Robert M. Martel - CSU
2008-May-28  18:14 UTC
[Samba] Group membership confusion, UNIX, nested, and AD
Greetings,

I've been reading and re-reading "Chapter 12. Group Mapping: MS Windows and UNIX", the mailing list messages with the subjects "valid users = +group doesn't work" and "Unix ADS group membership or vice versa", and all I've gotten is more confused.

I have to move my Samba servers from a Samba PDC environment to Active Directory (AD), where they will be member servers. I will NOT be able to make ANY changes to the AD configuration: it is dictated and controlled by those "on high." I cannot add any groups to AD. I can only manipulate the membership of the UNIX groups on my servers. I already have a test Samba server (3.0.28a) as a member of AD.

What I want is to be able to control access to "shares" using lines like "valid user +www" in smb.conf as I have in the past. The groups I want to use are the UNIX groups on the AD member Samba server. I have added AD users as members of the UNIX groups in /etc/group. It looks like Samba AD member servers will NOT look at local UNIX groups to check and see if an AD account is a member of the UNIX group. I do not want to have to map each and every AD user to a corresponding local user - I thought accessing AD would cut down on the account management workload, not increase it.

I fail to see where winbind's nested groups will help me solve this problem - as presented in the docs it seems to solve an MS Windows issue that I do not have. Perhaps I still do not understand what the nested group is supposed to provide. Since I have no administrative access to the AD server, how am I to create nested groups? The example shows:

net rpc group add demo -L -Uroot%not24get

So it seems I would need some kind of administrative account to even create the nested group. If not an AD account, I do not recall setting up an smbpassword for root as I did in the past on my Samba PDC. I am not a member of "Domain Administrators" in our AD setup, but that is a whole different set of questions.
How would I make such a nested group the group owner for files/directories? Or would I then use the nested group in the "valid user" line of smb.conf? Use groupmap to associate it with a UNIX group? See, confusion.

At this moment it seems my worst case/quick fix calls for long "valid user" lines listing the AD accounts that I wish to have access to certain shares - kinda' defeats the reason to have groups. Why would Samba be written to ignore the group memberships?

Thanks in advance to anyone that can help clear up my confusion about groups!

-Bob Martel

--
***********************************************************************
Bob Martel, System Administrator
Levin College of Urban Affairs
Cleveland State University
(216) 687-2214
r.martel@csuohio.edu

I met someone who looks a lot like you
She does the things you do
But she is an IBM
-Jeff Lynne
***********************************************************************
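As an added illustration (not part of the post and not Samba's own code), the following is a simplified offline model of how the `valid users` prefixes documented in smb.conf(5) are evaluated: `+name` is a UNIX group, `&name` a NIS netgroup, `@name` tries the netgroup first and then the UNIX group, and anything else is a user name. The /etc/group lines and the netgroup map are constructed for the example, and it assumes membership is decided by an exact match on the user name that NSS presents (here the winbind form "CSU\bob", not plain "bob"), which is the mismatch the post describes.

```python
# Added example: simplified model of smb.conf "valid users" evaluation
# against /etc/group and a netgroup map. Not Samba's implementation;
# primary groups from /etc/passwd and SID-based tokens are ignored.
from typing import Dict, Set

# Constructed /etc/group content. The AD user is listed under the exact
# name NSS (winbind) presents, "CSU\bob"; a bare "bob" would not match.
ETC_GROUP = """\
www:x:1001:CSU\\bob,alice
staff:x:1002:alice
nobody:x:65534:
"""

# Constructed (hypothetical) NIS netgroup map: netgroup -> member users.
NETGROUPS: Dict[str, Set[str]] = {"webadmins": {"carol"}}


def parse_etc_group(text: str) -> Dict[str, Set[str]]:
    """Parse /etc/group lines into {group: {supplementary members}}."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def in_unix_group(user: str, group: str, groups: Dict[str, Set[str]]) -> bool:
    return user in groups.get(group, set())


def in_netgroup(user: str, netgroup: str) -> bool:
    return user in NETGROUPS.get(netgroup, set())


def allowed(user: str, valid_users: str, groups: Dict[str, Set[str]]) -> bool:
    """True if user matches any token of a 'valid users' value."""
    for token in valid_users.replace(",", " ").split():
        if token.startswith("+"):          # UNIX group only
            if in_unix_group(user, token[1:], groups):
                return True
        elif token.startswith("&"):        # NIS netgroup only
            if in_netgroup(user, token[1:]):
                return True
        elif token.startswith("@"):        # netgroup first, then UNIX group
            if in_netgroup(user, token[1:]) or in_unix_group(user, token[1:], groups):
                return True
        elif token == user:                # plain user name
            return True
    return False


GROUPS = parse_etc_group(ETC_GROUP)
```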
Robert M. Martel - CSU
2008-Jun-02  20:53 UTC
[Samba] Group membership confusion, UNIX, nested, and AD
Still hoping that someone can help clear this up.

-Bob Martel

--
***********************************************************************
Bob Martel, System Administrator
Levin College of Urban Affairs
Cleveland State University
(216) 687-2214
r.martel@csuohio.edu

I met someone who looks a lot like you
She does the things you do
But she is an IBM
-Jeff Lynne
***********************************************************************