[Samba] Samba server joining domain and browsing group shares

Alex de Vaal samba.alex at gmail.com
Fri Feb 29 10:04:55 GMT 2008

On Fri, Feb 29, 2008 at 5:12 AM, Victor Mendez <vmendez at netsystemsinfo.com> wrote:

> Alex thank you for your support, can you please explain the command below:
> Especially the chown, I'm not familiar with the syntax you are using. If I try
> to apply this to our TEST configuration it does not work, we get the following
> error:
> cuzco:~ # chown 0:"NETSYS\Series" /Series
> chown: `0:NETSYS\\Series': invalid group
> Being NETSYS = workgroup name
> Being Series = group Series defined on the ADS windows PDC
> Being /Series = a disk share on the samba machine
> > On the server you have to use the chown command and chmod command to give
> > the AD group DEP_TEST_MEMBER access on the Linux filesystem:
> > chmod g+s /data/grp
> > chown 0:"TEST\DEP_TEST_MEMBER" /data/grp
> QUESTION: is DEP_TEST_MEMBER a group defined on the Linux box and on the
> ADS, or is it only defined on the ADS?

DEP_TEST_MEMBER is a group only defined in the AD.

> on my linux TEST box on the /etc/groups there is no "Series" group
> on my windows TEST ADS there is a group called "Series" with 4 users
> Another thing maybe I have not been clear, from our windows workstations we
> want to connect to a share in the Linux box but the user logged in the
> workstation does NOT have an account on linux machine he has an account on
> the windows ADS PDC.

AD users don't need an account on the Linux machine. But for Samba to work
properly with AD users, you also need the winbind daemon to run.
winbind is a daemon of Samba. If winbind runs properly then AD users/groups
will be a (virtual) part of /etc/passwd and /etc/group.

The file /etc/nsswitch.conf must look like this for winbind to run properly:
passwd:     files winbind
shadow:     files
group:      files winbind

You can test that by using the getent command:
getent group "TEST\DEP_TEST_MEMBER"

The AD group DEP_TEST_MEMBER will now be translated to a Linux GID.

> - Joining the Domain, see command below:
>  cuzco:~ # net ads join -U Administrator
>  Administrator's password:
>  Using short domain name -- NETSYS
>  Joined 'CUZCO' to realm 'NETSYSTEMSINFO.COM'

That looks fine.

> We have adjusted the /etc/samba/smb.conf file to match your sample file
> config. Here I include a copy:
> [global]
>        workgroup = NETSYS
>        realm = NETSYSTEMSINFO.COM
>        preferred master = no
>        server string = Linux file server
>        security = ADS
>        encrypt passwords = yes
>        log level = 3
>        printcap name = cups
>        printing = cups
>        cups options = raw
>        winbind enum users  = yes
>        winbind enum groups = yes
>        winbind use default domain = yes
>        winbind nested groups = no
>        winbind separator = +

The problem resides here: "winbind separator = +"
Remove that entry and now the separator will be "\"

> [series]
>        comment = Series media files
>        #inherit acls = Yes
>        inherit permissions = Yes
>        path = /Series
>        read only = No
>        valid users = @NETSYSTEMSINFO.COM\Series
>        hide unreadable =yes

If you want to use "winbind separator = +" then the "valid users" must be
like this: @NETSYSTEMSINFO.COM+Series
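
The separator mismatch discussed in this message, as an added example that is not part of the original post: a shell sketch that reads "winbind separator" from an smb.conf and builds the group name to hand to getent before running chown. The function names and the inline smb.conf fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the DOMAIN<sep>name form winbind expects from smb.conf.
# Function names and the sample smb.conf below are constructed for illustration.

# Print the configured "winbind separator", or "\" (Samba's default) if unset.
winbind_separator() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                        # skip comment lines
        {
            key = tolower($1); gsub(/[ \t]/, "", key) # names ignore case/spaces
            if (key == "winbindseparator") {
                val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val)
                sep = substr(val, 1, 1)
            }
        }
        END { print (sep == "" ? "\\" : sep) }
    ' "$1"
}

# Build the name to pass to getent/chown: $1=smb.conf $2=domain $3=group or user
qualified_name() {
    printf '%s%s%s\n' "$2" "$(winbind_separator "$1")" "$3"
}

# Report whether NSS (files + winbind) resolves the group before chown is tried.
check_group() {
    name=$(qualified_name "$1" "$2" "$3")
    if getent group "$name" >/dev/null 2>&1; then
        printf 'resolves: %s\n' "$name"
    else
        printf 'invalid group for chown until this resolves: %s\n' "$name"
    fi
}

# Constructed sample mirroring the [global] section quoted in the thread.
conf=$(mktemp)
cat > "$conf" <<'EOF'
[global]
        workgroup = NETSYS
        security = ADS
        winbind separator = +
EOF
check_group "$conf" NETSYS Series     # looks up NETSYS+Series, not NETSYS\Series
rm -f "$conf"
```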

