[Samba] Samba & Windows 2003 AD

Veronica Hill veronica.hill at optusnet.com.au
Tue May 23 10:19:41 GMT 2006

Firstly, winbind is going to be your best friend with AD, so yes, set it 
up.  idmap_rid is particularly easy for companies with many sites that 
need consistent UID & GID mapping. (think centralized backups using 
rsync and you'll get the idea)

Secondly the Domain Users Group doesn't fully exist in any practical 
way under Samba......
getent group | grep domain\ users

I think you'll see why......  This is a weird one that the Samba guys 
haven't coded for yet (from what I remember).  The domain users group 
is "special" as in Microsoft special.  I create shares that have access 
to a specific group of users, because the DU group is unusable (I 
don't think that's FUD....).  If I want access to be given to a large 
group of users then I create a group specifically for that site / area 
and add all users that are at that site / area into that group.

Bye, Veronica.

On 19 May 2006, at 00:54, stijn.mahieu at rp-mail.com wrote:

> Hello,
> I have joined my samba 3.0.7 server successfully to Windows 2003 ADS, and
> Kerberos authentication seems to work fine, provided that the user also
> exists on the Linux machine. However, I can't seem to create a share that
> grants access to the Domain Users Group. Will I need to set up Winbind for
> that or is there a way to do this in my current setup? If I need to set up
> winbind, will I need to remove the ADS bits in my smb.conf file?
> Any tips are very much appreciated.
> Stijn
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
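
A minimal smb.conf sketch of the setup the reply above describes, added here as an illustration and not taken from either poster's configuration: winbind with idmap_rid alongside the existing ADS settings, and a share restricted to a dedicated site group instead of Domain Users. The domain EXAMPLE, the realm, the ID range, the group name site-a-staff and the path are constructed placeholders, and the idmap_rid line uses the Samba 3.0.x syntax of the period (3.0.8 and later; newer releases configure it differently).

```ini
[global]
    # Existing ADS membership settings stay in place; winbind is added to them.
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads

    # idmap_rid derives each UID/GID from the account's RID, so every
    # server using the same range maps a given AD account to the same ID.
    idmap backend = idmap_rid:EXAMPLE=10000-100000000
    idmap uid = 10000-100000000
    idmap gid = 10000-100000000
    allow trusted domains = no

    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

[site-a]
    path = /srv/samba/site-a
    # Access limited to one purpose-built AD group (constructed name)
    # rather than Domain Users.
    valid users = @site-a-staff
    read only = no
```

With `winbind` added to the passwd and group lines of /etc/nsswitch.conf, `getent group site-a-staff` should list the group's members before the share is tested.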
