[Samba] Help needed: valid users

Chris Osicki osk at admin.swisscom-mobile.ch
Fri Sep 18 05:35:11 MDT 2009

On Thu, 17 Sep 2009 16:42:50 +0100
Alex Crow <acrow at integrafin.co.uk> wrote:

> > >
> > >   
> > I'm not sure that Samba checks the Linux groups but Linux does. In a 
> > Windows domain, all the accounts reside in the Domain. It may be 
> > checking the Linux accounts for shares on the DC, but wouldn't be able 
> > to on a member server. Perhaps one of the Linux gurus could answer your 
> > question. However, for operations in the domain, you're best to stick 
> > with domain entities, such as a domain group or domain user accounts. So 
> > long as Samba has sufficient privileges to access the local Linux share, 
> > it should be OK.
> Samba (and the windows clients) will only care about domain groups in
> the global context of a Samba domain, Unix local groups are pretty
> useless here. You need to sort out group mappings to map your local Unix
> group to a Samba group, then all should work fine.
> "net groupmap" on your domain controller is the way to go. You can then
> go on your merry way using Linux groups on the server across all your
> Windows clients and other Win/Samba member servers (given an appropriate
> way of resolving those groups across any other Samba/windows servers you
> may have - eg Winbind and LDAP).
> Seems this type of thing comes up a lot - should there be something
> prominent on TOSHARG about it?
> Alex

Thank you both Alex and Gary for your comments.
I guess there is somwhere a better explanation of the +group, the "(in)valid users" section
in smb.conf(5) is IMHO missleading.

I ended up listing all those users as domain\user and it work. Yes, it's ugly
but the DC is not under my control, thus not easy to to have/manage a group there.

Thanks for your time.

> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list