Robert M. Martel - CSU
2008-Nov-12 16:38 UTC
[Samba] AD Member server and local UNIX groups
Greetings,

I hope someone can tell me if what I want to do is possible with Samba or not. I have been searching for info and found a number of people with similar problems, but not an answer.

I have a Samba server (3.2.4) running on a Solaris 10 machine which is a member server in Active Directory (AD). I am using winbind. The AD users can access the samba server shares and UNIX services.

I want to control access to some samba shares by putting a group name in a 'valid users' entry for the share (as I have done in the past when we had a samba-based PDC.)

Our AD system is strictly HANDS-OFF, I cannot make any changes to it, cannot add groups, cannot change group memberships. It is run by a different department. So I cannot create my groups on the AD server.

I had thought I could add AD users as members to the local UNIX groups on the samba server and use those group names on my "valid users" lines in smb.conf. When I tried that what I mostly see is the following in the logs:

    smblog.client: User CSUNET\martel-test not in 'valid users'
    smblog.client: User CSUNET\1001362 not in 'valid users'

So, is what I want to do even possible? If it is not, how do others work around group membership issues - I can't be the only person running a samba server where they are not permitted to alter the AD setup. I can list AD users one at a time on the 'valid users' entry, but that will get cumbersome pretty quickly.

Thanks in advance

Bob Martel

--
***********************************************************************
Bob Martel, System Administrator     I met someone who looks a lot like you
Levin College of Urban Affairs       She does the things you do
Cleveland State University           But she is an IBM
(216) 687-2214
r.martel@csuohio.edu                 -Jeff Lynne
***********************************************************************

On Wed, Nov 12, 2008 at 11:19:22AM -0500, Robert M. Martel - CSU wrote:
> So, is what I want to do even possible? If it is not, how do others
> work around group membership issues - I can't be the only person running
> a samba server where they are not permitted to alter the AD setup. I
> can list AD users one at a time on the 'valid users' entry, but that
> will get cumbersome pretty quickly.

It is possible: You will have to add winbind-style local groups. Look at "net sam createlocalgroup", "net sam addmem" and "net sam delmem".

Volker