Hey all,

I got a unique requirement of having AD groups map over to unix gids and existing perms of Unix-only groups being granted. Reading through the man pages it seems this can be accomplished via idmap_nss. So my config looks like:

    [global]
    workgroup = SKUNKTEST
    realm = SKUNKTEST.LOCAL
    security = ads
    preferred master = no
    encrypt passwords = yes
    log level = 5
    log file = /var/log/samba/%m
    max log size = 50
    server string = Samba RnD Server
    winbind enum groups = yes
    idmap backend = tdb
    idmap uid = 1000000-1999999
    idmap gid = 1000000-1999999
    idmap config SKUNKTEST: backend = nss
    idmap config SKUNKTEST: range = 1000000-1999999
    idmap config KRB: default = yes
    idmap config KRB: backend = tdb

    [foo]
    comment = A Shared Drive
    read only = no
    path = /samba/arwin

When I do a "getent group" my winbindd-idmap.tdb populates with groups from AD with gid mappings; of course winbind is running. When I access a share via Windows and go to the security tab it will look something like:

    Everyone
    arwin (Unix User\arwin)
    it_posix (Unix Group\it_posix)

My problem arises here. If someone other than myself who is in the it_posix group (LDAP) tries to access the file (perms are rwx for group), they get access denied. So then apparently I should be able to "net groupmap" like:

    net groupmap add ntgroup="testing" unixgroup=it_posix type=d

Which results in:

    [root at krb samba]# net groupmap list verbose
    testing
        SID : S-1-5-21-471262856-1245818307-3878391063-11805
        Unix gid : 5402
        Unix group: itr_posix
        Group type: Domain Group
        Comment : Domain Unix group

The gid that is reported by "Unix gid" is good. Now the security tab looks like:

    Everyone
    arwin (Unix User\arwin)
    testing (KRB\testing)

But people in that group still cannot access the file. It's only when I turn off winbind that they can access the file, but I want winbind running so ACLs can be distributed for the groups in winbindd-idmap.tdb.

Any help is appreciated.

Thanks,
Arwin
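A consistency check to go with the "net groupmap list verbose" output above. This is an added example, not the poster's code and not part of Samba: it parses constructed sample output (modelled on the post) together with constructed "getent group" lines and flags any mapping whose "Unix gid" and "Unix group" do not refer to the same NSS group, which is one thing worth ruling out when members of a mapped group still get access denied.

```python
# Constructed sample of `net groupmap list verbose` output, modelled on the
# post above; the values are not from a real system.
GROUPMAP_VERBOSE = """\
testing
    SID       : S-1-5-21-471262856-1245818307-3878391063-11805
    Unix gid  : 5402
    Unix group: itr_posix
    Group type: Domain Group
    Comment   : Domain Unix group
"""

# Constructed `getent group` lines; gids chosen so the two names differ.
GETENT_GROUP = """\
it_posix:x:5402:arwin
itr_posix:x:5403:
"""


def parse_groupmap(text):
    """Parse `net groupmap list verbose` into {ntgroup: {field: value}}."""
    mappings, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: the NT group name
            current = line.strip()
            mappings[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            mappings[current][key.strip()] = value.strip()
    return mappings


def parse_getent_group(text):
    """Parse group(5)-style lines into {name: gid}."""
    return {f[0]: int(f[2]) for f in (l.split(":") for l in text.splitlines()) if len(f) >= 3}


def check_mappings(groupmap_text, getent_text):
    """Return one message per mapping whose gid and group name disagree with NSS."""
    by_name = parse_getent_group(getent_text)
    by_gid = {gid: name for name, gid in by_name.items()}
    problems = []
    for nt, fields in parse_groupmap(groupmap_text).items():
        name, gid = fields.get("Unix group"), int(fields.get("Unix gid", -1))
        if name not in by_name:
            problems.append(f"{nt}: unix group {name!r} unknown to NSS")
        elif by_name[name] != gid:
            problems.append(f"{nt}: gid {gid} is NSS group {by_gid.get(gid)!r}, "
                            f"but the mapping names {name!r} (gid {by_name[name]})")
    return problems


if __name__ == "__main__":
    for problem in check_mappings(GROUPMAP_VERBOSE, GETENT_GROUP):
        print(problem)
```

On a live host, feed it the real output of the two commands instead of the constructed strings; an empty result means every mapping's name and gid agree with what NSS (and therefore the file's group bit) will see.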