[Samba] Does Samba/Winbind not follow nested groups in AD?!?

Matt Skerritt matt.skerritt at agrav.net
Tue Dec 5 23:08:14 GMT 2006

On 06/12/2006, at 3:46 AM, James A. Dinkel wrote:

> Here's the situation: We have users who are members of groups and those
> groups are sometimes members of a 2nd level of groups. If a folder has
> permissions assigned to a 2nd level group, then the user can not access
> the share. Doing a "getent group | grep user | grep 2nd_level_group"
> also returns nothing. Samba seems to not be recognizing that a user is
> a member of a group under another group.
> Is there any way to enable Samba, or Winbind, to follow down the group
> hierarchy?

There is an option in smb.conf called "winbind nested groups" ... and
the help text from swat says:

"winbind nested groups (G)

     If set to yes, this parameter activates the support for nested
     groups. Nested groups are also called local groups or aliases. They
     work like their counterparts in Windows: Nested groups are defined
     locally on any machine (they are shared between DC's through their
     SAM) and can contain users and global groups from any trusted SAM. To
     be able to use nested groups, you need to run nss_winbind.

     Please note that per 3.0.3 this is a new feature, so handle with  

     Default: winbind nested groups = no"

So I'm guessing that you want to set winbind nested groups = yes in
your smb.conf.

Matt Skerritt
matt.skerritt at agrav.net
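
An added example, not part of the original message or of Samba's own tooling: two shell helpers that report what `winbind nested groups` is set to in the `[global]` section of an smb.conf and repeat the `getent group` membership check from the question with whole-name matching instead of chained `grep`. The function names, the sample configuration and the sample group lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Read smb.conf text on stdin and print "yes" or "no" for
# "winbind nested groups" in [global]. Names are matched without regard to
# case or spaces; an unset parameter reports the default quoted above (no).
nested_groups_setting() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { s = tolower($0); gsub(/[ \t\r]/, "", s)
                        in_global = (s == "[global]"); next }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/[ \t]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key == "winbindnestedgroups")
                result = (val ~ /^(yes|true|on|1)$/) ? "yes" : "no"
        }
        END { print (result == "" ? "no" : result) }
    '
}

# Exit 0 if USER ($1) is in the member list of GROUP ($2) in "getent group"
# formatted lines on stdin. Names are compared whole, so "alice" does not
# match "alice2". Passed via the environment to avoid awk escape processing.
user_in_group() {
    U="$1" G="$2" awk -F: '
        $1 == ENVIRON["G"] {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == ENVIRON["U"]) found = 1
        }
        END { exit !found }
    '
}

# Constructed sample input.
SAMPLE_CONF='[global]
   workgroup = EXAMPLE
   ; winbind nested groups = no
   Winbind Nested Groups = Yes
[share]
   path = /srv/share'
SAMPLE_GROUPS='2nd_level_group:x:10001:alice,bob
staff:x:10002:alice2'

printf '%s\n' "$SAMPLE_CONF" | nested_groups_setting
printf '%s\n' "$SAMPLE_GROUPS" | user_in_group alice 2nd_level_group \
    && echo "alice is a member of 2nd_level_group"
```

On a live host, feed the first function the smb.conf in use and the second the output of `getent group`, before and after changing the setting.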
