[Samba] Samba4 - mapping Network Drives based on Group membership

Andrew Bartlett abartlet at samba.org
Fri Mar 22 17:09:26 MDT 2013

On Wed, 2013-03-20 at 11:16 -0700, Varoujan Avanessians wrote:
> Hi All
> I have a problem running a logon script to map network drives based on
> Group Membership. The script is a VBScript that resides in the netlogon
> share. It Works just fine when the logged in user is a Domain Admin but
> fails to get the Group information when logged in as a regular user. For
> example when I login as administrator who is a member of every Group (For
> test only  all the requested Drives are mapped. When I login as testuser1
> who is a member of HR Group say,  only a Public drive is mapped and nothing
> else.
> This seems to be a permission issue querying  Active Directory, and I have
> no idea on how to give users the permission to Query the AD in Samba4. Can
> anyone help?

Are you running a domain provisioned with Samba 4.0.3 or later?

If you are running a version earlier than Samba 4.0.3 then a bug in our
ACL implementation would cause exactly this behaviour.  We also
corrected some default ACLs in the provision script provided with Samba

Also, you could evaluate group membership based on the user's
tokenGroups attribute on the rootdse entry.  This will catch recursive
group memberships, and would not be subject to any ACL restrictions.
(The downside for simple scripting is that binary SIDs are returned). 


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list