[plug] Samba group awareness

Adam Ashley adam_ashley at softhome.net
Thu Mar 25 21:59:05 WST 2004


What you need to do is set up the UNIX group to Windows group mappings.
Samba 2 automatically passed them through; however, in Samba 3 you need to
map them properly to Windows Samba SIDs and group names. This means you
can properly define the domain administrators and domain users groups
and all that stuff.

What you want is the net groupmap and net group commands. Also check out
Chapter 12, Group Mapping: MS Windows and UNIX.

We've been running Samba 3 against LDAP for auth with everything you
described for about 4 or 5 months now. Works well.

Adam Ashley

On Thu, 2004-03-25 at 12:21 +0800, Ryan wrote:

> Howdy PLUG,
> 
> Some of you may have caught on that I'm testing out Samba in my
> minuscule amounts of spare time at work with the view of replacing our
> NT file servers.  I plan to document what I discover eventually, however
> this generally hinges on the fact that I actually make some discoveries
> :)
> 
> If you can't be bothered reading all this, please don't, but I know at
> least one other person on the list doing *exactly* this and several
> others who are vaguely interested in it .. hence the post.
> 
> I've now got Samba 3.0x running as a PDC with POSIX ACLs and extended
> attributes.  I've got domain login scripts and roaming profiles all
> working fine.  The permissions side is going okay, but I'm having some
> grief with groups.
> 
> Everything below is written from the perspective that I am trying to
> replicate as much Windows client permissions management as possible.  By
> this I mean that if I am logged in with a domain administrator account
> on any client on a pure Windows network, I can perform a large degree of
> permissions management from that client on the file shares.  I can
> add/remove user/group permissions on files/directories etc. as if I was
> doing it on the box holding the shares.   This is to assist in letting
> 'complete morons' do some of the admin of file permissions without
> letting them run riot on the Linux box.
> 
> Extending this idea to the Samba network, I'd like to be able to have
> the same level of control from a Windows client over the Samba shares. 
> Currently the only way to really do what I want is from the console with
> setfacl.  I can happily assign all the permissions I want from there and
> they show up in the Properties Security tab on the file/directory on
> Windows clients.   The problem is that groups don't seem to translate
> beyond the Linux box.  For example, the groups permissions (which can be
> as extensive as you want with ACLs) set with setfacl on the console show
> up correctly on the Windows clients' security tabs, but they can't
> really be managed from there.  If I wanted to add another group to the
> file permissions, the list of accounts I have to choose from contains no
> groups, just normal users and the Windows built-in accounts.
> 
> With a pure Windows network and PDC, the list of groups appears in the
> account selection on any Windows client, so they can effectively do all
> the permissions management necessary.
> 
> Is there any way anyone knows to get the Linux groups to appear as group
> accounts on the Windows clients, or is the 'cost' of such a Samba setup
> the need to admin this kind of stuff from the console?
> 
> Mildly irrelevant banter about ACLs for those interested:
> --------------------------------------------------------
> Another note as Tony pointed out with ACLs is that only the owner of a
> file can modify them.   Despite the fact that Samba lets you define
> administrator accounts, it still can't overcome this.  Luckily, those
> accounts defined as administrator accounts, can take ownership of said
> files and then adjust the permissions.  You can't then give the
> ownership of the file back to the original owner, but neither can a pure
> Windows network.
> 
> Please challenge all my conclusions, I hope I'm wrong with a lot of them :)
> 
> Thanks,
> 
> Ryan
> 
> _______________________________________________
> PLUG discussion list: plug at plug.linux.org.au
> http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au
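An added example (not code from Adam's reply or from the Samba project) of the group-mapping step described above: a small POSIX shell helper that drives `net groupmap add` for the well-known domain RIDs (512 Domain Admins, 513 Domain Users, 514 Domain Guests) and checks `net groupmap list` output for groups that are still unmapped. The UNIX group names domadmins/domusers/domguests and the domain SID in the sample listing are assumptions.

```shell
#!/bin/sh
# Constructed sample of "net groupmap list" output (domain SID is a placeholder):
# one line per mapping, shaped "NT name (SID) -> unixgroup". Domain Guests (514)
# is deliberately left out so the check below has something to report.
SAMPLE_LIST='Domain Admins (S-1-5-21-1111-2222-3333-512) -> domadmins
Domain Users (S-1-5-21-1111-2222-3333-513) -> domusers'

# rid_of_mapping LISTING UNIXGROUP: print the RID (last SID component) the
# UNIX group is mapped to; print nothing if the group has no mapping.
rid_of_mapping() {
    printf '%s\n' "$1" | awk -v g="$2" '
        $NF == g {
            sid = $(NF-2); gsub(/[()]/, "", sid)     # strip the parentheses
            n = split(sid, p, "-"); print p[n]; exit # RID is the last component
        }'
}

# missing_wellknown LISTING: print each well-known RID that has no mapping.
# Empty output means Domain Admins/Users/Guests are all mapped, which is what
# the Windows account picker needs to show them as domain groups.
missing_wellknown() {
    for rid in 512 513 514; do
        printf '%s\n' "$1" | grep -q -- "-$rid) ->" || echo "$rid"
    done
}

# map_group RID NTGROUP UNIXGROUP: refuse to map a UNIX group that does not
# exist (getent also covers LDAP-backed groups), otherwise run net groupmap
# add as a domain-type mapping. DRY_RUN=1 prints the command instead.
map_group() {
    getent group "$3" >/dev/null 2>&1 || { echo "no such unix group: $3" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "net groupmap add rid=$1 ntgroup=\"$2\" unixgroup=$3 type=d"
    else
        net groupmap add rid="$1" ntgroup="$2" unixgroup="$3" type=d
    fi
}

# Usage on a real PDC: map the three groups, then verify against the live listing.
#   DRY_RUN=1 map_group 512 "Domain Admins" domadmins
#   missing_wellknown "$(net groupmap list)"
missing_wellknown "$SAMPLE_LIST"   # prints 514
```

Run the check against `$(net groupmap list)` on the PDC; any RID it prints is a well-known group that will not appear as a domain group on the Windows clients until it is mapped.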