[Samba] AD Member server and local UNIX groups

Robert M. Martel - CSU r.martel at csuohio.edu
Wed Nov 12 16:19:22 GMT 2008


I hope someone can tell me if what I want to do is possible with Samba 
or not.  I have been searching for info and found a number of people 
with similar problems, but not an answer.

I have a Samba server (3.2.4) running on a Solaris 10 machine which is a 
member server in Active Directory (AD).  I am using winbind.  The AD 
users can access the samba server shares and UNIX services.

I want to control access to some samba shares by putting a group name 
in a 'valid users' entry for the share (as I have done in the past when 
we had a samba-based PDC.)

Our AD system is strictly HANDS-OFF, I cannot make any changes to it, 
cannot add groups, cannot change group memberships.  It is run by a 
different department.  So I cannot create my groups on the AD server.

I had thought I could add AD users as members to the local UNIX groups 
on the samba server and use those group names on my "valid users" lines 
in smb.conf.

When I tried that, what I mostly see is the following in the logs:
smblog.client:  User CSUNET\martel-test not in 'valid users'
smblog.client:  User CSUNET\1001362 not in 'valid users'

So, is what I want to do even possible?  If it is not, how do others 
work around group membership issues - I can't be the only person running 
a samba server where they are not permitted to alter the AD setup.  I 
can list AD users one at a time on the 'valid users' entry, but that 
will get cumbersome pretty quickly.

Thanks in advance
Bob Martel

Bob Martel,System Administrator  I met someone who looks a lot like you
Levin College of Urban Affairs   She does the things you do
Cleveland State University       But she is an IBM
(216) 687-2214
r.martel at csuohio.edu                                -Jeff Lynne
