[Samba] question of domain group memberships

Eric S. Hvozda hvozda at ack.org
Tue Jun 7 16:17:30 GMT 2005

We've been using samba w/ ADS for quite ahile now and we're quite
happy with it.  However, we have run into an interesting impasse

We have domains A and B.  There is bi-directional trust between
the domains.  The samba server has membership to domain A.

Recently a new share was created and it's access is controlled by
the domai ngroup A+group.  A+group contains users from both domains.
The group also contains another group A+group2.

Users in A+group2 can do all exepected operations on the share.
Users in A+group from domain A can do all expected operations also.
Users from domain B can add files, but not delete or rename them.


getent group A+group

Only shows the members from domain A, not domain B.  Also group
A+group2 does not show even though apparently the Right THing (tm)
is happening for them.

My major concern is why are users from domain B not showing up via
getent.  I expect that they should.  If they were I would expect
their delete and rename problems to go away.

I have created a server in domain B and created similar circumstances,
with the same behavior.

Also, what behavior should I expect from getent when a group is
included within a group?  See the group listed?  See the users of
the included group expanded?  See nothing?

Or am I barking up the wrong tree completely...?

More information about the samba mailing list