Bingo Tuk
2015-Apr-16 08:57 UTC
[Samba] Group Mapping: All Users from a Domain group should be able to write to a local group
Hello mailing list,

I have created a local user "localuser" who is in the local group "localgroup":

$ id
uid=1001(localuser) gid=1001(localgroup) groups=1001(localgroup)

My machine authenticates against Active Directory - works.

The AD user "aduser" belongs to a domain group "adgroup":

$ id
uid=6161(aduser) gid=5513(domänen-benutzer) groups=5513(domänen-benutzer),10656(adgroup)

I have mapped the local group and the adgroup with the command

net groupmap add ntgroup="adgroup" unixgroup=localgroup rid=10656 type=d

That works as well:

# net groupmap list
adgroup (S-1-5-21-000098831-0000488756-4286701815-10656) -> localgroup

Anyway, the user "aduser" can't write a file with the group "localgroup".

What am I missing? Any hints?

Thank you very much
Rowland Penny
2015-Apr-16 09:53 UTC
[Samba] Group Mapping: All Users from a Domain group should be able to write to a local group
On 16/04/15 09:57, Bingo Tuk wrote:
> Hello mailing list,
>
> I have created a local user "localuser" who is in the local group "localgroup":
>
> $ id
> uid=1001(localuser) gid=1001(localgroup) groups=1001(localgroup)
>
> My machine authenticates against Active Directory - works.
>
> The AD user "aduser" belongs to a domain group "adgroup":
>
> $ id
> uid=6161(aduser) gid=5513(domänen-benutzer) groups=5513(domänen-benutzer),10656(adgroup)
>
> I have mapped the local group and the adgroup with the command
> net groupmap add ntgroup="adgroup" unixgroup=localgroup rid=10656 type=d
>
> That works as well:
> # net groupmap list
> adgroup (S-1-5-21-000098831-0000488756-4286701815-10656) -> localgroup
>
> Anyway, the user "aduser" can't write a file with the group "localgroup".
>
> What am I missing? Any hints?
>
> Thank you very much

You are missing the fact that you don't map groups any more with AD; that is an NT4-style PDC thing. Just give the AD group a gidNumber and use the winbind 'ad' backend, or use the 'rid' winbind backend, in which case you do not need to do anything.

Rowland
Bingo Tuk
2015-Apr-16 11:37 UTC
[Samba] Group Mapping: All Users from a Domain group should be able to write to a local group
Thank you very much. Our problem is solved now. I've changed the local GID and now everything is fine.

$ id
uid=1001(localuser) gid=10656(localgroup) groups=10656(localgroup)

$ id
uid=6161(aduser) gid=5513(domänen-benutzer) groups=5513(domänen-benutzer),10656(adgroup)

Have a nice day.

On Thu, Apr 16, 2015 at 11:53 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 16/04/15 09:57, Bingo Tuk wrote:
>> Hello mailing list,
>>
>> I have created a local user "localuser" who is in the local group "localgroup":
>>
>> $ id
>> uid=1001(localuser) gid=1001(localgroup) groups=1001(localgroup)
>>
>> My machine authenticates against Active Directory - works.
>>
>> The AD user "aduser" belongs to a domain group "adgroup":
>>
>> $ id
>> uid=6161(aduser) gid=5513(domänen-benutzer) groups=5513(domänen-benutzer),10656(adgroup)
>>
>> I have mapped the local group and the adgroup with the command
>> net groupmap add ntgroup="adgroup" unixgroup=localgroup rid=10656 type=d
>>
>> That works as well:
>> # net groupmap list
>> adgroup (S-1-5-21-000098831-0000488756-4286701815-10656) -> localgroup
>>
>> Anyway, the user "aduser" can't write a file with the group "localgroup".
>>
>> What am I missing? Any hints?
>>
>> Thank you very much
>
> You are missing the fact that you don't map groups any more with AD; that is an NT4-style PDC thing. Just give the AD group a gidNumber and use the winbind 'ad' backend, or use the 'rid' winbind backend, in which case you do not need to do anything.
>
> Rowland