[Samba] Samba4 - mapping Network Drives based on Group membership
Andrew Bartlett
abartlet at samba.org
Fri Mar 22 17:09:26 MDT 2013
On Wed, 2013-03-20 at 11:16 -0700, Varoujan Avanessians wrote:
> Hi All
>
> I have a problem running a logon script to map network drives based on
> Group Membership. The script is a VBScript that resides in the netlogon
> share. It Works just fine when the logged in user is a Domain Admin but
> fails to get the Group information when logged in as a regular user. For
> example when I login as administrator who is a member of every Group (For
> test only all the requested Drives are mapped. When I login as testuser1
> who is a member of HR Group say, only a Public drive is mapped and nothing
> else.
>
> This seems to be a permission issue querying Active Directory, and I have
> no idea on how to give users the permission to Query the AD in Samba4. Can
> anyone help?
Are you running a domain provisioned with Samba 4.0.3 or later?
If you are running a version earlier than Samba 4.0.3 then a bug in our
ACL implementation would cause exactly this behaviour. We also
corrected some default ACLs in the provision script provided with Samba
4.0.3.
Also, you could evaluate group membership based on the user's
tokenGroups attribute on the rootdse entry. This will catch recursive
group memberships, and would not be subject to any ACL restrictions.
(The downside for simple scripting is that binary SIDs are returned).
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba
mailing list