[Samba] Winbind AND local users AND local groups
Duarte Alencastre
samba1.20.duarte-n-alencastre at spamgourmet.com
Wed Jun 25 03:05:17 GMT 2008
I'm using samba 3.0.28 as distributed by SUN on solaris 10 x86_64 5_08.
Samba and kerberos are configured to authenticate to a domain, and
domain user authentication, and access to shares goes smoothly.
I need to limit access to the samba shares to a few select groups.
The problem is those groups aren't showing up either in getent groups
or in wbinfo -g.
A conversation with the domain admin revealed that the groups that I need
were created as "Universal" as they contain members from several different
domains (with trust relationships).
I guessed that a good work-around for this would be to create local _unix_
groups and add the domain users to these groups.
I've tried this, but without success (the user still logs in, but can't write
unless the directory has write access to everyone).
Is there a config option that must be enabled in smb.conf (or somewhere
else) for this to work?
What is the correct way to add a domain user to a _unix_ group?
I've tried both:
lclgrp::15757:DOMAIN+domuser
lclgrp::15757:domuser
Also, I can't log in with a local unix user. Is the use of winbind mutually
exclusive of local logins?
If not, how can I enable it?
Thanks for your help,
Duarte Alencastre
smb.conf follows:
[global]
workgroup = DOMAIN
dns proxy = yes
security = ads
password server = *
wins server = wins.server.ip.address
netbiosname = myhost
#winbind separator = . # This isn't used in the configuration anywhere
winbind separator= +
#### disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum users = yes
winbind enum groups = yes
# This template can include the domain name if required
template homedir = /export/home/%U
template shell = /usr/bin/bash
# Allows login in as "username" instead of "NTDOMAIN.username"
winbind use default domain = Yes
allow trusted domains = Yes
[share_a]
comment= share_a
path = /storage/share_a
#Disabled acl check permissions and zfsacl due to zfsacl issues encountered
#Solaris 08/07 w/ Samba 3.0.25
acl check permissions = False
public = yes
writable = yes