[Samba] Does Samba/Winbind not follow nested groups in AD?!?
Matt Skerritt
matt.skerritt at agrav.net
Tue Dec 5 23:08:14 GMT 2006
On 06/12/2006, at 3:46 AM, James A. Dinkel wrote:
> Here's the situation: We have users who are members of groups and
> those
> groups are sometimes members of a 2nd level of groups. If a folder
> has
> permissions assigned to a 2nd level group, then the user can not
> access
> the share. Doing a "getent group | grep user | grep 2nd_level_group"
> also returns nothing. Samba seems to not be recognizing that a
> user is
> a member of a group under another group.
>
> Is there any way to enable Samba, or Winbind, to follow down the group
> hierarchy?
There is an option in smb.conf called "winbind nested groups" ... and
the help text from swat says:
"winbind nested groups (G)
If set to yes, this parameter activates the support for nested
groups. Nested groups are also called local groups or aliases. They
work like their counterparts in Windows: Nested groups are defined
locally on any machine (they are shared between DC's through their
SAM) and can contain users and global groups from any trusted SAM. To
be able to use nested groups, you need to run nss_winbind.
Please note that per 3.0.3 this is a new feature, so handle with
care.
Default: winbind nested groups = no"
So I'm guessing that you want to set winbind nested groups = yes in
your smb.conf.
--
Matt Skerritt
matt.skerritt at agrav.net
More information about the samba
mailing list