[Samba] samba windows-2-unix group mapping troubles
no at spam at mgEDV.net
nospam at mgedv.net
Mon Apr 6 15:46:07 GMT 2009
hi,
i would like to allow access to specific samba shares, where
the windows domain user is NOT authenticated against the share
with its username, but with a membership of a given windows-group.
example:
windows-domain user "test01" -->
which is a member of windows domain group "smb_test01" -->
which gets mapped to the unix-group "smb01" -->
which is granted access to the share "testshare01".
this is needed to allow group admins to change share access
w/o needing to change anything on the samba server (not even
add local users or change group relationships on the ux server).
the samba 3.0.28 server is configured with SECURITY = ADS, is
a full member of the domain and can authenticate the users
successfully.
smb.conf (essentials shown):
[global]
netbios name = TESTUNIX
realm = test.local
security = ADS
server string = samba v3 testserver
workgroup = TEST
guest account = nobody
map to guest = never
idmap gid = 2000-2999
idmap uid = 2000-2999
[testshare01]
path = /data/samba/test01
read only = no
browseable = yes
valid users = @smb01
unix user:
smb01:x:2000:2000:testshare01:/data/samba/test01:/usr/bin/ksh
unix group:
smb01::2000:
windows user:
TEST\test01
windows group:
TEST\smb_test01
# net ads join -U <domainuser>%<password>
Using short domain name -- TEST
Joined 'TESTUNIX' to realm 'TEST.LOCAL'
# net groupmap add ntgroup="smb_test01" unixgroup="smb01" type=d
No rid or sid specified, choosing a RID
Got RID 5001
Successfully added group smb_test01 to the mapping db as a domain group
error message from the smb log:
[2009/04/06 17:38:06, 2, pid=9320, effective(0, 0), real(0, 0)]
smbd/service.c:(616)
user 'test01' (from session setup) not permitted to access this share
(testshare01)
please, if someone knows how to solve this, point me in the right direction
:)
cheers.