[Samba] Group membership confusion, UNIX, nested, and AD
Robert M. Martel - CSU
r.martel at csuohio.edu
Mon Jun 2 20:53:53 GMT 2008
Still hoping that someone can help clear this up.
Greetings,
I've been reading and re-reading "Chapter 12. Group Mapping: MS Windows
and UNIX", Mailing list messages with the subjects "valid users = +group
doesn't work" and "Unix ADS group membership or vice versa" and all I've
gotten is more confused.
I have to move my samba servers from a Samba PDC environment to Active
Directory (AD) where they will be member servers. I will NOT be able to
make ANY changes to the AD configuration: it is dictated and controlled
by those "on high." I cannot add any groups to AD. I can only
manipulate the membership of the UNIX groups on my servers.
I already have a test samba server (3.0.28a) as a member of AD.
What I want is to be able to control access to "shares" using lines like
"valid user +www" in smb.conf as I have in the past. The groups I want
to use are the UNIX groups on the AD member samba server. I have added
AD users as members of the UNIX groups in /etc/group.
It looks like Samba AD member servers will NOT look at local UNIX groups
to check and see if an AD account is a member of the UNIX group. I do
not want to have to map each and every AD user to a corresponding local
user - I thought accessing AD would cut down on the account management
workload, not increase it.
I fail to see where winbind's nested groups will help me solve this
problem - as presented in the docs it seems to solve an MS Windows issue
that I do not have. Perhaps I still do not understand what the
nested group is supposed to provide.
Since I have no administrative access to the AD server, how am I to
create nested groups? The example shows:
    net rpc group add demo -L -Uroot%not24get
So it seems I would need some kind of administrative account to even
create the nested group. If not an AD account, I do not recall setting
up an smbpassword for root as I did in the past on my samba PDC. I am
not a member of "Domain Administrators" in our AD setup, but that is a
whole different set of questions.
How would I make such a nested group the group owner for
files/directories? Or would I then use the nested group in the "valid
user" line of smb.conf? Use groupmap to associate it with a UNIX group?
See, confusion.
At this moment it seems my worst case/quick fix calls for long "valid
user" lines listing the AD accounts that I wish to have access to
certain shares - kinda' defeats the reason to have groups. Why would
Samba be written to ignore the group memberships?
Thanks in advance to anyone that can help clear up my confusion about
groups!
-Bob Martel
--
***********************************************************************
Bob Martel, System Administrator
Levin College of Urban Affairs
Cleveland State University
(216) 687-2214
r.martel at csuohio.edu

    "I met someone who looks a lot like you
     She does the things you do
     But she is an IBM"                         -Jeff Lynne
***********************************************************************
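As an added illustration (not from the original message or from the Samba project), the following Python models how the `+`, `@` and `&` prefixes in an smb.conf `valid users` line are evaluated when only UNIX group membership from /etc/group is consulted, so the expected result of "valid users = +www" can be written down and compared against what a winbind-backed member server actually grants. The group file, user names and the netgroup table are constructed sample data, and the prefix rules follow smb.conf(5).

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample /etc/group content; users and groups are hypothetical.
ETC_GROUP = """\
www:x:1001:alice,CSUOHIO\\bsmith
staff:x:1002:alice,carol
admins:x:1003:
"""


def parse_group_file(text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of member names from /etc/group style lines."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:          # malformed line: skip rather than guess
            continue
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def parse_valid_users(value: str) -> List[str]:
    """Split a 'valid users' value on commas or whitespace (both are allowed)."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def user_allowed(user: str, valid_users: str, groups: Dict[str, Set[str]],
                 netgroups: Optional[Dict[str, Set[str]]] = None) -> bool:
    """smb.conf(5) prefixes: '+g' UNIX group only, '&g' NIS netgroup only,
    '@g' netgroup first then UNIX group, bare token = exact user name."""
    netgroups = netgroups or {}
    for tok in parse_valid_users(valid_users):
        name = tok[1:]
        if tok.startswith("+") and user in groups.get(name, set()):
            return True
        if tok.startswith("&") and user in netgroups.get(name, set()):
            return True
        if tok.startswith("@") and (user in netgroups.get(name, set())
                                    or user in groups.get(name, set())):
            return True
        if tok[:1] not in "+&@" and tok == user:
            return True
    return False


def expand_valid_users(valid_users: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The explicit user list that a group-based line is equivalent to
    under UNIX-group semantics (the 'long valid users line' fallback)."""
    users: Set[str] = set()
    for tok in parse_valid_users(valid_users):
        if tok[:1] in "+@":
            users |= groups.get(tok[1:], set())
        elif tok[:1] != "&":
            users.add(tok)
    return users
```

The model deliberately consults only /etc/group; a difference between its verdict and the server's actual behaviour is exactly the symptom the message describes.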