[Samba] Group membership confusion, UNIX, nested, and AD

Robert M. Martel - CSU r.martel at csuohio.edu
Mon Jun 2 20:53:53 GMT 2008

Still hoping that someone can help clear this up.


I've been reading and re-reading "Chapter 12. Group Mapping: MS Windows
and UNIX", Mailing list messages with the subjects "valid users = +group
doesn't work" and "Unix ADS group membership or vice versa" and all I've
gotten is more confused.

I have to move my samba servers from a Samba PDC environment to Active
Directory (AD) where they will be member servers.  I will NOT be able to
make ANY changes to the AD configuration: it is dictated and controlled
by those "on high."  I cannot add any groups to AD.  I can only
manipulate the membership of the UNIX groups on my servers.

I already have a test samba server (3.0.28a) as a member of AD.

What I want is to be able to control access to "shares" using lines like
"valid user +www" in smb.conf as I have in the past.  The groups I want
to use are the UNIX groups on the AD member samba server.  I have added
AD users as members of the UNIX groups in /etc/group

It looks like Samba AD member servers will NOT look at local UNIX groups
to check and see if an AD account is a member of the UNIX group.  I do
not want to have to map each and every AD user to a corresponding local
user - I thought accessing AD would cut down on the account management
workload, not increase it.

I fail to see where windbind's nested groups will help me solve this
problem - as presented in the docs it seems to solve an MS Windows issue
that I do not have.  Perhaps I still do not understand what that the
nested group is supposed to provide.

Since I have no administrative access to the AD server, how am I to
create nested groups?  The example shows:

  net rpc group add demo -L -Uroot%not24get"

   So it seems I would need some kind of administrative account to even
create the nested group.  If not an AD account, I do not recall setting
up an smbpassword for root as I did in the past on my samba PDC.  I am
not a member of "Domain Administrators" in out AD setup, but that is a
whole different set of questions.

How would I make such a nested group the group owner for
files/directories? Or would I then use the nested group in the "valid
user" line of smb.conf?  Use groupmap to associate it with a UNIX group?
  See, confusion.

At this moment it seems my worst case/quick fix calls for long "valid
user" lines listing the AD accounts that I wish to have access to
certain shares - kinda' defeats the reason to have groups.  Why would
Samba be written to ignore the group memberships?

Thanks in advance to anyone that can help clear up my confusion about

-Bob Martel

Bob Martel,System Administrator  I met someone who looks a lot like you
Levin College of Urban Affairs   She does the things you do
Cleveland State University       But she is an IBM
(216) 687-2214
r.martel at csuohio.edu                                -Jeff Lynne

More information about the samba mailing list