This is a discussion on [Samba] Group membership confusion, UNIX, nested, and AD within the Samba forums, part of the Networking and Network Related category.
Still hoping that someone can help clear this up.

Greetings,

I've been reading and re-reading "Chapter 12. Group Mapping: MS Windows and UNIX", mailing list messages with the subjects "valid users = +group doesn't work" and "Unix ADS group membership or vice versa", and all I've gotten is more confused.

I have to move my Samba servers from a Samba PDC environment to Active Directory (AD), where they will be member servers. I will NOT be able to make ANY changes to the AD configuration: it is dictated and controlled by those "on high." I cannot add any groups to AD. I can only manipulate the membership of the UNIX groups on my servers.

I already have a test Samba server (3.0.28a) as a member of AD.

What I want is to be able to control access to "shares" using lines like "valid user +www" in smb.conf as I have in the past. The groups I want to use are the UNIX groups on the AD member Samba server. I have added AD users as members of the UNIX groups in /etc/group.

It looks like Samba AD member servers will NOT look at local UNIX groups to check and see if an AD account is a member of the UNIX group. I do not want to have to map each and every AD user to a corresponding local user; I thought accessing AD would cut down on the account management workload, not increase it.

I fail to see where winbind's nested groups will help me solve this problem; as presented in the docs it seems to solve an MS Windows issue that I do not have. Perhaps I still do not understand what the nested group is supposed to provide.

Since I have no administrative access to the AD server, how am I to create nested groups? The example shows:

    net rpc group add demo -L -Uroot%not24get

So it seems I would need some kind of administrative account to even create the nested group. If not an AD account, I do not recall setting up an smbpassword for root as I did in the past on my Samba PDC. I am not a member of "Domain Administrators" in our AD setup, but that is a whole different set of questions.

How would I make such a nested group the group owner for files/directories? Or would I then use the nested group in the "valid user" line of smb.conf? Use groupmap to associate it with a UNIX group? See, confusion.

At this moment it seems my worst case/quick fix calls for long "valid user" lines listing the AD accounts that I wish to have access to certain shares, which kinda' defeats the reason to have groups. Why would Samba be written to ignore the group memberships?

Thanks in advance to anyone that can help clear up my confusion about groups!

-Bob Martel

-- 
***********************************************************************
Bob Martel, System Administrator      I met someone who looks a lot like you
Levin College of Urban Affairs        She does the things you do
Cleveland State University            But she is an IBM
(216) 687-2214  r.martel@csuohio.edu                          -Jeff Lynne
***********************************************************************

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
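One thing worth checking before concluding that Samba ignores /etc/group: a "+www" entry in valid users is resolved through NSS (getgrnam) and compared against the groups the connecting user's UNIX name resolves to, and for an AD account that UNIX name is whatever winbind presents, normally DOMAIN<winbind separator>user (backslash by default) unless "winbind use default domain = yes" is set. A member line in /etc/group that says "bob" when winbind calls the user "CSU\bob" simply does not match. The script below is an added example, not code from the thread or from the Samba project; the domain EXAMPLE, the separator values and the sample group file are constructed placeholders. It parses /etc/group-format text and reports whether any of the name forms winbind could use for a user is actually a member of the group.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether an AD account is listed
# in a local UNIX group under the name form winbind hands to Samba, which is
# what a "valid users = +group" lookup ends up comparing against.
# Hypothetical values: domain EXAMPLE, separator '\' (the smb.conf default).

# Constructed sample in /etc/group format (not a real file from the thread):
# alice is listed domain-qualified with '\', carol with '+', bob bare.
SAMPLE_GROUPS='www:x:1001:bob,EXAMPLE\alice
staff:x:1002:EXAMPLE+carol,dave
empty:x:1003:'

# group_members GROUP [CONTENT]
# Prints GROUP's member list (4th field), one name per line. With no CONTENT
# the live NSS database is read via getent, so winbind-provided groups work.
group_members() {
    grp=$1
    if [ -n "$2" ]; then
        content=$2
    else
        content=$(getent group "$grp" 2>/dev/null || true)
    fi
    printf '%s\n' "$content" | awk -F: -v g="$grp" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# winbind_names DOMAIN USER SEP
# Prints the forms winbind can present USER as: DOMAIN<SEP>USER by default,
# or the bare name when "winbind use default domain = yes" is configured.
winbind_names() {
    printf '%s%s%s\n%s\n' "$1" "$3" "$2" "$2"
}

# user_in_group DOMAIN USER GROUP SEP [CONTENT]
# Prints the matching member entry and returns 0 if any winbind name form of
# USER is a member of GROUP; returns 1 (prints nothing) otherwise.
user_in_group() {
    members=$(group_members "$3" "$5")
    for name in $(winbind_names "$1" "$2" "$4"); do
        if printf '%s\n' "$members" | grep -Fxq -e "$name"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Demo against the constructed sample. alice matches because her /etc/group
# entry uses the same separator winbind does; carol only matches once the
# separator the script assumes is changed to '+'.
user_in_group EXAMPLE alice www '\' "$SAMPLE_GROUPS"
user_in_group EXAMPLE carol staff '\' "$SAMPLE_GROUPS" || echo "carol: no entry matches EXAMPLE\\carol or carol"
user_in_group EXAMPLE carol staff '+' "$SAMPLE_GROUPS"
```

On a real member server, leave the CONTENT argument off so the check goes through getent, and compare with what `id 'DOMAIN\user'` prints there: the groups in that output are the ones Samba will see for the login, so if www is missing from it the /etc/group member name does not match winbind's spelling of the account.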
Robert M. Martel - CSU wrote:
> Still hoping that someone can help clear this up.
> [...]

Hi Bob,

I recently did something similar; this page helped me the most of anything, I believe it was section 14.3:

> http://samba.dsmirror.nl/samba/docs/.../idmapper.html

However I think you will need an account with privileges to join machines to the domain. If the AD admins will not give you one, it is possible to create an account that is not a domain administrator but can add/remove objects from the domain; maybe they can create that type of account for you.

Also here are my notes from when I was setting up our fileserver, they may help:

> http://www.che.utah.edu/resources/su...tive_Directory
Brian Gregorcy wrote:
....
> Hi Bob,
>
> I recently did something similar, this page helped me the most of
> anything I believe it was section 14.3
>> http://samba.dsmirror.nl/samba/docs/.../idmapper.html

Thank you, I'll be taking a look at that next. I am just perplexed that Samba as an AD member server cannot check UNIX groups for membership while it can otherwise.

> However I think you will need an account with privileges to join
> machines to the domain, ...

I already have the machine in Active Directory and domain users can access shares on it; they gave me a "Domain Admin" account long enough to join AD, but not longer.

-- 
***********************************************************************
Bob Martel, System Administrator      I met someone who looks a lot like you
Levin College of Urban Affairs        She does the things you do
Cleveland State University            But she is an IBM
(216) 687-2214  r.martel@csuohio.edu                          -Jeff Lynne
***********************************************************************