[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication

Rowland penny rpenny at samba.org
Tue Jun 18 11:59:04 UTC 2019

On 18/06/2019 12:47, Goetz, Patrick G via samba wrote:
> On 6/18/19 3:22 AM, Rowland penny via samba wrote:
>> OK, I created a new share and two new unix groups and set ownership to
>> 'root' and one of the new groups. I added the second group to the first
>> group as a member (and its only member) and then added a user to the
>> second group.
>> Logged into win7 as the user, opened Windows Explorer -> Network and
>> navigated to the share and created a new txt document, which worked. So,
>> yes, it looks like nested groups work with winbindd.
> Where did you create the unix groups?
I would have thought that was obvious due to the fact that you cannot 
add a group to a group on Unix ;-)

But anyway, I created them in AD using samba-tool:

samba-tool group add nesttestA --nis-domain=samdom --gid-number=10015

However, it wasn't until after I posted that I realised I have been 
using nested groups for years. I use a Unix group called 'Unix Admins', 
which is a member of 'Domain Admins'. I do this so I do not have to give 
'Domain Admins' a gidNumber; 'Unix Admins' inherits all of 'Domain 
Admins' permissions.
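
Added example, not part of the original message or of Samba's own code: a Python check that expands nested group membership, to show which users end up in a group such as 'Domain Admins' only through nesting. The member lists are constructed sample data of the kind `samba-tool group listmembers` prints; nesttestB, testuser, alice, bob, loopA and loopB are made-up names.

```python
from collections import deque

# Constructed sample data: direct members of each group. Only nesttestA,
# 'Unix Admins' and 'Domain Admins' are names from the message above.
DIRECT_MEMBERS = {
    "nesttestA": ["nesttestB"],            # group nested in a group
    "nesttestB": ["testuser"],
    "Domain Admins": ["Administrator", "Unix Admins"],
    "Unix Admins": ["alice"],
    "loopA": ["loopB", "bob"],             # circular nesting, must not hang
    "loopB": ["loopA"],
}


def effective_members(group, direct):
    """Return {user: [chain of groups]} for every user who is in `group`
    directly or through nested groups. A name that is a key of `direct`
    is treated as a group; any other name is treated as a user."""
    found = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, chain = queue.popleft()
        for member in direct.get(current, []):
            if member in direct:
                # Nested group: expand it once, skip it if already visited.
                if member not in seen:
                    seen.add(member)
                    queue.append((member, chain + [member]))
            else:
                # Breadth-first order means the first chain is the shortest.
                found.setdefault(member, chain)
    return found


def indirect_members(group, direct):
    """Users whose membership of `group` exists only through nesting."""
    members = effective_members(group, direct)
    return sorted(u for u, chain in members.items() if len(chain) > 1)


if __name__ == "__main__":
    for name in ("nesttestA", "Domain Admins", "loopA"):
        for user, chain in sorted(effective_members(name, DIRECT_MEMBERS).items()):
            print(f"{name}: {user} via {' -> '.join(chain)}")
```

Users reported by `indirect_members` do not appear in the group's direct member list, so a review of privileged groups has to follow the nesting to find them.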

