I posed this question earlier but it was with another question and I think it got lost.

I have winbindd up and running and working great.

If I add NT domain users to an NT domain global group, add that group to a local linux group in /etc/group, and then assign that local linux group ownership of an object (file or dir) should this work? In other words, can you still use local linux groups as you would local groups on an NT member server once winbindd is running?

Doug
MCCALL,DON (HP-USA,ex1)
2002-Feb-12 13:38 UTC
[Samba] linux groups & NT global groups with winbindd
Hi Doug,

I'm going to make an educated guess: NO.
At least on HP-UX, the entries in the /etc/group file are of the form

    groupname:...:gid:username,username.....

NOTE the "username"....
Unix (afaik) does not support the concept of 'nested' groups. A Unix group contains names that resolve to UIDs, not GIDs.

On top of this, there is also the fact that when you authenticate via winbindd, you are authenticating as the NT user, and will be bounded by the NT groups you are a member of. So when samba is checking to see what groups you are a member of, it's not looking in the /etc/group file at all. I'm NOT looking at the code while I'm writing this, so I could be wrong - I graciously accept corrections, if anyone knows different...

So I wouldn't expect this to work.

Hope this helps,
Don

-----Original Message-----
From: Doug Aldridge [mailto:doug@aldridge.net]
Sent: Tuesday, February 12, 2002 4:20 PM
To: samba@lists.samba.org
Subject: [Samba] linux groups & NT global groups with winbindd

> I posed this question earlier but it was with another question and I think it got lost.
>
> I have winbindd up and running and working great.
>
> If I add NT domain users to an NT domain global group, add that group to a local linux group in /etc/group, and then assign that local linux group ownership of an object (file or dir) should this work? In other words, can you still use local linux groups as you would local groups on an NT member server once winbindd is running?
>
> Doug
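Added example (not part of the original message or of Samba): the member field of a group(5) line is a list of usernames, so a group name placed there is not expanded into its members. The sketch below audits group-file text for such entries; the sample lines and the user and group name sets are constructed and stand in for `/etc/group`, `getent passwd` and `getent group` on a real host.

```python
# Added example: flag /etc/group member entries that name a group, not a user.
# All data below is constructed for illustration.

SAMPLE_GROUP = """\
projects:x:1001:alice,WT1/testgroup1
staff:x:1002:alice,bob
broken-line-without-fields
"""
# Constructed stand-ins for the names getent passwd / getent group would return.
KNOWN_USERS = {"alice", "bob", "WT1/ddmc"}
KNOWN_GROUPS = {"projects", "staff", "WT1/testgroup1", "WT1/testgroup2"}


def parse_group(text):
    """Yield (groupname, gid, [members]) for each well-formed group(5) line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # malformed line: skipped here, a real audit would report it
        members = [m for m in fields[3].split(",") if m]
        yield fields[0], int(fields[2]), members


def audit(text, users, groups):
    """Return (group, member, kind) for members that do not resolve to a user."""
    findings = []
    for name, _gid, members in parse_group(text):
        for member in members:
            if member in users:
                continue  # resolves to a user: a normal membership
            # A group name here grants nothing to that group's members.
            kind = "group-name" if member in groups else "unknown"
            findings.append((name, member, kind))
    return findings


if __name__ == "__main__":
    for group, member, kind in audit(SAMPLE_GROUP, KNOWN_USERS, KNOWN_GROUPS):
        print(f"{group}: member '{member}' is not a user ({kind})")
```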
MCCALL,DON (HP-USA,ex1)
2002-Feb-12 14:20 UTC
[Samba] linux groups & NT global groups with winbindd
Hi Doug,

Well, that's sticky. If your U*IX version supports posix acls, you should be able to do something like the following (assuming you have a domain named wt1, and a couple of global groups named testgroup1 and testgroup2):
(you may have a different commandline on your unix box for setting acl's - this is specifically for HP-UX):

    # setacl -m group:wt1/testgroup1:rwx /home/ddmc/junk
    # setacl -m group:wt1/testgroup2:rw /home/ddmc/junk
    # getacl /home/ddmc/junk
    # file: /home/ddmc/junk
    # owner: WT1/ddmc
    # group: WT1/Doma
    user::rwx
    group::r-x
    group:WT1/test:rwx
    group:WT1/test:rw
    class:rwx
    other:r-x

(Note that the two group ace's are indistinguishable in the getacl listing, as it expects (on HP-UX) a groupname to be no more than 8 characters long - but it's the GID that's actually kept in the ace, so it DOES know the difference)...

THEORETICALLY, you should be able to rightclick on the folder/filename from your windows client and choose security and add group permissions in that manner, but I haven't gotten that to work, myself - probably my bad...

Hope this helps,
Don

-----Original Message-----
From: Doug Aldridge [mailto:doug@aldridge.net]
Sent: Tuesday, February 12, 2002 4:49 PM
To: samba@lists.samba.org
Subject: Re: [Samba] linux groups & NT global groups with winbindd

> Don,
>
> That makes sense. At least my situation is not unique. However, since you cannot add domain global groups to linux local groups then how would one assign rights to a linux file or dir to multiple NT domain groups? Any thoughts?
>
> Thanks again!!
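Added example (not part of the original thread, and not HP-UX or Samba code): a small model of the POSIX.1e-style group access check, showing why two ACL entries that print with the same truncated name still grant different rights, since each entry is keyed by GID. The UID, GIDs and ACL values are constructed; named-user entries are left out to keep the model short.

```python
# Added example: POSIX.1e-style group access check keyed by GID.
# UIDs, GIDs and the ACL are constructed; group names mirror the thread's example.

R, W, X = 4, 2, 1

GROUP_NAMES = {10001: "WT1/testgroup1", 10002: "WT1/testgroup2"}

ACL = {
    "owner_uid": 10500,
    "owning_gid": 10000,
    "user_obj": R | W | X,                        # user::rwx
    "group_obj": R | X,                           # group::r-x
    "named_groups": {10001: R | W | X, 10002: R | W},
    "mask": R | W | X,                            # "class" in the getacl listing
    "other": R | X,                               # other:r-x
}


def listing_name(gid, width=8):
    """Group name as a fixed-width listing shows it (truncated to width chars)."""
    return GROUP_NAMES[gid][:width]


def allowed(acl, uid, gids, want):
    """True if a process with this uid and these gids gets every bit in want."""
    if uid == acl["owner_uid"]:
        return acl["user_obj"] & want == want
    matched = False
    for gid in gids:
        if gid == acl["owning_gid"]:
            perms = acl["group_obj"]
        elif gid in acl["named_groups"]:
            perms = acl["named_groups"][gid]
        else:
            continue
        matched = True
        # Group-class entries are capped by the mask before they are compared.
        if perms & acl["mask"] & want == want:
            return True
    if matched:
        return False  # a group entry matched but none grants it: no fallback to other
    return acl["other"] & want == want


if __name__ == "__main__":
    print(listing_name(10001), listing_name(10002))   # same text, different GIDs
    print(allowed(ACL, 10501, [10001], X), allowed(ACL, 10501, [10002], X))
```

A member of the second group is refused execute even though `other` has it, because a matching group entry ends the search.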