[Samba] samba windows-2-unix group mapping troubles

no at spam at mgEDV.net nospam at mgedv.net
Mon Apr 6 15:46:07 GMT 2009


I would like to allow access to specific samba shares, where
the windows domain user is NOT authenticated against the share
with its username, but with a membership of a given windows-group.

windows-domain user "test01" -->
which is a member of windows domain group "smb_test01" -->
which gets mapped to the unix-group "smb01" -->
which is granted access to the share "testshare01".

this is needed to allow group admins to change share access
w/o needing to change anything on the samba server (not even
add local users or change group relationships on the ux server).

The samba 3.0.28 server is configured with SECURITY = ADS, is
a full member of the domain and can authenticate the users.

smb.conf (essentials shown):
        netbios name = TESTUNIX
        realm = test.local
        security = ADS
        server string = samba v3 testserver
        workgroup = TEST
        guest account = nobody
        map to guest = never
        idmap gid = 2000-2999
        idmap uid = 2000-2999

        path = /data/samba/test01
        read only = no
        browseable = yes
        valid users = @smb01

unix user:

unix group:

windows user:

windows group:

# net ads join -U <domainuser>%<password>
Using short domain name -- TEST
Joined 'TESTUNIX' to realm 'TEST.LOCAL'

# net groupmap add ntgroup="smb_test01" unixgroup="smb01" type=d
No rid or sid specified, choosing a RID
Got RID 5001
Successfully added group smb_test01 to the mapping db as a domain group

error message from the smb log:
[2009/04/06 17:38:06, 2, pid=9320, effective(0, 0), real(0, 0)] 
  user 'test01' (from session setup) not permitted to access this share 

please, if someone knows how to solve this, point me in the right direction 
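The mapping chain the post describes (Windows user -> Windows domain group -> `net groupmap` entry -> UNIX group -> share `valid users`) can be walked through offline with a small model, which makes it easy to see which UNIX group a share actually asks for and whether a user's token would carry it. The script below is an added illustration written for this page; it is not Samba's code and not the poster's. It assumes the share header `[testshare01]` (the post omits it), a second user `test02`, the `net groupmap list` content and the group memberships, all of which are constructed. The `valid users` semantics modelled are the documented smb.conf ones: `@name`/`+name` name a UNIX group (`@` also tries NIS netgroups, not modelled here), a bare name is a user name, and an empty `valid users` imposes no restriction.

```python
"""Offline model of the Samba group-mapping access chain:
Windows user -> Windows domain group -> groupmap -> UNIX group -> share.
Added illustration, not Samba code. Section header [testshare01], user
test02, GROUPMAP and the memberships below are constructed assumptions."""
import re
from collections import defaultdict

# Constructed smb.conf fragment; the post shows no share header, so
# [testshare01] is assumed from the share name it mentions.
SMB_CONF = """
[global]
        security = ADS
        workgroup = TEST
        idmap uid = 2000-2999
        idmap gid = 2000-2999

[testshare01]
        path = /data/samba/test01
        read only = no
        valid users = @smb01
"""

# Constructed equivalent of `net groupmap list`: NT group -> UNIX group.
GROUPMAP = {"smb_test01": "smb01"}

# Constructed domain group memberships, as winbind would report them.
DOMAIN_GROUPS = {"test01": {"Domain Users", "smb_test01"},
                 "test02": {"Domain Users"}}

# Constructed local /etc/group memberships (domain users have none).
LOCAL_GROUPS = defaultdict(set)


def parse_smb_conf(text):
    """Return {section: {key: value}} for smb.conf-style text."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def valid_users_entries(sections, share):
    """Split a share's 'valid users' value on commas/whitespace."""
    value = sections.get(share, {}).get("valid users", "")
    return [e for e in re.split(r"[,\s]+", value) if e]


def unix_groups_for(user, groupmap):
    """UNIX groups in the user's token: local groups plus every UNIX group
    that one of the user's domain groups is mapped to via groupmap."""
    groups = set(LOCAL_GROUPS.get(user, ()))
    for nt_group in DOMAIN_GROUPS.get(user, ()):
        if nt_group in groupmap:
            groups.add(groupmap[nt_group])
    return groups


def share_permits(sections, share, user, groupmap):
    """Evaluate 'valid users' for one share against one user's token."""
    entries = valid_users_entries(sections, share)
    if not entries:
        return True                      # no restriction configured
    groups = unix_groups_for(user, groupmap)
    for entry in entries:
        if entry[0] in "@+&":            # group-style entry
            if entry[1:] in groups:
                return True
        elif entry == user:              # plain user name
            return True
    return False


def diagnose(sections, share, user, groupmap):
    """Show the groups the share asks for next to the groups in the token,
    which is the comparison behind 'not permitted to access this share'."""
    needed = {e[1:] for e in valid_users_entries(sections, share)
              if e[0] in "@+&"}
    return {"needed_groups": needed,
            "token_groups": unix_groups_for(user, groupmap),
            "permitted": share_permits(sections, share, user, groupmap)}


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for u in ("test01", "test02"):
        print(u, diagnose(conf, "testshare01", u, GROUPMAP))
    # Same user with the groupmap entry absent: the token never gains smb01.
    print("test01, no groupmap:", diagnose(conf, "testshare01", "test01", {}))
```

Running it prints, for each user, the UNIX groups the share requires, the groups the modelled token carries, and the resulting decision; the last line shows the failure mode where the `smb_test01` -> `smb01` mapping is missing from the token, which is the comparison to make against the real server with `net groupmap list` and the group output of `wbinfo`/`getent` for the user.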