Bill Town
2002-Mar-19 14:54 UTC
[Samba] Quick question on adding Winbind/NIS groups to a Samba ACL
Hi all-

First a little background and infrastructure: After a long arduous road I got my Samba file server to authenticate with Winbind and/or NIS (synced with AD) in a Native Mode Active Directory. I can logon to the Linux server locally and also gain access to a file share via a windows box with accounts in either. Samba is running on a Linux 7.2 server with Kernel 2.14.18 with the ACL patches (using http://acl.bestbits.at/). I built Samba with --with-acl-support and --with-nis (--with-winbind is a default option). The Samba configuration file is below, as well as the pam.d/login and pam.d/system-auth files. The server is a member of the domain and [wbinfo -t] reports [security is good]. [getent passwd] and [getent group] enumerate the users and groups correctly.

Now the question: I can modify permissions through a Windows 2000 Security Interface if the group already has some sort of permissions assigned on the file/directory. I cannot add groups to an ACL through the Windows 2000 interface but must resort to adding them via setfacl on the Linux box. Any ideas? I cannot add groups because it only wants DOMAIN\GROUP and the current permissions show up as FILE-SERVER\GROUP. The Winbind groups do not show up at all in the Windows security interface but do in getfacl on the Linux box.

Thanks in advance for your help.
Cheers,
-Bill

smb.conf:
---------------------------------------------------------
# Samba config file
# Date: 2002/03/19
# Global parameters
[global]
	workgroup = ZODIAC
	netbios name = fs1-test
	server string = Test File Server
	security = DOMAIN
	encrypt passwords = Yes
	password server = *
	preferred master = False
	local master = No
	domain master = False
	wins server = 172.16.1.12 172.16.2.12
	large readwrite = yes
	winbind uid = 20000-29999
	winbind gid = 2000-2999
	# winbind separator = +
	winbind enum users = yes
	winbind enum groups = yes
	template shell = /bin/bash

[test]
	comment = Test File Share
	path = /export/test
	read only = No
	inherit permissions = yes
---------------------------------------------------------

pam.d/login:
---------------------------------------------------------
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       sufficient   /lib/security/pam_winbind.so use_first_pass
auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
#auth      sufficient   /lib/security/pam_unix.so use_first_pass
#account   sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
---------------------------------------------------------

pam.d/system-auth:
---------------------------------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_winbind.so use_first_pass
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3 type=
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
password   sufficient   /lib/security/pam_winbind.so use_authtok
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_winbind.so
---------------------------------------------------------

----
Bill Town
Kontiki, Inc.
Voice: 650.625.3065
Fax: 650.623.0142
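Added example, not part of Bill's post or of Samba itself: a POSIX shell check that the "winbind uid" and "winbind gid" ranges from the smb.conf above are free of locally allocated ids. POSIX ACL entries store numeric ids, so a winbind-mapped gid that collides with a local group makes getfacl and the Windows security dialog resolve the entry to the wrong name; the passwd/group lines and the function names below are constructed for the example.

```shell
#!/bin/sh
# Constructed sample data standing in for /etc/passwd and /etc/group.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
btown:x:500:500:Bill Town:/home/btown:/bin/bash
svc:x:20010:20010:service account:/var/lib/svc:/sbin/nologin'

SAMPLE_GROUP='root:x:0:
users:x:100:
projects:x:2010:btown'

# id_overlaps RANGE DATA: print every name:id in DATA (passwd/group
# format) whose numeric id, the third field, falls inside RANGE written
# as "low-high", exactly as smb.conf spells winbind uid / winbind gid.
id_overlaps() {
    low=${1%-*}
    high=${1#*-}
    printf '%s\n' "$2" | awk -F: -v lo="$low" -v hi="$high" \
        '$3+0 >= lo && $3+0 <= hi { print $1 ":" $3 }'
}

# check_range RANGE DATA: return 0 when RANGE is unused in DATA,
# 1 (with the colliding entries on stderr) when it is not.
check_range() {
    found=$(id_overlaps "$1" "$2")
    [ -z "$found" ] && return 0
    echo "collision in range $1: $found" >&2
    return 1
}

# Ranges copied from the smb.conf in the post.
check_range "20000-29999" "$SAMPLE_PASSWD" || echo "uid range not clean"
check_range "2000-2999"   "$SAMPLE_GROUP"  || echo "gid range not clean"
```

On a real host, feed `getent passwd` / `getent group` output with winbind disabled in nsswitch so only local and NIS ids are compared.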