I'm using samba 3.0.28 as distributed by SUN on solaris 10 x86_64 5_08.

Samba and kerberos are configured to authenticate to a domain, and
domain user authentication, and access to shares goes smoothly.

I need to limit access to the samba shares to a few select groups.
The problem is that those groups aren't showing in either getent groups
or wbinfo -g.

A conversation with the domain admin revealed that the groups that I need
were created as "Universal" as they contain members from several different
domains (with trust relationships).

I guessed that a good work-around for this would be to create local _unix_
groups and add the domain users to these groups.
I've tried this, but without success (the user still logs in, but can't write
unless the directory has write access for everyone).
Is there a config option that must be enabled in smb.conf (or somewhere
else) for this to work?
What is the correct way to add a domain user to a _unix_ group?
I've tried both:
lclgrp::15757:DOMAIN+domuser
lclgrp::15757:domuser

Also, I can't log in with a local unix user. Is the use of winbind mutually
exclusive with local logins?
If not, how can I enable it?

Thanks for your help,
Duarte Alencastre

smb.conf follows:

[global]
workgroup = DOMAIN
dns proxy = yes
security = ads
password server = *
wins server = wins.server.ip.address
netbiosname = myhost
#winbind separator = . # This isn't used in the configuration anywhere
winbind separator= +

#### disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

idmap uid = 15000-20000
idmap gid = 15000-20000

winbind enum users = yes
winbind enum groups = yes

# This template can include the domain name if required
template homedir = /export/home/%U
template shell = /usr/bin/bash

# Allows login in as "username" instead of "NTDOMAIN.username"
winbind use default domain = Yes
allow trusted domains = Yes

[share_a]
comment= share_a
path = /storage/share_a
# Disabled acl check permissions and zfsacl due to zfsacl issues encountered
# Solaris 08/07 w/ Samba 3.0.25
acl check permissions = False
public = yes
writable = yes