I'm using Samba 3.0.28 as distributed by SUN on Solaris 10 x86_64 5_08.

Samba and Kerberos are configured to authenticate to a domain, and
domain user authentication and access to shares go smoothly.

I need to limit access to the samba shares to a few select groups.
The problem is those groups aren't showing either in getent groups
or in wbinfo -g.

A conversation with the domain admin revealed that the groups that I need
were created as "Universal" as they contain members from several different
domains (with trust relationships).

I guessed that a good work-around for this would be to create local _unix_
groups and add the domain users to these groups.
I've tried this, but without success (the user still logs in, but can't write
unless the directory has write access to everyone).
Is there a config option that must be enabled in smb.conf (or somewhere
else) for this to work?
What is the correct way to add a domain user to a _unix_ group?
I've tried both:
lclgrp::15757:DOMAIN+domuser
lclgrp::15757:domuser

Also, I can't log in with a local unix user. Is the use of winbind mutually
exclusive of local logins?
If not, how can I enable it?

Thanks for your help,
Duarte Alencastre

smb.conf follows:

[global]
        workgroup = DOMAIN
        dns proxy = yes 
        security = ads
        password server = *
        wins server = wins.server.ip.address
        netbiosname = myhost
        #winbind separator = . # This isn't used in the configuration anywhere
        winbind separator=  +

        #### disable printing
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        idmap uid = 15000-20000
        idmap gid = 15000-20000

        winbind enum users = yes
        winbind enum groups = yes

        # This template can include the domain name if required
        template homedir = /export/home/%U
        template shell = /usr/bin/bash

        # Allows login in as "username" instead of "NTDOMAIN.username" 
        winbind use default domain = Yes 
        allow trusted domains = Yes

[share_a]
        comment= share_a
        path = /storage/share_a
        # Disabled acl check permissions and zfsacl due to zfsacl issues
        # encountered Solaris 08/07 w/ Samba 3.0.25
        acl check permissions = False
        public = yes
        writable = yes