Christian Rost
2006-Jan-03 18:58 UTC
[Samba] Domain-member and simple read and readwrite file-permissions based on group-membership
Hi,

I'm pretty confused about using Samba as a domain member and file server. Assume I have a couple of Windows users on my Active Directory server and there are mainly two groups defined in the AD: ReadOnlyGroup and WriteOnlyGroup. On my Samba server there is one share which should be used by both groups, and I want users in the WriteOnlyGroup to have permission to modify/delete all files/directories and the users in the ReadOnlyGroup to only read the files/directories. To keep it simple I don't want any other ACLs at all. I thought that this setup should be possible by using the read/write list, force group and mode features in smb.conf.

Now I have two options to connect to my PDC: either I use security = ADS or I use security = domain. For the first option, as far as I know, I need to use Kerberos. Because I'm forced to use AIX as the platform for the Samba server and there is no Kerberos support installed, I must use security = domain.

Running with security = domain, I think at first I'm now forced to replicate all Active Directory users to UNIX users on my Samba server to establish a mapping between NT <-> UNIX user IDs for the proper ownership of files on the share's filesystem.

Now my questions:

1) When I have done this, there is no need to use the "net groupmap" feature, because all users are mapped to UNIX users and these UNIX users belong to primary UNIX groups. The groupmap feature only makes sense if I run the winbindd daemon (on top of Kerberos) and there is no complete mapping of NT <-> UNIX users/groups. Is this correct?

2) Which kinds of arguments are possible for "read list" and "write list"? Is it correct that only UNIX users and UNIX groups are possible? Is there any way to use the ReadOnlyGroup and WriteOnlyGroup from the Active Directory? If only UNIX groups are possible, I also have to replicate the group memberships to the UNIX system. Is this correct? If this is correct, it is pretty painful because I have to administer two user databases now.

3) Is this simple setup only possible with ACLs on the filesystem and with running winbindd?

Thank you for answers
Christian
Adam Nielsen
2006-Jan-04 04:30 UTC
[Samba] Domain-member and simple read and readwrite file-permissions based on group-membership
> Running with security = domain I think at first I'm now forced to
> replicate all Active Directory users to UNIX users on my Samba server
> to establish a mapping between NT <-> UNIX user IDs for the proper
> ownership of files on the share's filesystem

You can use winbind to do this more or less automatically. It makes a bunch of UNIX users appear on your system of the form "DOMAIN\user".

> When I have done this, there is no need to use the "net groupmap"
> feature, because all users are mapped to UNIX users and these
> UNIX users belong to primary UNIX groups. The groupmap
> feature only makes sense if I run the winbindd daemon (on top of
> Kerberos) and there is no complete mapping of NT <-> UNIX users/groups.
> Is this correct?

That sounds correct. If you run winbind though, you have two options - either create a UNIX group holding all your NT accounts, or just use the NT groups.

> Which kinds of arguments are possible for "read list" and "write list"?
> Is it correct that only UNIX users and UNIX groups are possible?

Yes, technically only UNIX users and groups are possible, but winbind will make your NT accounts appear as UNIX users and groups. This means that once winbind is configured, you could put this in your smb.conf:

  [share]
    path = /some/share/path
    valid users = @DOMAIN\ReadOnlyGroup @DOMAIN\WriteOnlyGroup
    write list = @DOMAIN\WriteOnlyGroup

Or something similar. Probably not the best way of doing it, as Samba will then allow anyone in "WriteOnlyGroup" access to the share, but the underlying UNIX permissions may decide the user doesn't have write access anyway. In this case you'll also need to use the "force user" and/or "force group" option so that all filesystem operations are done as a user who definitely has access.

> If this is correct, it is pretty painful because I have to
> administer two user databases now.

You should definitely use winbind then, since that will mean you only have the one user database to look after.

Cheers,
Adam.
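The following is an added example of the complete configuration the two posts above describe, not a file from the original thread. It assumes a current Samba release (the "idmap config" syntax for winbind's uid/gid allocation), a placeholder domain name EXAMPLE, a share directory /srv/share, and the two AD groups named in the thread; names beginning with EXAMPLE\ are hypothetical. For the group names to resolve on the UNIX side, /etc/nsswitch.conf must list winbind for the passwd and group databases and the host must already be joined to the domain.

```ini
# Added example (not from the thread): Samba domain member exposing one
# share, read-only for EXAMPLE\ReadOnlyGroup and read/write for
# EXAMPLE\WriteOnlyGroup, with no per-file ACLs. EXAMPLE is a placeholder.
[global]
    workgroup = EXAMPLE
    security = domain
    # winbind allocates UNIX uids/gids for every AD user and group from
    # this range, so nothing has to be replicated into /etc/passwd
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    # keep the DOMAIN\name form so group names are unambiguous
    winbind use default domain = no
    # domain users get no interactive shell on the file server
    template shell = /bin/false

[share]
    path = /srv/share
    # only members of the two AD groups may connect to the share at all
    valid users = @EXAMPLE\ReadOnlyGroup @EXAMPLE\WriteOnlyGroup
    # everyone is read-only by default; "write list" overrides this
    # for the write group only
    read only = yes
    write list = @EXAMPLE\WriteOnlyGroup
    # every file operation runs with this UNIX group, so one chgrp on
    # /srv/share is the only filesystem permission that has to be set
    force group = EXAMPLE\WriteOnlyGroup
    create mask = 0660
    directory mask = 2770
```

On the filesystem side, `chgrp 'EXAMPLE\WriteOnlyGroup' /srv/share` followed by `chmod 2770 /srv/share` is all that is needed; `getent group 'EXAMPLE\WriteOnlyGroup'` confirms winbind resolves the group, and `testparm` validates the file. Note the trade-off Adam points out: because force group makes every session a member of the write group at the UNIX level, the read-only restriction on ReadOnlyGroup members is enforced by Samba's "read only"/"write list" check alone, not by UNIX permissions, so keep the directory mode at 2770 rather than opening it to others.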