Hello everybody,

I'm going to transfer a couple of Windows file/print servers to a large Linux machine running Samba. I'm currently using a test system to figure out what works and what does not. For the most part everything works fine. But I'm still left with a question I can't find an answer for.

For easy administration, I will not be in charge of the admin only setup, I would like to control access to the shares using domain groups. The PDC/BDC machines will still be Windows.

Am I correct that you can't enter a domain group in the valid users group? Only unix groups?

What is the easiest way to implement domain group based access control? Am I right in thinking that this has to be done using winbind? Winbind will make unix groups out of the Windows groups, which I can then use for the valid/invalid users fields?

And if I have to use winbind, is it already OK for use in larger environments?

I know, that's a lot of questions, but I really would like to use Samba, so I really appreciate your help.

Thanks,
Tim Verhoeven

--
Tim Verhoeven    Music Services - Michel Stoffels
GSM : 0496 / 693 453    + Deejayteam
Email : dj@sin.khk.be    + Sound & Light rentals
URL : www.sin.khk.be/~dj/    + P.A. services
Public PGP-Key at : http://www.sin.khk.be/~dj/publickey.txt
Member of Student Information Networking (www.sin.khk.be)

Brian Whitehead
2002-Apr-07 21:55 UTC
[Samba] Using Domain Groups for share access control
Yes, you can use domain groups by using winbind. There will probably be a few quirks to work out and the documentation is rather lacking, but it works well.

--
Brian

----- Original Message -----
From: "dj" <dj@walhalla.sin.khk.be>
To: <samba@lists.samba.org>
Sent: Sunday, April 07, 2002 4:47 PM
Subject: [Samba] Using Domain Groups for share access control

João Alexandre - Pluridata/LI
2002-Apr-08 03:00 UTC
[Samba] Using Domain Groups for share access control
Hi Tim,

This is a compilation from the help that I received from this great community.

If I understood it well, you want to see/use from the Unix machine the existing groups/users from the NT domain. This is done via Winbind, and the easiest way that I discovered (I didn't discover it, I had big help from a great bunch of guys) to implement this was to use the latest distro from Mandrake (8.2 - all 3 CDs, this one has the latest Samba stable release) and apply these steps:

1. Do a minimal install (select security = standard), select "ReiserFS XFS" for your partitions, unselect all the packages (ALL OF THEM).

2. It then asks you if you want to do a minimal install and if you don't want "urpmi" (you do want "urpmi", so choose the suggested option and do not choose the last one, as it won't install "urpmi").

3. After the installation has finished and the PC has rebooted, go to the console as "root" and install the following packages using this command (this command will check dependencies and ask you for whichever of the MDK 8.2 CDs it needs):

   "urpmi samba"
   "urpmi samba-client"
   "urpmi nss_wins"
   "urpmi samba-swat"
   "urpmi samba-doc"
   "urpmi samba-winbind" (I found that for winbind to start automatically after the system starts I had to write "chkconfig winbind on")
   "urpmi webmin" (if you want web-based administration; watch out when editing the smb.conf via webmin, it doesn't handle NT users/groups with special characters/spaces in the name very well)
   "urpmi ntlogon"
   "urpmi openssh-server" (I found this a good choice for having a secure remote console of the server using a utility like "PuTTY". Also I had to type some additional commands: "chkconfig --add sshd" (add sshd service) and "chkconfig sshd on" (start automatically))

Read the following documentation:

   http://us4.samba.org/samba/docs/man/smb.conf.5.html
   http://de.samba.org/samba/ftp/docs/htmldocs/winbind.html
   http://www.mandrakeuser.org/docs/connect/csamba5.html

Edit the "smb.conf" appropriately and revise "nsswitch.conf" (it should be OK), but above all read the above documentation to understand all of this.

After this (if this works OK for you) you'll have a nice clean Samba server that is a member of your existing NT domain.

Next, start by creating a directory (if you have winbind running and capturing data from the NT domain); you can give permissions by choosing a user/group from the NT domain. Next, define the share in the "smb.conf" and you're done.

After spending more than a week trying to make my Samba server belong to my NT domain using "winbind", I joined this mailing list and got all the help that I needed, so that after compiling this help it took me a couple of hours to set up my Samba server (I can even make a console logon using a user from the NT domain).

I haven't yet looked at/tried sharing a printer, but that should be easy.

Hope this helps,
Joao Alexandre

-----Original Message-----
From: dj [mailto:dj@walhalla.sin.khk.be]
Sent: Sunday, April 7, 2002 22:48
To: samba@lists.samba.org
Subject: [Samba] Using Domain Groups for share access control
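
Added example, not part of the thread or of Samba itself: a share restricted by winbind-mapped domain groups, plus a check that every group named in "valid users" / "invalid users" actually resolves on the server. The domain EXAMPLE, the group names, the path, the id ranges and the "+" separator are constructed placeholders, and the parser assumes comma-separated lists.

```shell
#!/bin/sh
# Constructed sample smb.conf: EXAMPLE, the group names, paths and id ranges
# are placeholders; parameter names are the Samba 2.2-era winbind ones.
sample_conf() {
cat <<'EOF'
[global]
   workgroup = EXAMPLE
   security = domain
   winbind separator = +
   winbind uid = 10000-20000
   winbind gid = 10000-20000

[finance]
   path = /srv/samba/finance
   valid users = @"EXAMPLE+Finance Staff", @EXAMPLE+Auditors
   invalid users = @EXAMPLE+Contractors
EOF
}

# Read smb.conf on stdin; print "share<TAB>parameter<TAB>group" for each
# @group in "valid users" / "invalid users" (comma-separated lists assumed).
list_acl_groups() {
    awk 'BEGIN { share = "(none)" }
    /^[ \t]*\[/ { share = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", share); next }
    tolower($0) ~ /^[ \t]*(in)?valid users[ \t]*=/ {
        p = tolower($0); sub(/[ \t]*=.*/, "", p); sub(/^[ \t]*/, "", p)
        v = $0; sub(/^[^=]*=[ \t]*/, "", v)
        n = split(v, items, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            g = items[i]; gsub(/"/, "", g); gsub(/^[ \t]+|[ \t]+$/, "", g)
            if (substr(g, 1, 1) == "@")
                printf "%s\t%s\t%s\n", share, p, substr(g, 2)
        }
    }'
}

# Default resolver: a winbind-mapped group must resolve through NSS.
getent_group() { getent group "$1"; }

# Filter list_acl_groups output down to entries whose group does not resolve.
# An unresolved "invalid users" group means that deny rule matches nobody.
unresolved_groups() {
    resolver=${1:-getent_group}
    while IFS="$(printf '\t')" read -r share param group; do
        "$resolver" "$group" >/dev/null 2>&1 ||
            printf '%s\t%s\t%s\n' "$share" "$param" "$group"
    done
}

sample_conf | list_acl_groups | unresolved_groups
```

On a real domain member, feed it the live file (`list_acl_groups < /etc/samba/smb.conf | unresolved_groups`); empty output means every group used for share access control is visible through winbind.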