[Samba] winbind and distribution groups - solved

Peter Kruse pk at q-leap.com
Mon Jan 31 13:48:30 GMT 2005

This is for the record, thanks for your patience.

> Gerald (Jerry) Carter wrote:
>> Peter Kruse wrote:
>> |
>> | Say, I create a "distribution group" on Windows ADS named
>> | "distgroup" add as a member a security group named "secgroup" with a
>> | user "robert" in it. Then when I look at the groups "robert" belongs
>> | to, the group "distgroup" is not listed (checked with "wbinfo -r").
>> | Even after "winbind cache time" has long expired ;)
>> this is the different between a distribution group and a
>> security group from what I understand.  The behavior is
>> by design.
> are you sure?  That means if I add read permissions (via ACL) to a
> directory for group "distgroup" then the user "robert" still has no
> access rights. Although he is member of "secgroup" which is a member of
> "distgroup". This behaviour is intentionally "by design"?  What are
> "distribution groups" then good for?

Because our domain controller did not run in native mode,
I was not able to add a group to a security group.  And I thought
"I can only add groups to distribution groups".  This is not
true which I found out after switching to native mode.
Indeed distribution groups are different:

it says:

"Distribution groups are not security-enabled. They cannot be listed in 

So my fault, there wasn't a problem to begin with.



Peter Kruse <pk at q-leap.com>, Chief Software Architect
Q-Leap Networks GmbH
phone: +497071-703171, mobile: +49172-6340044

More information about the samba mailing list