Robert M. Martel - CSU wrote:
Still hoping that someone can help clear this up.


Greetings,

I've been reading and re-reading "Chapter 12. Group Mapping: MS Windows
and UNIX", mailing list messages with the subjects "valid users = +group
doesn't work" and "Unix ADS group membership or vice versa" and all I've
gotten is more confused.

I have to move my samba servers from a Samba PDC environment to Active
Directory (AD) where they will be member servers.  I will NOT be able to
make ANY changes to the AD configuration: it is dictated and controlled
by those "on high."  I cannot add any groups to AD.  I can only
manipulate the membership of the UNIX groups on my servers.

I already have a test samba server (3.0.28a) as a member of AD.

What I want is to be able to control access to "shares" using lines like
"valid user +www" in smb.conf as I have in the past.  The groups I want
to use are the UNIX groups on the AD member samba server.  I have added
AD users as members of the UNIX groups in /etc/group

It looks like Samba AD member servers will NOT look at local UNIX groups
to check and see if an AD account is a member of the UNIX group.  I do
not want to have to map each and every AD user to a corresponding local
user - I thought accessing AD would cut down on the account management
workload, not increase it.

I fail to see where winbind's nested groups will help me solve this
problem - as presented in the docs it seems to solve an MS Windows issue
that I do not have.  Perhaps I still do not understand what the
nested group is supposed to provide.

Since I have no administrative access to the AD server, how am I to
create nested groups?  The example shows:

 net rpc group add demo -L -Uroot%not24get

So it seems I would need some kind of administrative account to even
create the nested group.  If not an AD account, I do not recall setting
up an smbpassword for root as I did in the past on my samba PDC.  I am
not a member of "Domain Administrators" in our AD setup, but that is a
whole different set of questions.

How would I make such a nested group the group owner for
files/directories? Or would I then use the nested group in the "valid
user" line of smb.conf?  Use groupmap to associate it with a UNIX group?
See, confusion.

At this moment it seems my worst case/quick fix calls for long "valid
user" lines listing the AD accounts that I wish to have access to
certain shares - kinda' defeats the reason to have groups.  Why would
Samba be written to ignore the group memberships?

Thanks in advance to anyone that can help clear up my confusion about
groups!

-Bob Martel

Hi Bob,

I recently did something similar; this page helped me the most of anything, I believe it was section 14.3:
http://samba.dsmirror.nl/samba/docs/man/Samba-HOWTO-Collection/idmapper.html

However, I think you will need an account with privileges to join machines to the domain. If the AD admins will not give you one, it is possible to create an account that is not a domain administrator but can add/remove objects from the domain; maybe they can create that type of account for you.

Also here are my notes when I was setting up our fileserver, they may help:
http://www.che.utah.edu/resources/supportwiki/index.php/Samba_and_Active_Directory
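The question above turns on what a `valid users = +www` line actually checks. The script below is an added illustration, not code from the Samba project or from either poster: it models the documented token forms of `valid users` (a bare user name, `+group` for a UNIX group looked up through NSS, `@group` for a NIS netgroup with fallback to a UNIX group, `&group` for a NIS netgroup only) and evaluates them against a constructed `/etc/group` sample. The sample entries, the domain name `EXAMPLE` and the user names are invented. The point worth checking on a winbind AD member server is visible in the sample: an AD account is known to the system under the name that `getent passwd` returns for it (typically `DOMAIN\user`, or `DOMAIN+user` depending on the winbind separator, unless `winbind use default domain = yes`), so an `/etc/group` entry that lists only the short name never matches.

```python
"""Evaluate an smb.conf 'valid users' value against UNIX group data.

Added example, not Samba code. Name comparison here is literal, which is
enough to show why the exact user name form matters in /etc/group.
"""

from typing import Dict, List, Optional, Set

# Constructed /etc/group sample for an AD member server running winbind.
# 'EXAMPLE\alice' is the form getent would return for an AD account when
# the domain prefix is kept; 'alice' alone is a different (non-existent) user.
SAMPLE_ETC_GROUP = """\
root:x:0:
www:x:33:bob,EXAMPLE\\alice
staff:x:50:EXAMPLE\\carol,EXAMPLE\\alice
"""


def parse_etc_group(text: str) -> Dict[str, Set[str]]:
    """Return {group name: set of explicit member names} from /etc/group text."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed entry; NSS skips these as well
        name, members = fields[0], fields[3]
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_valid_users(value: str) -> List[str]:
    """Split a 'valid users' value on commas and whitespace."""
    return value.replace(",", " ").split()


def user_allowed(user: str, valid_users: str, groups: Dict[str, Set[str]],
                 primary_groups: Optional[Dict[str, str]] = None) -> bool:
    """Return True if 'user' matches any token of the 'valid users' value.

    UNIX group membership counts both the explicit member list and the
    user's primary group (the GID from the passwd entry), since that is what
    the NSS lookups behind Samba's group check see. 'primary_groups' is a
    constructed {user: group} map standing in for the passwd GID field.
    """
    primary_groups = primary_groups or {}

    def in_unix_group(group: str) -> bool:
        members = groups.get(group)
        if members is None:
            return False  # unknown group: the token matches nobody
        return user in members or primary_groups.get(user) == group

    for token in parse_valid_users(valid_users):
        if token[:1] in ("+", "@"):
            # '@' would try a NIS netgroup first; with no NIS it falls back
            # to the UNIX group, so both forms behave the same here.
            if in_unix_group(token[1:]):
                return True
        elif token.startswith("&"):
            continue  # NIS netgroup only; not modelled in this example
        elif token == user:
            return True
    return False


if __name__ == "__main__":
    g = parse_etc_group(SAMPLE_ETC_GROUP)
    for name in ("bob", "EXAMPLE\\alice", "alice", "EXAMPLE\\carol"):
        print(f"{name!r:20} valid users = +www -> {user_allowed(name, '+www', g)}")
```

Running it shows `bob` and `EXAMPLE\alice` admitted by `+www` while the bare `alice` is not, which is the check to make with `getent passwd` and `getent group www` before assuming Samba ignores the UNIX group.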



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba