I'm using Samba 3.0.28 as distributed by SUN on Solaris 10 x86_64 5_08.

Samba and Kerberos are configured to authenticate to a domain, and domain user authentication and access to shares go smoothly.

I need to limit access to the Samba shares to a few select groups. The problem is that those groups aren't showing in either getent groups or wbinfo -g. A conversation with the domain admin revealed that the groups that I need were created as "Universal", as they contain members from several different domains (with trust relationships).

I guessed that a good work-around for this would be to create local _unix_ groups and add the domain users to these groups. I've tried this, but without success (the user still logs in, but can't write unless the directory has write access for everyone).

Is there a config option that must be enabled in smb.conf (or somewhere else) for this to work?

What is the correct way to add a domain user to a _unix_ group? I've tried both:

    lclgrp::15757:DOMAIN+domuser
    lclgrp::15757:domuser

Also, I can't log in with a local unix user. Is the use of winbind mutually exclusive with local logins? If not, how can I enable it?

Thanks for your help,
Duarte Alencastre

smb.conf follows:

    [global]
    workgroup = DOMAIN
    dns proxy = yes
    security = ads
    password server = *
    wins server = wins.server.ip.address
    netbiosname = myhost
    #winbind separator = .
    # This isn't used in the configuration anywhere
    winbind separator= +
    #### disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    idmap uid = 15000-20000
    idmap gid = 15000-20000
    winbind enum users = yes
    winbind enum groups = yes
    # This template can include the domain name if required
    template homedir = /export/home/%U
    template shell = /usr/bin/bash
    # Allows login in as "username" instead of "NTDOMAIN.username"
    winbind use default domain = Yes
    allow trusted domains = Yes

    [share_a]
    comment= share_a
    path = /storage/share_a
    #Disabled acl check permissions and zfsacl due to zfsacl issues encountered Solaris 08/07 w/ Samba 3.0.25
    acl check permissions = False
    public = yes
    writable = yes