Hello,

I got a Samba setup with a Samba server being part of a Windows Domain, which is working great. I can authenticate using all domain users and so on without any problem.

Now I added a local group named "rai-additional" to my Samba system and added a domain user to that group (using DOMAIN+username). "getent passwd DOMAIN+username" the domain groups and "rai-additional" as groups, which is exactly what I want.

Unfortunately, when I set "valid users = @rai-additional", the user DOMAIN+username cannot access the share. It works if I use a domain group, e.g. "valid users = @DOMAIN+some-group". So it seems Samba just ignores local groups. That also seems the conclusion made some other times in the past (unfortunately, all of them around two years ago) [1].

Now my question would be: is there a workaround for this or is this planned for a future Samba release? Or am I just doing something wrong and it is already possible? Unfortunately, I couldn't find any notice of that in the official documentation (maybe I just use the right search words?)

Thank you for your help!

Philipp

[1] http://groups.google.com/group/mailing.unix.samba/browse_thread/thread/615bcd6ba0731aed/c988151e7ff6000e?lnk=st&q=group%3Amailing.unix.samba*+%22local+group%22+winbind&rnum=9#c988151e7ff6000e

On Fri, 2007-21-09 at 00:30 +0200, Philipp Wagner wrote:
> Hello,
>
> I got a Samba setup with a Samba server being part of a Windows Domain,
> which is working great. I can authenticate using all domain users and so
> on without any problem.
> Now I added a local group named "rai-additional" to my Samba system and
> added a domain user to that group (using DOMAIN+username).
> "getent passwd DOMAIN+username" the domain groups and "rai-additional"
> as groups, which is exactly what I want.
> Unfortunately, when I set "valid users = @rai-additional", the user
> DOMAIN+username cannot access the share. It works if I use a domain
> group, e.g. "valid users = @DOMAIN+some-group". So it seems Samba just
> ignores local groups. That also seems the conclusion made some other
> times in the past (unfortunately, all of them around two years ago) [1].
>

Did you do a groupmap of your local group? Something like:

    net groupmap add ntgroup="Windows group" unixgroup=yourunixgroup type=d rid=yourunixgroupid

Example:

    net groupmap add ntgroup="Domain Admins" unixgroup=wheel type=d rid=512
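
A check that can be run before changing anything in Samba, added here as an example (it is not from either post and is not Samba code): it asks NSS which groups the account resolves to and tests a "valid users" value against them. It models only the Unix-group side of '@' and '+' entries, skips '&' (netgroup) entries, and compares names exactly; the function names are made up for the example.

```python
import grp
import os
import pwd
import re
import sys


def parse_valid_users(value):
    """Split a 'valid users' value; double-quoted names may contain spaces."""
    return [quoted or bare
            for quoted, bare in re.findall(r'"([^"]+)"|([^\s,]+)', value)]


def nss_groups(user):
    """Group names NSS (files plus winbind) reports for user, primary included."""
    primary = pwd.getpwnam(user).pw_gid
    names = set()
    for gid in os.getgrouplist(user, primary):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass  # gid with no name in any NSS source
    return names


def matching_entry(value, user, groups):
    """Return the first entry that admits user at the Unix level, else None."""
    for entry in parse_valid_users(value):
        if entry[0] in "@+":        # group entry: compare against NSS groups
            if entry[1:] in groups:
                return entry
        elif entry[0] == "&":       # NIS netgroup only: not evaluated here
            continue
        elif entry == user:         # plain user name
            return entry
    return None


if __name__ == "__main__":
    # Usage: script.py 'DOMAIN+username' '@rai-additional'
    account, valid_users = sys.argv[1], sys.argv[2]
    resolved = nss_groups(account)
    print("NSS groups:", ", ".join(sorted(resolved)))
    print("admitted by:", matching_entry(valid_users, account, resolved))
```

If this reports a match for "@rai-additional" while smbd still refuses the user, the membership is visible to the operating system and the difference lies in how Samba evaluates the group.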