[Samba] ID mapping help
Arwin L Tugade
arwin.tugade at csun.edu
Wed Aug 26 12:03:27 MDT 2009
Hey all,
I have a unique requirement: AD groups need to map over to Unix gids, and the existing permissions of Unix-only groups still need to be granted. Reading through the man pages, it seems this can be accomplished via idmap_nss. So my config looks like:
[global]
workgroup = SKUNKTEST
realm = SKUNKTEST.LOCAL
security = ads
preferred master = no
encrypt passwords = yes
log level = 5
log file = /var/log/samba/%m
max log size = 50
server string = Samba RnD Server
winbind enum groups = yes
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config SKUNKTEST: backend = nss
idmap config SKUNKTEST: range = 1000000-1999999
idmap config KRB: default = yes
idmap config KRB: backend = tdb
[foo]
comment = A Shared Drive
read only = no
path = /samba/arwin
When I do a "getent group" my winbindd-idmap.tdb populates with groups from AD with gid mappings (winbind is running, of course). When I access a share via Windows and go to the security tab, it looks something like:
Everyone
arwin (Unix User\arwin)
it_posix (Unix Group\it_posix)
My problem arises here. If someone other than myself who is in the it_posix group (LDAP) tries to access the file (perms are rwx for group), they get access denied. So apparently I should be able to "net groupmap" like:
net groupmap add ntgroup="testing" unixgroup=it_posix type=d
Which results in:
[root@krb samba]# net groupmap list verbose
testing
SID : S-1-5-21-471262856-1245818307-3878391063-11805
Unix gid : 5402
Unix group: itr_posix
Group type: Domain Group
Comment : Domain Unix group
The gid reported under "Unix gid" is good. Now the security tab looks like:
Everyone
arwin (Unix User\arwin)
testing (KRB\testing)
But people in that group still cannot access the file. It's only when I turn off winbind that they can access the file, but I want winbind running so ACLs can be distributed for the groups in winbindd-idmap.tdb.
Any help is appreciated.
Thanks,
Arwin
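One check a reader can run against the configuration above, added here as an example and not part of the original post: the idmap_nss man page documents the "range" as the set of IDs the backend is authoritative for, so a mapped gid that lies outside every configured range is the first thing worth confirming. The smb.conf idmap lines and the "net groupmap list verbose" output are embedded as constructed copies of what the post quotes; the script reports which configured ranges, if any, contain each mapped gid.

```python
import re

# Constructed inputs: the idmap lines and groupmap output quoted in the post.
SMB_CONF = """\
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config SKUNKTEST: backend = nss
idmap config SKUNKTEST: range = 1000000-1999999
idmap config KRB: default = yes
idmap config KRB: backend = tdb
"""
GROUPMAP_OUTPUT = """\
testing
SID : S-1-5-21-471262856-1245818307-3878391063-11805
Unix gid : 5402
Unix group: itr_posix
Group type: Domain Group
Comment : Domain Unix group
"""

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
DEFAULT_RE = re.compile(r"^\s*idmap gid\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_idmap_ranges(conf):
    """Return {domain or '*': (low, high)} for every gid range smb.conf declares."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
            continue
        m = DEFAULT_RE.match(line)
        if m:  # old-style global "idmap gid" range, keyed as '*'
            ranges["*"] = (int(m.group(1)), int(m.group(2)))
    return ranges

def parse_groupmap(output):
    """Return (ntgroup, gid) pairs from 'net groupmap list verbose' output."""
    entries, name = [], None
    for line in output.splitlines():
        if line.strip() and ":" not in line:
            name = line.strip()  # a bare line starts a new group entry
        m = re.match(r"\s*Unix gid\s*:\s*(\d+)", line)
        if m and name:
            entries.append((name, int(m.group(1))))
    return entries

def check_gid_ranges(conf, output):
    """Map each (group, gid) to the sorted list of ranges that contain the gid."""
    ranges = parse_idmap_ranges(conf)
    return {(n, g): sorted(d for d, (lo, hi) in ranges.items() if lo <= g <= hi)
            for n, g in parse_groupmap(output)}

if __name__ == "__main__":
    for (name, gid), covering in check_gid_ranges(SMB_CONF, GROUPMAP_OUTPUT).items():
        where = "inside " + ", ".join(covering) if covering else "outside every configured idmap range"
        print(f"{name}: gid {gid} is {where}")
```

For the posted values the script reports gid 5402 as outside every configured range, since both the global "idmap gid" range and the SKUNKTEST range start at 1000000.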