[Samba] Domain-member and simple read and readwrite file-permissions based on group-membership
chr at baltic-online.de
Tue Jan 3 18:58:24 GMT 2006
I'm pretty confused about using samba as domain-member and file-server.

Assuming I have a couple of windows-users on my active directory server and there are mainly 2 groups defined in the AD: ReadOnlyGroup and WriteOnlyGroup.

On my samba-server there is one share which should be used by both groups and I want users in the WriteOnlyGroup to have the permission to modify/
files/directories and the users in the ReadOnlyGroup to only read the files/directories. To keep it simple I don't want any other ACLs at

I thought that this setup should be possible by using the read/write list, the force group and the mode features in the smb.conf.

Now I have 2 options to connect to my PDC.
Either I use security = ADS or I use security = domain.
For the first option, as far as I know, I need to use kerberos.
forced to use aix as platform for the samba-server and there is no
installed, I must use security = domain.

Running with security = domain I think at first I'm now forced to replicate all active-directory users to unix-users on my samba-server to establish a mapping between NT <-> Unix User IDs for the proper ownership of files on the share's filesystem.

Now my questions:

When I have done this, there is no need to use the "net groupmap" -
all users are mapped to Unix-Users and these Unix-Users are belonging
unix-groups. The groupmap feature only makes sense if I run the winbindd-daemon (on top of kerberos) and there is no complete mapping of NT<->Unix User/Group. Is this

Which kind of arguments are possible to "read list" and "write list"?
Is it correct that only unix-users and unix-groups are possible?
Is there any way to use the ReadOnlyGroup and WriteOnlyGroup from the

If only unix-groups are possible I also have to replicate the
to the unix-system. Is this correct?
When this is correct, this is pretty painful because I have to administrate 2 user databases now.

Is this simple setup only possible with ACLs on the filesystem and

Thank you for answers
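
The share layout the post describes, as an added smb.conf sketch that is not part of the original message. It assumes local Unix groups `smbread` and `smbwrite` (hypothetical names standing in for ReadOnlyGroup and WriteOnlyGroup), a hypothetical common group `smbshare`, and a hypothetical path `/export/share`.

```ini
# Constructed example, not from the original post. All names are hypothetical.
[share]
    path = /export/share

    # Only members of the two groups may connect at all.
    # A leading @ makes smb.conf treat the name as a group, not a user.
    valid users = @smbread @smbwrite

    # Deny writes by default at the share level ...
    read only = yes
    # ... then grant write access to one group only.
    write list = @smbwrite
    # Members are held to read-only access. A user listed in both
    # "read list" and "write list" gets write access, so keep the
    # two groups disjoint.
    read list = @smbread

    # Every connection acts with this one Unix group, so files created
    # by any writer stay accessible to all users of the share.
    force group = smbshare

    # Owner and group only: other local accounts on the server get no
    # access. The share directory itself needs group smbshare and
    # mode 0770 on the filesystem for this to work.
    create mask = 0660
    directory mask = 0770
```

Running `testparm` against the file checks it for syntax errors before smbd is restarted.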