[Samba] Domain-member and simple read and readwrite file-permissions based on group-membership

Christian Rost chr at baltic-online.de
Tue Jan 3 18:58:24 GMT 2006

I'm pretty confused about using Samba as a domain member and file server. Assuming I have a couple of Windows users on my Active Directory server and there are mainly 2 groups defined in the AD: ReadOnlyGroup and WriteOnlyGroup. On my Samba server there is one share which should be used by both groups, and I want users in the WriteOnlyGroup to have the permission to modify/delete all files/directories and the users in the ReadOnlyGroup to only read the files/directories. To keep it simple I don't want any other ACLs at

I thought that this setup should be possible by using the read/write list, force group and mode features in smb.conf.

Now I have 2 options to connect to my PDC. Either I use security = ADS or I use security = domain.

For the first option, as far as I know, I need to use Kerberos. Because I'm forced to use AIX as the platform for the Samba server and there is no installed, I must use security = domain.

Running with security = domain I think at first I'm now forced to replicate all Active Directory users to Unix users on my Samba server to establish a mapping between NT <-> Unix user IDs for the proper ownership of files on the share's filesystem.

Now my questions:
When I have done this, there is no need to use the "net groupmap" feature, because all users are mapped to Unix users and these Unix users belong to primary Unix groups. The groupmap feature only makes sense if I run the winbindd daemon (on top of Kerberos) and there is no complete mapping of NT <-> Unix user/group. Is this

Which kind of arguments are possible for "read list" and "write list"? Is it correct that only Unix users and Unix groups are possible? Is there any way to use the ReadOnlyGroup and WriteOnlyGroup from the
If only Unix groups are possible I also have to replicate the
to the Unix system. Is this correct? When this is correct, this is pretty painful because I have to administrate 2 user databases now.

Is this simple setup only possible with ACLs on the filesystem and with running

Thank you for answers
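For reference, a share definition that maps this read-only / read-write split onto the two AD groups. This is an added example, not configuration from the poster or from the Samba project; it assumes a constructed NetBIOS domain EXAMPLE, a share directory /srv/shared, and a running winbindd on a host joined with "net rpc join" (security = domain authenticates over NTLM/RPC and does not itself require Kerberos).

```ini
# Added example (not from the original thread): domain-member file server
# where share access is decided by AD group membership via winbind.
# Constructed assumptions: domain EXAMPLE, groups ReadOnlyGroup and
# WriteOnlyGroup, share "shared" on /srv/shared, winbindd running.
[global]
    workgroup = EXAMPLE
    security = domain
    # winbind allocates Unix uid/gid for domain users and groups, so no
    # local user replication and no "net groupmap" entries are needed
    # for this share (current idmap syntax; older 3.x used idmap uid/gid)
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    # keep the DOMAIN\ prefix so group names below are unambiguous
    winbind use default domain = no

[shared]
    path = /srv/shared
    # nobody outside these two AD groups can connect to the share at all
    valid users = @EXAMPLE\ReadOnlyGroup, @EXAMPLE\WriteOnlyGroup
    # share is read-only by default; "write list" overrides that for the
    # writer group, "read list" pins the reader group to read-only even
    # if "read only" is later changed to no
    read only = yes
    read list = @EXAMPLE\ReadOnlyGroup
    write list = @EXAMPLE\WriteOnlyGroup
    # every new file/dir gets the writer group as its Unix group, so
    # on-disk ownership stays consistent regardless of who created it
    force group = EXAMPLE\WriteOnlyGroup
    # 0664/0775 leaves the "other" read bits set, which is what lets
    # ReadOnlyGroup members (not in the forced group) read the data;
    # the SMB-level read list, not the Unix mode, is what blocks writes
    create mask = 0664
    directory mask = 0775
```

Run testparm -s to validate the file and wbinfo -g to confirm winbind resolves the two domain groups; the share directory itself must be group-owned by EXAMPLE\WriteOnlyGroup with mode 2775 before the first test.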
