Hi Jerry,

>> I guess my question now boils down to the following: when I access a
>> share as domain user DOMAIN\lz, is there a way to apply "valid users"
>> check based on the Unix group membership of the Unix user "lz". From
>> what you are saying I am getting the impression that the answer is no;
>> is this really so?

> If you set up a "username map" and define "lz = DOMAIN\lz", then
> when you login as DOMAIN\lz you should only be assigned the
> groups belonging to the local user "lz". But you will not
> get the domain user's group membership.

This doesn't seem to work. The log shows:

[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_nt_user_token(454)
NT user token of user S-1-5-21-3395643079-1670520419-2869919353-501
contains 4 SIDs
SID[ 0]: S-1-5-21-3395643079-1670520419-2869919353-501
SID[ 1]: S-1-1-0
SID[ 2]: S-1-5-2
SID[ 3]: S-1-5-32-546
SE_PRIV 0x0 0x0 0x0 0x0
[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 99
Primary group is 99 and contains 0 supplementary groups

The SID and uid 99 correspond to user nobody. BTW, I am using idmap backend
= nss.

Actually, even if this works, it would be inconvenient to map every user
that needs to access the share.

I hoped Samba would treat local Unix groups similarly to how Windows treats
local groups. I wouldn't mind if a Unix group needed some "blessing" before
Samba uses it (i.e. a SID is somehow created for it). Is it not possible?


> cheers, jerry
> - --
> ================================================== ===================
> Samba ------- http://www.samba.org
> Likewise Software --------- http://www.likewisesoftware.com
> "What man is a man who does not make the world better?" --Balian

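A triage helper for the level-5 token dumps quoted in the message above, added here as an example (it is not part of the original thread or of Samba). It pairs each NT token with the UNIX token that follows it and flags sessions carrying the well-known Guest RID (501) or BUILTIN\Guests (S-1-5-32-546), which is the pattern the poster identifies as user nobody. The function names and the dict layout are assumptions of this example.

```python
import re
# Log excerpt taken from the message above (Samba debug level 5).
SAMPLE_LOG = """\
[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_nt_user_token(454)
NT user token of user S-1-5-21-3395643079-1670520419-2869919353-501
contains 4 SIDs
SID[ 0]: S-1-5-21-3395643079-1670520419-2869919353-501
SID[ 1]: S-1-1-0
SID[ 2]: S-1-5-2
SID[ 3]: S-1-5-32-546
SE_PRIV 0x0 0x0 0x0 0x0
[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 99
Primary group is 99 and contains 0 supplementary groups
"""
HEADER = re.compile(r"^\[([^,\]]+),\s*\d+\]\s+\S+:(\w+)\(\d+\)")
NT_USER = re.compile(r"^NT user token of user (S-[\d-]+)")
SID = re.compile(r"^SID\[\s*\d+\]:\s*(S-[\d-]+)")
UNIX_USER = re.compile(r"^UNIX token of user (\d+)")
UNIX_GRP = re.compile(r"^Primary group is (\d+) and contains (\d+) supplementary")

def parse_tokens(text):
    """Pair each NT token dump with the UNIX token dump that follows it."""
    sessions, cur, func = [], None, None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            func = m.group(2)
            if func == "debug_nt_user_token":  # a new token pair starts here
                cur = dict(ts=m.group(1), user_sid=None, sids=[], uid=None, gid=None, supp=None)
                sessions.append(cur)
        elif func == "debug_nt_user_token":
            if m := NT_USER.match(line):
                cur["user_sid"] = m.group(1)
            elif m := SID.match(line):
                cur["sids"].append(m.group(1))
        elif cur and func == "debug_unix_user_token":
            if m := UNIX_USER.match(line):
                cur["uid"] = int(m.group(1))
            elif m := UNIX_GRP.match(line):
                cur["gid"], cur["supp"] = map(int, m.groups())
    return sessions

def guest_indicators(s):
    """Reasons a parsed session looks like it fell back to the guest account."""
    sid, hits = s["user_sid"] or "", []
    if sid.startswith("S-1-5-21-") and sid.endswith("-501"):
        hits.append("user SID has RID 501 (Guest)")
    if "S-1-5-32-546" in s["sids"]:
        hits.append("token contains BUILTIN\\Guests (S-1-5-32-546)")
    return hits
```

Run `parse_tokens()` over a log.smbd captured at log level 5 or higher and report every session for which `guest_indicators()` returns a non-empty list, together with its `uid` and `supp` values.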