[Samba] winbind and local groups

lists at kimball.org.uk lists at kimball.org.uk
Sat May 22 22:14:39 GMT 2004


Hi, I have been setting up samba and winbind on a Debian Linux box to
allow access to shares authenticating from a Windows 2000 Active Directory
Domain.

I have got almost everything I want to work, but I am stuck with one
thing.  I would like to add domain users to a local unix group and then
add that group to the valid users line of a share.  Enclosed are my
smb.conf and my /etc/group file.

Thank you,

Kimball

--smb.conf--
#======================= Global Settings =======================

# Global settings: this host authenticates SMB users against the TEST domain
# and relies on winbind to map domain accounts to Unix ids.
[global]
   workgroup = TEST
# NOTE(review): %v puts the Samba version into the string shown to clients
# browsing the network; drop it if version disclosure is a concern.
   server string = %h server (Samba %v)
   wins server = 10.22.2.70
   dns proxy = no
;   name resolve order = lmhosts host wins bcast

   log file = /var/log/samba/log.%m
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
# Password checks are handed to the domain's controllers; "password server = *"
# further down lets Samba locate a controller on its own.
   security = domain
# Range from which winbind allocates Unix uids/gids for domain users and groups.
   idmap uid = 15000-20000
   idmap gid = 15000-20000
# The separator override is commented out, so the default "\" applies and
# domain accounts are named TEST\user (the form used in [test3] and /etc/group).
#  winbind separator = %
   winbind enum users = yes
   winbind enum groups = yes
# Left disabled: domain users keep their DOMAIN\ prefix rather than appearing
# as bare usernames.
#  winbind use default domain = yes
   password server = *
   encrypt passwords = true
   passdb backend = tdbsam guest
   obey pam restrictions = yes
;   guest account = nobody
# Refuses SMB logins as root on every share.
   invalid users = root
;   unix password sync = no
# NOTE(review): the passwd chat value below spills onto a second line, which
# looks like mail-client wrapping; in the real file it has to be one line.
# Both settings presumably stay unused while unix password sync is off.
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
;   pam password change = no
;   load printers = yes
;   printing = bsd
;   printcap name = /etc/printcap
;   printing = cups
;   printcap name = cups
;   printer admin = @ntadmin
;   preserve case = yes
;   short preserve case = yes
;   include = /home/samba/etc/smb.conf.%m
   socket options = TCP_NODELAY
;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
;   domain master = auto
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

# Per-user home directory shares: hidden from browse lists and read-only.
# The 0700 masks limit permission bits on anything created to the owner only.
[homes]
   comment = Home Directories
   browseable = no
   writable = no
   create mask = 0700
   directory mask = 0700

;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no

# Print spooling share: no guest access ("public" is a synonym for "guest ok").
# NOTE(review): spool files land in /tmp, which is normally shared with every
# local user; a dedicated spool directory keeps print jobs away from other
# processes' temporary files.
[printers]
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700

# Printer driver download share: browsable but read-only, and closed to guests.
# The write list is commented out, so no account is granted an upload exception.
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
;   write list = root, @ntadmin


# This works, and allows all users authenticated on the domain
# NOTE(review): "public" is a synonym for "guest ok", so this share is not
# limited to authenticated domain users: any session the server maps to the
# guest account is admitted too, and "writable = yes" gives it write access.
# Whether such sessions occur depends on "map to guest", which is not set here.
# For authenticated-only access, "public = no" with no "valid users" line would
# express the stated intent.
[test1]
   comment = Open Test Share
   path = /usr/share/smb/test1
   public = yes
   writable = yes

# This doesn't work
# NOTE(review): "@foo" is resolved through the system's group lookup (NIS
# netgroup first, then the Unix group database), not by Samba's own accounts.
# The member listed for foo in /etc/group must therefore match exactly the name
# winbind reports for the domain user (TEST\user with the default separator).
# Comparing `getent group foo` with `id 'TEST\user'` on the server shows whether
# the system sees that membership. The failure mode here is denial of access,
# so the share stays closed rather than open while this is being debugged.
[test2]
   comment = Only for group foo
   path = /usr/share/smb/test2
   public = no
   writeable = yes
   valid users = @foo

# This works and only allow the user 'user' on domain 'TEST' to access
# Guest access is off and "valid users" names a single domain account in
# DOMAIN\user form, so only that account may connect; it gets write access.
[test3]
   comment = Only for user
   path = /usr/share/smb/test3
   public = no
   writeable = yes
   valid users = TEST\user

# This works and allows all members of the domain group 'Domain Users' to access
# Restricted to members of a domain group: the "@" prefix makes "valid users"
# match on group membership, and guest access is off.
# NOTE(review): the quotes wrap only the group part of the name because it
# contains a space; the form is kept exactly as posted.
[test4]
   comment = Only for Domain group 'Domain Users'
   path = /usr/share/smb/test4
   public = no
   writeable = yes
   valid users = @TEST\"Domain Users"

--/etc/group--

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:kimball
fax:x:21:
voice:x:22:
cdrom:x:24:kimball
floppy:x:25:kimball
tape:x:26:
sudo:x:27:
audio:x:29:kimball
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:telnetd
video:x:44:kimball
sasl:x:45:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
crontab:x:101:
Debian-exim:x:102:
kimball:x:1000:
postgres:x:103:
ssh:x:104:
bind:x:105:
telnetd:x:106:
foo:x:107:TEST\user
bar:x:1001:


