Group membership confusion, UNIX, nested, and AD

Brian Gregorcy brian.gregorcy at utah.edu
Mon Jun 2 21:33:19 GMT 2008

Robert M. Martel - CSU wrote:
> Still hoping that someone can help clear this up.
> Greetings,
> I've been reading and re-reading "Chapter 12. Group Mapping: MS Windows
> and UNIX", Mailing list messages with the subjects "valid users = +group
> doesn't work" and "Unix ADS group membership or vice versa" and all I've
> gotten is more confused.
> I have to move my samba servers from a Samba PDC environment to Active
> Directory (AD) where they will be member servers.  I will NOT be able to
> make ANY changes to the AD configuration: it is dictated and controlled
> by those "on high."  I cannot add any groups to AD.  I can only
> manipulate the membership of the UNIX groups on my servers.
> I already have a test samba server (3.0.28a) as a member of AD.
> What I want is to be able to control access to "shares" using lines like
> "valid user +www" in smb.conf as I have in the past.  The groups I want
> to use are the UNIX groups on the AD member samba server.  I have added
> AD users as members of the UNIX groups in /etc/group
> It looks like Samba AD member servers will NOT look at local UNIX groups
> to check and see if an AD account is a member of the UNIX group.  I do
> not want to have to map each and every AD user to a corresponding local
> user - I thought accessing AD would cut down on the account management
> workload, not increase it.
> I fail to see where winbind's nested groups will help me solve this
> problem - as presented in the docs it seems to solve an MS Windows issue
> that I do not have.  Perhaps I still do not understand what the
> nested group is supposed to provide.
> Since I have no administrative access to the AD server, how am I to
> create nested groups?  The example shows:
>  net rpc group add demo -L -Uroot%not24get
> So it seems I would need some kind of administrative account to even
> create the nested group.  If not an AD account, I do not recall setting
> up an smbpassword for root as I did in the past on my samba PDC.  I am
> not a member of "Domain Administrators" in our AD setup, but that is a
> whole different set of questions.
> How would I make such a nested group the group owner for
> files/directories? Or would I then use the nested group in the "valid
> user" line of smb.conf?  Use groupmap to associate it with a UNIX group?
>  See, confusion.
> At this moment it seems my worst case/quick fix calls for long "valid
> user" lines listing the AD accounts that I wish to have access to
> certain shares - kinda' defeats the reason to have groups.  Why would
> Samba be written to ignore the group memberships?
> Thanks in advance to anyone that can help clear up my confusion about
> groups!
> -Bob Martel
Hi Bob,

I recently did something similar; this page helped me the most of
anything. I believe it was section 14.3:
> http://samba.dsmirror.nl/samba/docs/man/Samba-HOWTO-Collection/idmapper.html

However, I think you will need an account with privileges to join
machines to the domain. If the AD admins will not give you one, it is
possible to create an account that is not a domain administrator but can
add/remove objects from the domain; maybe they can create that type of
account for you.

Also here are my notes when I was setting up our fileserver, they may help:
> http://www.che.utah.edu/resources/supportwiki/index.php/Samba_and_Active_Directory

