Laurent Blume
2005-Jan-13 15:45 UTC
[Samba] Mapping Windows groups to Unix ones on Samba 2.2
Hi all,

Now that I've got Samba 2.2.12 running correctly on that HP-UX box, I need to allow write access to a given AD domain group.

What is the right way to do it on Samba 2.2?
I added a group.map file in smb.conf, and a line inside that said:
unixgroup = "AD Domain Group"

Then in smb.conf, I put in [global]:
groupname map = /etc/opt/samba/group.map

And in the correct share, I put the following:
valid users = @unixgroup
read list = @unixgroup
write list = @unixgroup

I did not restart Samba, but from what I understand, the config file was automatically reloaded. SWAT did display the new values.

The users' logins were already mapped in the user.map file, and that works fine.

However, after doing that, the persons in the AD group still had no access.

Putting the unix users directly in the unix group does work, but of course, is a much less clean solution.

Any hint or pointer to documentation? I was only able to find some for the 3.0 version, which is quite different for that :-/

TIA!

Laurent
eric roseme
2005-Jan-13 18:22 UTC
[Samba] Mapping Windows groups to Unix ones on Samba 2.2
Is this Samba Opensource 2.2.12 or HP CIFS Server 2.2.12 (A.01.11.03)?

"groupname map" is not a real Samba feature, I believe. See Jerry's response at:
http://marc.theaimsgroup.com/?l=samba&m=104302387220719&w=2

HP CIFS Server at 2.2 was not enabled for winbind, thus there is no way to do what you want. If you go to HP CIFS Server A.02.01 (3.0.7 and 3.0.8) you get winbind and "net groupmap" - not the same syntax as below but you can map AD groups.

Eric Roseme
Hewlett-Packard

Laurent Blume wrote:
> Hi all,
>
> Now that I've got Samba 2.2.12 running correctly on that HP-UX box, I
> need to allow write access to a given AD domain group.
>
> What is the right way to do it on Samba 2.2?
> I added a group.map file in smb.conf, and a line inside that said:
> unixgroup = "AD Domain Group"
>
> Then in smb.conf, I put in [global]:
> groupname map = /etc/opt/samba/group.map
>
> And in the correct share, I put the following:
> valid users = @unixgroup
> read list = @unixgroup
> write list = @unixgroup
>
> I did not restart Samba, but from what I understand, the config file was
> automatically reloaded. SWAT did display the new values.
>
> The users' logins were already mapped in the user.map file, and that
> works fine.
>
> However, after doing that, the persons in the AD group still had no access.
>
> Putting the unix users directly in the unix group does work, but of
> course, is a much less clean solution.
>
> Any hint or pointer to documentation? I was only able to find some for
> the 3.0 version, which is quite different for that :-/
>
> TIA!
>
> Laurent
Dr. Matthias Schlett (987)
2005-Jan-13 20:18 UTC
[Samba] Mapping Windows groups to Unix ones on Samba 2.2
In my opinion the net groupmap doesn't help you. After applying it to all my existing unix groups the right windows group names are shown, but the group membership is checked against the unix groups. Putting a user into a windows group is not enough, you also have to put it into the corresponding unix group.

For several days I have been trying to understand how the mapping of users and groups between unix and windows works. The more I'm reading the more confusing it is.

We have:
- username map
- net groupmap
- idmap for uid and gid
- wbinfo to show or manipulate mappings

Who can explain the differences?

Regards
M.Schlett