[Samba] Group membership confusion, UNIX, nested, and AD - Samba


Thread: [Samba] Group membership confusion, UNIX, nested, and AD

  1. [Samba] Group membership confusion, UNIX, nested, and AD

    Still hoping that someone can help clear this up.


    Greetings,

    I've been reading and re-reading "Chapter 12. Group Mapping: MS Windows
    and UNIX", Mailing list messages with the subjects "valid users = +group
    doesn't work" and "Unix ADS group membership or vice versa" and all I've
    gotten is more confused.

    I have to move my samba servers from a Samba PDC environment to Active
    Directory (AD) where they will be member servers. I will NOT be able to
    make ANY changes to the AD configuration: it is dictated and controlled
    by those "on high." I cannot add any groups to AD. I can only
    manipulate the membership of the UNIX groups on my servers.

    I already have a test samba server (3.0.28a) as a member of AD.

    What I want is to be able to control access to "shares" using lines like
    "valid user +www" in smb.conf as I have in the past. The groups I want
    to use are the UNIX groups on the AD member samba server. I have added
    AD users as members of the UNIX groups in /etc/group

    It looks like Samba AD member servers will NOT look at local UNIX groups
    to check and see if an AD account is a member of the UNIX group. I do
    not want to have to map each and every AD user to a corresponding local
    user - I thought accessing AD would cut down on the account management
    workload, not increase it.

    I fail to see where winbind's nested groups will help me solve this
    problem - as presented in the docs it seems to solve an MS Windows issue
    that I do not have. Perhaps I still do not understand what the
    nested group is supposed to provide.

    Since I have no administrative access to the AD server, how am I to
    create nested groups? The example shows:

    net rpc group add demo -L -Uroot%not24get

    So it seems I would need some kind of administrative account to even
    create the nested group. If not an AD account, I do not recall setting
    up an smbpassword for root as I did in the past on my samba PDC. I am
    not a member of "Domain Administrators" in our AD setup, but that is a
    whole different set of questions.

    How would I make such a nested group the group owner for
    files/directories? Or would I then use the nested group in the "valid
    user" line of smb.conf? Use groupmap to associate it with a UNIX group?
    See, confusion.

    At this moment it seems my worst case/quick fix calls for long "valid
    user" lines listing the AD accounts that I wish to have access to
    certain shares - kinda' defeats the reason to have groups. Why would
    Samba be written to ignore the group memberships?

    Thanks in advance to anyone that can help clear up my confusion about
    groups!

    -Bob Martel

    --
    ***********************************************************************
    Bob Martel, System Administrator
    Levin College of Urban Affairs
    Cleveland State University
    (216) 687-2214
    r.martel@csuohio.edu

        I met someone who looks a lot like you
        She does the things you do
        But she is an IBM
                                    -Jeff Lynne
    ***********************************************************************
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba
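    The `valid users` syntax Bob is relying on (`+group`, `@group`, `&netgroup`, plain user names) is documented in smb.conf(5). The following is an added Python model of that matching, written for this page and not Samba's own code, for checking by hand which accounts a given line would admit against a particular /etc/group. It assumes the group file it is handed is the membership Samba sees through NSS; it does not model winbind's token building, nested local groups or idmap, which is precisely the part of the question this thread leaves open. The group file, the `CSUDOM` domain, the netgroup table and all user names are constructed sample data.

```python
"""Model of how an smb.conf ``valid users`` line admits a user, following
the prefix rules in smb.conf(5):

    +name   UNIX group only
    &name   NIS netgroup only
    @name   NIS netgroup if one of that name exists, otherwise UNIX group
    name    a user name

Added illustration for this thread, not Samba's code.  It assumes the
group file it is given is the membership Samba would see through NSS,
and models neither winbind's token building nor nested local groups.
"""
import re

# Constructed sample /etc/group.  "CSUDOM\bob" stands for an AD user
# added to a local UNIX group; the domain and names are hypothetical.
SAMPLE_GROUP_FILE = """\
www:x:1001:alice,CSUDOM\\bob
staff:x:1002:alice
empty:x:1003:
"""

# Constructed sample NIS netgroup table: {netgroup: set of user names}.
SAMPLE_NETGROUPS = {"webadmins": {"carol"}, "www": {"dave"}}


def parse_group_file(text):
    """Return {group name: set of supplementary members} from /etc/group
    format.  Membership via a user's primary GID is not recorded in
    /etc/group and is therefore not modelled."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed entry; getgrent() skips these as well
        name, members = fields[0], fields[3]
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_valid_users(value):
    """Split a valid users value; smb.conf lists are comma or space separated."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def user_allowed(user, valid_users, groups, netgroups=None):
    """True if ``user`` matches any token of ``valid_users``.

    ``user`` must be spelled exactly as NSS returns it: with winbind that
    depends on ``winbind use default domain`` and ``winbind separator``,
    so "CSUDOM\\bob" and "bob" are different accounts here, just as they
    are to a getgrnam()-based membership check.
    """
    netgroups = netgroups or {}
    for tok in parse_valid_users(valid_users):
        if tok.startswith("+"):
            hit = user in groups.get(tok[1:], ())
        elif tok.startswith("&"):
            hit = user in netgroups.get(tok[1:], ())
        elif tok.startswith("@"):
            name = tok[1:]
            if name in netgroups:
                hit = user in netgroups[name]
            else:
                hit = user in groups.get(name, ())
        else:
            # Samba matches user names case-insensitively.
            hit = tok.lower() == user.lower()
        if hit:
            return True
    return False


def report(valid_users, users, groups, netgroups=None):
    """Map each candidate user to whether the line admits them."""
    return {u: user_allowed(u, valid_users, groups, netgroups) for u in users}


if __name__ == "__main__":
    g = parse_group_file(SAMPLE_GROUP_FILE)
    candidates = ["alice", "CSUDOM\\bob", "carol", "dave"]
    for line in ("+www", "@www", "&www", "alice, +staff"):
        print(f"valid users = {line:14} -> {report(line, candidates, g, SAMPLE_NETGROUPS)}")
```

    Running it shows the practical trap behind the thread: `+www` admits `CSUDOM\bob` only if that exact spelling is what winbind hands to NSS, and `@www` silently stops consulting /etc/group as soon as a NIS netgroup of the same name exists.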


  2. Re: [Samba] Group membership confusion, UNIX, nested, and AD

    Robert M. Martel - CSU wrote:
    > Still hoping that someone can help clear this up.
    >
    >
    > Greetings,
    >
    > I've been reading and re-reading "Chapter 12. Group Mapping: MS Windows
    > and UNIX", Mailing list messages with the subjects "valid users = +group
    > doesn't work" and "Unix ADS group membership or vice versa" and all I've
    > gotten is more confused.
    >
    > I have to move my samba servers from a Samba PDC environment to Active
    > Directory (AD) where they will be member servers. I will NOT be able to
    > make ANY changes to the AD configuration: it is dictated and controlled
    > by those "on high." I cannot add any groups to AD. I can only
    > manipulate the membership of the UNIX groups on my servers.
    >
    > I already have a test samba server (3.0.28a) as a member of AD.
    >
    > What I want is to be able to control access to "shares" using lines like
    > "valid user +www" in smb.conf as I have in the past. The groups I want
    > to use are the UNIX groups on the AD member samba server. I have added
    > AD users as members of the UNIX groups in /etc/group
    >
    > It looks like Samba AD member servers will NOT look at local UNIX groups
    > to check and see if an AD account is a member of the UNIX group. I do
    > not want to have to map each and every AD user to a corresponding local
    > user - I thought accessing AD would cut down on the account management
    > workload, not increase it.
    >
    > I fail to see where winbind's nested groups will help me solve this
    > problem - as presented in the docs it seems to solve an MS Windows issue
    > that I do not have. Perhaps I still do not understand what the
    > nested group is supposed to provide.
    >
    > Since I have no administrative access to the AD server, how am I to
    > create nested groups? The example shows:
    >
    > net rpc group add demo -L -Uroot%not24get
    >
    > So it seems I would need some kind of administrative account to even
    > create the nested group. If not an AD account, I do not recall setting
    > up an smbpassword for root as I did in the past on my samba PDC. I am
    > not a member of "Domain Administrators" in our AD setup, but that is a
    > whole different set of questions.
    >
    > How would I make such a nested group the group owner for
    > files/directories? Or would I then use the nested group in the "valid
    > user" line of smb.conf? Use groupmap to associate it with a UNIX group?
    > See, confusion.
    >
    > At this moment it seems my worst case/quick fix calls for long "valid
    > user" lines listing the AD accounts that I wish to have access to
    > certain shares - kinda' defeats the reason to have groups. Why would
    > Samba be written to ignore the group memberships?
    >
    > Thanks in advance to anyone that can help clear up my confusion about
    > groups!
    >
    > -Bob Martel
    >

    Hi Bob,

    I recently did something similar; this page helped me the most of
    anything. I believe it was section 14.3:
    > http://samba.dsmirror.nl/samba/docs/.../idmapper.html


    However, I think you will need an account with privileges to join
    machines to the domain. If the AD admins will not give you one, it is
    possible to create an account that is not a domain administrator but can
    add/remove objects from the domain; maybe they can create that type of
    account for you.

    Also, here are my notes from when I was setting up our fileserver; they may help:
    > http://www.che.utah.edu/resources/su...tive_Directory






  3. Re: [Samba] Group membership confusion, UNIX, nested, and AD

    Brian Gregorcy wrote:
    ....
    > Hi Bob,
    >
    > I recently did something similar, this page helped me the most of
    > anything I believe it was section 14.3
    >> http://samba.dsmirror.nl/samba/docs/.../idmapper.html


    Thank you, I'll be taking a look at that next. I am just perplexed that
    samba as an AD member server cannot check UNIX groups for membership
    while it can otherwise.

    > However I think you will need an account with privileges to join
    > machines to the domain, ...


    I already have the machine in Active Directory and domain users can
    access shares on it - they gave me a "Domain Admin" account long enough
    to join AD, but not longer.



