[Samba] Do Domain Local groups work via 'valid users = "@dom\Group Name"'?

Jason Haar Jason.Haar at trimble.co.nz
Thu Feb 22 02:15:38 GMT 2007

Hi there

We have a bunch of Samba 3.0.24 servers that use winbind to integrate
into an existing Win2K3-based AD infrastructure. We have our own forest
(call it FOREST, with sub-domains "DOM1" and "DOM2") - but have
transitive and two-way trusts to other Win2K3 forests.

We have set up (under Windows) a bunch of "DOM1" Domain Local Groups
containing a mixture of "DOM1" Domain groups and accounts from DOM2 and
other trusted forests. I.e., on a Win2K3 server we can create a share
that can be accessed by people from both our own forest (both DOM1 and
DOM2) and others by using a Domain Local Group.

I want to do the same with Samba, but 'valid users = "@DOM1\Domain Local
Group"' doesn't work. If I am logged into a Samba server that is a
member of DOM1, then "getent group 'Domain Local Group'" returns the
DOM1 members - **but not any from DOM2 or the other trusted forests**!
BTW, the DOM1 Samba server is quite capable of successfully doing a
"getent passwd DOM2\account".

Am I doing something wrong? How can I get a Samba server in either DOM1
or DOM2 to fully support allowing anyone in that Domain Local Group to



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
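
A way to check the symptom described in the message above (added example, not part of the original post): the script groups the members that `getent group` returns by domain prefix and lists the expected domains that contribute none. It assumes the default winbind separator (backslash); the function names and the sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: group the members `getent group` reports by domain prefix
# and list expected domains that contribute no members.

# Constructed sample in getent format (name:passwd:gid:members); not real
# output. It mimics the symptom in the post: only DOM1 members resolve.
SAMPLE_LINE='DOM1\domain local group:x:10012:DOM1\alice,DOM1\bob,DOM1\carol'

# members_by_domain LINE -> one "DOMAIN count" line per domain, sorted.
members_by_domain() {
    printf '%s\n' "$1" | awk -F: '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                if (m[i] == "") continue
                # Assumes the default winbind separator (backslash); names
                # without a domain prefix are counted under "(no-prefix)".
                p = index(m[i], "\\")
                d = (p > 0) ? substr(m[i], 1, p - 1) : "(no-prefix)"
                c[d]++
            }
            for (d in c) print d, c[d]
        }' | sort
}

# missing_domains LINE DOMAIN... -> space-separated expected domains that
# have no member in LINE (domain names compared case-insensitively).
missing_domains() {
    line=$1; shift
    present=$(members_by_domain "$line" | awk '{print $1}')
    missing=""
    for want in "$@"; do
        printf '%s\n' "$present" | grep -qixF -- "$want" || missing="$missing $want"
    done
    printf '%s\n' "${missing# }"
}

# With arguments (GROUP DOMAIN...), query NSS; otherwise use the sample line.
if [ "$#" -ge 2 ]; then
    grp=$1; shift
    line=$(getent group "$grp") || { echo "group not resolved: $grp" >&2; exit 2; }
else
    line=$SAMPLE_LINE; set -- DOM1 DOM2
fi
members_by_domain "$line"
echo "domains with no members: $(missing_domains "$line" "$@")"
```
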
