[Samba] Domain-member and simple read and readwrite file-permissions based on group-membership

Adam Nielsen adam.nielsen at uq.edu.au
Wed Jan 4 04:30:22 GMT 2006

> Runing with security = domain I think at first i'm now forced to  
> replicate all active-directory user to unix-users on my samba-server
> to establish a mapping between NT <-> Unix User ID's for the proper
> ownership of files on the share's filesystem

You can use winbind to do this more or less automatically.  It makes a
bunch of UNIX users appear on your system of the form "DOMAIN\user".

> When i have done this, there is no need to use the "net groupmap" -  
> Feature, because all users are mapped to Unix-User and these
> Unix-Users are belonging to primary unix-groups. The groupmap -
> Feature only makes sense if i run the winbindd-daemon (on top of
> kerberos) and there is no complete mapping of NT<->Unix User/Group.
> Is this correct?

That sounds correct.  If you run winbind though, you have two options -
either create a UNIX group holding all your NT accounts, or just use
the NT groups.

> Which kind of arguments are possible to: "read list" and "write list"?
> Is it correct that only unix-users and unix-groups are possible?

Yes, technically only UNIX users and groups are possible, but winbind
will make your NT accounts appear as UNIX users and groups.  This means
that once winbind is configured, you could put this in your smb.conf:

  path = /some/share/path
  valid users = @DOMAIN\ReadOnlyGroup @DOMAIN\WriteOnlyGroup
  write list = @DOMAIN\WriteOnlyGrouop

Or something similar.  Probably not the best way of doing it as Samba
will then allow anyone in "WriteOnlyGroup" access to the share, but the
underlying UNIX permissions may decide the user doesn't have write
access anyway.  In this case you'll also need to use the "force user"
and/or "force group" option so that all filesystem operations are done
as a user who definitely has access.

> When this is correct, this is pretty painfull because I've to  
> administrate 2 userdatabases now.

You should definitely use winbind then, since that will mean you only
have the one user database to look after.


More information about the samba mailing list