samba - Jan 2005 - Mapping Windows groups to Unix ones on Samba 2.2

Hi all,

Now that I've got Samba 2.2.12 running correctly on that HP-UX box, I 
need to allow write access to a given AD domain group.

What is the right way to do it on Samba 2.2?
I added a group.map file in smb.conf, and a line inside that said:
unixgroup = "AD Domain Group"

Then in smb.conf, I put in [global]:
         groupname map = /etc/opt/samba/group.map

And in the correct share, I put the following:
         valid users = @unixgroup
         read list = @unixgroup
         write list = @unixgroup

I did not restart Samba, but from what I understand, the config file was 
automatically reloaded. SWAT did display the new values.

The users' login were already mapped in the user.map file, and that 
works fine.

However, after doing that, the persons in the AD group still had no access.

Putting the unix users directly in the unix group does work, but of 
course, is a much less clean solution.

Any hint or pointer to documentation? I was only able to find some for 
the 3.0 version, which is quite different for that :-/

TIA!

Laurent

Is this Samba Opensource 2.2.12 or HP CIFS Server 2.2.12 (A.01.11.03)?

"groupname map" is not a real Samba feature, I believe.  See
Jerry's
response at:
> http://marc.theaimsgroup.com/?l=samba&m=104302387220719&w=2
HP CIFS Server at 2.2 was not enabled for winbind, thus there is no way 
to do what you want.  If you go to HP CIFS Server A.02.01 (3.0.7 and 
3.0.8) you get winbind and "net groupmap" - not the same syntax as
below
but you can map AD groups.

Eric Roseme
Hewlett-Packard

Laurent Blume wrote:
> Hi all,
> 
> Now that I've got Samba 2.2.12 running correctly on that HP-UX box, I 
> need to allow write access to a given AD domain group.
> 
> What is the right way to do it on Samba 2.2?
> I added a group.map file in smb.conf, and a line inside that said:
> unixgroup = "AD Domain Group"
> 
> Then in smb.conf, I put in [global]:
>         groupname map = /etc/opt/samba/group.map
> 
> And in the correct share, I put the following:
>         valid users = @unixgroup
>         read list = @unixgroup
>         write list = @unixgroup
> 
> I did not restart Samba, but from what I understand, the config file was 
> automatically reloaded. SWAT did display the new values.
> 
> The users' login were already mapped in the user.map file, and that 
> works fine.
> 
> However, after doing that, the persons in the AD group still had no access.
> 
> Putting the unix users directly in the unix group does work, but of 
> course, is a much less clean solution.
> 
> Any hint or pointer to documentation? I was only able to find some for 
> the 3.0 version, which is quite different for that :-/
> 
> TIA!
> 
> Laurent
> 
>

In my opinion the net groupmap doesn't help you.
After applying it to all my existing unix groups the right windows group names
are shown, but the groupmembership is checked against the unix groups.
Putting a user into a windows group is not enough, you have to put it also
into the corresponding unix group.
Several days I try to understand, how the mapping of users and groups between
unix and
windows works. The more I'm reading the more confusing it is.
We have :
- username map
- net groupmap
- idmap for uid  and  gid
- wbinfo to show or manipulate mappings

Who can explain the differences ?

Regards
M.Schlett