Rowland penny
2019-Jun-18 08:22 UTC
[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 17/06/2019 22:12, Rowland penny via samba wrote:
> As far as I am aware, very little. One thing I am now aware of is GPO
> for Unix, there is also the caching of sudo rules from AD, but sudo
> now has a command to create sudo rules from ldap and I am sure that
> this could be scripted around to cache them instead. The one thing I
> am unsure about is the one real thing you mention, security groups,
> and this is only because I have never tried it, I do feel that you
> should be able to do this with winbindd, if only because sssd can do
> it and they use a version of part of the winbindd code. I will do some
> testing and get back to you ;-)

OK, I created a new share and two new unix groups and set ownership to 'root' and one of the new groups. I added the second group to the first group as a member (and its only member) and then added a user to the second group.

Logged into win7 as the user, opened Windows Explorer -> Network and navigated to the share and created a new txt document, which worked. So, yes, it looks like nested groups work with winbindd.

Rowland
Goetz, Patrick G
2019-Jun-18 11:47 UTC
[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 6/18/19 3:22 AM, Rowland penny via samba wrote:
>
> OK, I created a new share and two new unix groups and set ownership to
> 'root' and one of the new groups. I added the second group to the first
> group as a member (and its only member) and then added a user to the
> second group.
>
> Logged into win7 as the user, opened Windows Explorer -> Network and
> navigated to the share and created a new txt document, which worked. So,
> yes, it looks like nested groups work with winbindd.
>

Where did you create the unix groups?
Rowland penny
2019-Jun-18 11:59 UTC
[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 18/06/2019 12:47, Goetz, Patrick G via samba wrote:
> On 6/18/19 3:22 AM, Rowland penny via samba wrote:
>> OK, I created a new share and two new unix groups and set ownership to
>> 'root' and one of the new groups. I added the second group to the first
>> group as a member (and its only member) and then added a user to the
>> second group.
>>
>> Logged into win7 as the user, opened Windows Explorer -> Network and
>> navigated to the share and created a new txt document, which worked. So,
>> yes, it looks like nested groups work with winbindd.
>>
> Where did you create the unix groups?
>

I would have thought that was obvious due to the fact that you cannot add a group to a group on Unix ;-)

But anyway, I created them in AD using samba-tool:

samba-tool group add nesttestA --nis-domain=samdom --gid-number=10015

However, it wasn't until after I posted that I realised I have been using nested groups for years. I use a Unix group called 'Unix Admins', which is a member of 'Domain Admins'. I do this so I do not have to give 'Domain Admins' a gidNumber; 'Unix Admins' inherits all of 'Domain Admins' permissions.

Rowland
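The resolution step the thread is testing (a user in group B, B a member of group A, so the user effectively belongs to A) shown as an added Python example; this is not code from the Samba thread or the Samba project. The directory below is constructed for illustration: the group names nesttestA, 'Unix Admins' and 'Domain Admins' and the gidNumber 10015 come from the posts, while the other gidNumbers, the user names and the deliberate loopX/loopY cycle are invented. The resolver walks nested membership breadth-first with a cycle guard and reports which of a user's effective groups carry a gidNumber, i.e. which of them have a Unix identity at all.

```python
"""Resolve nested AD group membership the way a Unix-side consumer such as
winbindd has to see it: a direct member of group B, where B is itself a
member of group A, is an effective member of A as well.

Added example with a constructed in-memory directory; not data or code from
the Samba list thread.
"""
from collections import deque

# Constructed directory: group name -> (set of direct members, gidNumber or None).
# nesttestA/10015 and the 'Unix Admins' -> 'Domain Admins' nesting follow the
# thread; everything else here is invented for the example.
GROUPS = {
    "nesttestA":     ({"nesttestB"}, 10015),
    "nesttestB":     ({"alice"}, 10016),
    "Domain Admins": ({"Unix Admins"}, None),   # deliberately no gidNumber
    "Unix Admins":   ({"rowland"}, 10001),
    "loopX":         ({"loopY"}, 10100),        # membership cycle, to exercise the guard
    "loopY":         ({"loopX", "carol"}, 10101),
}


def direct_groups(principal: str, groups=GROUPS) -> set[str]:
    """Groups that list `principal` (a user or another group) as a direct member."""
    return {name for name, (members, _gid) in groups.items() if principal in members}


def effective_groups(user: str, groups=GROUPS) -> set[str]:
    """Transitive closure of group membership for `user`.

    Breadth-first walk over memberOf edges. The `seen` set is what stops a
    membership cycle (which AD does not prevent) from looping forever.
    """
    seen: set[str] = set()
    queue = deque(direct_groups(user, groups))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(direct_groups(group, groups))
    return seen


def unix_visible_groups(user: str, groups=GROUPS) -> dict[str, int]:
    """The effective groups that carry a gidNumber.

    Only these can appear as Unix groups (e.g. in `getent group` output); a
    group without a gidNumber, like 'Domain Admins' above, is still on the
    membership path but has no Unix group identity of its own.
    """
    return {
        name: groups[name][1]
        for name in effective_groups(user, groups)
        if groups[name][1] is not None
    }


if __name__ == "__main__":
    for user in ("alice", "rowland", "carol"):
        print(user, "->", sorted(effective_groups(user)),
              "| unix-visible:", unix_visible_groups(user))
```

Running it shows 'alice' ending up in both nesttestB and nesttestA, 'rowland' picking up 'Domain Admins' through 'Unix Admins' while only 'Unix Admins' is Unix-visible, and 'carol' resolving cleanly despite the loopX/loopY cycle.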