[Samba] Group Mapping: All Users from a Domain group should be able to write to a local group
Rowland Penny
rowlandpenny at googlemail.com
Thu Apr 16 03:53:08 MDT 2015
On 16/04/15 09:57, Bingo Tuk wrote:
> Hello Mailinglist,
>
> I have created a local user "localuser" who is in the local group
> "localgroup"
>
> $ id
> uid=1001(localuser) gid=1001(localgroup) groups=1001(localgroup)
>
> My machine authenticates against Active Directory - works
>
> The AD-User "aduser" belongs to a domain group "adgroup"
> $ id
> uid=6161(aduser) gid=5513(domänen-benutzer)
> groups=5513(domänen-benutzer),10656(adgroup)
>
> I have mapped the local group and the adgroup with the command
> net groupmap add ntgroup="adgroup" unixgroup=localgroup rid=10656 type=d
>
> That works also
> # net groupmap list
> adgroup (S-1-5-21-000098831-0000488756-4286701815-10656) -> localgroup
>
> Anyway, the user "aduser" can't write a file with the group "localgroup"
>
> What am I missing? Any hints?
>
> Thank you very much
You are missing the fact that you don't map groups any more with AD,
that is an NT-4 style PDC thing. Just give the AD group a uidNumber and
use the winbind 'ad' backend or use the 'rid' winbind backend, in which
case you do not need to do anything.
Rowland
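
The two winbind backends named in the reply, as an added smb.conf sketch that is not part of the original message. The domain name EXAMPLE, the realm and the ID ranges are constructed placeholders, not values from this thread.

```ini
[global]
    # Placeholder realm and short domain name (assumptions).
    security = ads
    realm = EXAMPLE.COM
    workgroup = EXAMPLE

    # Default domain: BUILTIN and other non-domain SIDs.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Option A: 'rid' backend. Unix IDs are computed from the RID of each
    # AD user and group, so nothing has to be stored in AD.
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    # Option B: 'ad' backend. Unix IDs are read from the RFC 2307
    # attributes stored on the AD objects. Use instead of option A.
    # idmap config EXAMPLE : backend = ad
    # idmap config EXAMPLE : schema_mode = rfc2307
    # idmap config EXAMPLE : range = 10000-999999

    # The ranges of different domains must not overlap. Changing a backend
    # or range on a machine that already holds files changes the IDs that
    # winbind returns, so existing ownership and group permissions need
    # to be reviewed afterwards.
```

With either backend the AD group resolves directly to a Unix group, which can be checked with `getent group` and then used in file group ownership or ACLs.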