[Samba] group membership + acl

Dr. Matthias Schlett (987) m.schlett at fz-rossendorf.de
Tue Jan 4 20:18:31 GMT 2005


During the last two years our fileserver was a VERITAS Samba-2.0.10-VRTS server.
This Veritas version of samba contains a special ACL component for the
uid <-> sid and gid <-> sid mapping. It also transparently converts
Windows access rights to Unix access rights and vice versa.
The recent changes in the Windows mbx driver forced us to move to Samba3.
The uid mapping works without problems because our Unix and Windows accounts
are identical.
For the gid mapping the net groupmap command has the same functionality as the
Veritas vmapadm command.
The Windows ACLs are correctly converted into the Unix ACLs, but now we have
a problem with the group membership:

If a Windows account is a member of some Windows group and the corresponding
Unix account is not a member of the corresponding Unix group, the
Windows account cannot use the Windows group rights.
This means that we have to synchronize the group membership between Windows and Unix.

But this is not the behavior I was used to with the Veritas Samba.

How can I get the Windows group membership recognized without converting
all these memberships into Unix group memberships?
I know that one possibility to avoid this problem is the use of winbind instead of NIS,
but at the moment we are not ready to change our NIS environment.

I hope somebody from the Samba team will have time to explain to me how the
access rights of an account are checked.
I spent a lot of time reading all available Samba documentation, but I couldn't
find anything about this topic yet.

Regards
M.Schlett
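
An added example, not part of the original post and not Samba code: a small audit that lists accounts which are members of a mapped Windows group but not of the corresponding Unix group, which is the mismatch described above. The sample data is constructed; the Windows membership table (`WINDOWS_MEMBERS`) is an assumed input gathered separately from the domain, and account names are taken to be identical on both sides, as in the post.

```python
import re

# Constructed sample in the style of `net groupmap list` output.
GROUPMAP_LIST = """\
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Physics (S-1-5-21-1111111111-2222222222-3333333333-1201) -> physics
Chemistry (S-1-5-21-1111111111-2222222222-3333333333-1202) -> chem
"""
# Constructed sample in the style of `getent group` output. The member field
# does not list users who have the group only as their primary group.
GETENT_GROUP = """\
users:x:100:alice,bob,carol
physics:x:2001:alice
chem:x:2002:
"""
# Assumed input: Windows group -> member accounts (constructed values).
WINDOWS_MEMBERS = {
    "Domain Users": {"alice", "bob", "carol"},
    "Physics": {"alice", "bob"},
    "Chemistry": {"carol"},
}

MAP_RE = re.compile(r"^(?P<nt>.+) \((?P<sid>S-[0-9-]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Return {windows_group: unix_group} from group mapping lines."""
    mapping = {}
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:  # skip blank or unrecognised lines
            mapping[m["nt"]] = m["unix"]
    return mapping

def parse_unix_groups(text):
    """Return {unix_group: set of members} from group database lines."""
    rows = (line.strip().split(":") for line in text.splitlines())
    return {r[0]: {u for u in r[3].split(",") if u} for r in rows if len(r) == 4}

def membership_drift(groupmap, unix_groups, windows_members):
    """Return {unix_group: accounts in the Windows group but not the Unix one}."""
    drift = {}
    for nt_group, unix_group in groupmap.items():
        missing = windows_members.get(nt_group, set()) - unix_groups.get(unix_group, set())
        if missing:
            drift[unix_group] = sorted(missing)
    return drift

if __name__ == "__main__":
    gm, ug = parse_groupmap(GROUPMAP_LIST), parse_unix_groups(GETENT_GROUP)
    for group, users in membership_drift(gm, ug, WINDOWS_MEMBERS).items():
        print(f"{group}: not in Unix group: {', '.join(users)}")
```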

