[Samba] Unix ADS group membership or vice versa

Robert M. Martel - CSU r.martel at csuohio.edu
Fri May 23 19:16:14 GMT 2008

Ryan Bair wrote:
> You can't make a local user a member of an AD group since AD needs to
> know about them.
> You can however add an AD user to a local group just like you would
> for a local user.
> This is true with normal LDAP accounts as well.

I've spent a fair chunk of the day looking for a solution, and have only 
found people w/ similar problems.

I have NO ability to control/manipulate the Active Directory (AD) server 
- different group manages that resource.

I have a samba server as an AD.  Currently the AD users can access the 
Samba shares.  I have added some AD users to the local UNIX groups on 
the server but that does not seem to be working - while (UNIX) group 
membership should permit access to the resource, the users are being 
denied access by Samba - according to the logs.  I have used the 
"net groupmap add" to map the local UNIX group to a windows group in 
Samba.  Shouldn't this work?

How do I convince samba to check and see if an AD account is a member of 
a local UNIX  group?

On my older systems that are still using samba as a PDC this works fine 
- but I need to move the servers to AD for authentication.

What (obvious) step have I missed?

Samba version 3.0.28a on Solaris

Thanks in advance.


Bob Martel,System Administrator  I met someone who looks a lot like you
Levin College of Urban Affairs   She does the things you do
Cleveland State University       But she is an IBM
(216) 687-2214
r.martel at csuohio.edu                                -Jeff Lynne
