[Samba] winbind and distribution groups - solved
Peter Kruse
pk at q-leap.com
Mon Jan 31 13:48:30 GMT 2005
This is for the record, thanks for your patience.
> Gerald (Jerry) Carter wrote:
>
>>
>> Peter Kruse wrote:
>> |
>> | Say, I create a "distribution group" on Windows ADS named
>> | "distgroup" add as a member a security group named "secgroup" with a
>> | user "robert" in it. Then when I look at the groups "robert" belongs
>> | to, the group "distgroup" is not listed (checked with "wbinfo -r").
>> | Even after "winbind cache time" has long expired ;)
>>
>> this is the difference between a distribution group and a
>> security group from what I understand. The behavior is
>> by design.
>>
>
> are you sure? That means if I add read permissions (via ACL) to a
> directory for group "distgroup" then the user "robert" still has no
> access rights. Although he is member of "secgroup" which is a member of
> "distgroup". This behaviour is intentionally "by design"? What are
> "distribution groups" then good for?
>
Because our domain controller did not run in native mode,
I was not able to add a group to a security group. And I thought
"I can only add groups to distribution groups". This is not
true, which I found out after switching to native mode.
Indeed distribution groups are different:
In
http://windows.microsoft.com/windows2000/en/server/help/sag_ADgroups_1intro.htm
it says:
"Distribution groups are not security-enabled. They cannot be listed in
DACLs."
So my fault, there wasn't a problem to begin with.
cheers,
Peter
--
Peter Kruse <pk at q-leap.com>, Chief Software Architect
Q-Leap Networks GmbH
phone: +497071-703171, mobile: +49172-6340044
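
The distinction this thread settles on can be checked from the directory before a group is used in an ACL. The following is an added example, not part of the original post or of Samba: it reads the `groupType` attribute from LDIF text and reports groups that are not security-enabled. The sample LDIF, its DNs and the function names are constructed for illustration; only the group names come from the thread.

```python
import re

# Active Directory sets this bit in groupType for security groups;
# distribution groups leave it clear.
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# Constructed sample, shaped like ldapsearch LDIF output (DNs are made up).
SAMPLE_LDIF = """\
dn: CN=distgroup,CN=Users,DC=example,DC=com
sAMAccountName: distgroup
groupType: 2

dn: CN=secgroup,CN=Users,DC=example,DC=com
sAMAccountName: secgroup
groupType: -2147483646
"""

def parse_groups(ldif):
    """Return {sAMAccountName: groupType as an unsigned 32-bit value}."""
    groups = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(line.split(": ", 1)
                     for line in entry.splitlines() if ": " in line)
        if "groupType" in attrs and "sAMAccountName" in attrs:
            # LDAP returns groupType as a signed 32-bit integer, so a
            # security group shows up negative; mask to recover the bits.
            groups[attrs["sAMAccountName"]] = int(attrs["groupType"]) & 0xFFFFFFFF
    return groups

def is_security_group(group_type):
    """True when the security-enabled bit is set."""
    return bool(group_type & GROUP_TYPE_SECURITY_ENABLED)

def unusable_in_acls(ldif, acl_groups):
    """Names from acl_groups that are distribution groups or not found."""
    groups = parse_groups(ldif)
    return sorted(name for name in acl_groups
                  if name not in groups or not is_security_group(groups[name]))

if __name__ == "__main__":
    # Groups an administrator intends to grant directory access to.
    print(unusable_in_acls(SAMPLE_LDIF, ["distgroup", "secgroup"]))
```
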