Here's my situation, hoping that some of you who are running Samba in
an AD environment will have insight:
Samba is acting as a member file server in an AD domain. In addition
to the domain containing Samba, there are two other domains in the AD
forest. All three domains have full trust between them. Each domain
has a Global Security Group called ACAD_ENGR. Samba (through
winbind) sees them as DOM1+ACAD_ENGR, DOM2+ACAD_ENGR, and
DOM3+ACAD_ENGR. I'd like members from all three groups to have write
access to a particular directory. This needs to be done with
filesystem permissions, not share permissions, because underneath
each directory there are further subdirectories that have varying
access rights matched to other groups in the three domains.
Thoughts? Is this possible with Samba?
Under Windows there would be two ways to achieve it:
1) Assign all three ACAD_ENGR groups rights to each folder. In
theory, this could be achieved in Linux by using ACLs. But it is not
an easily manageable solution - should we add a fourth domain, we
would have to go back and add its groups to every folder.
2) In the domain where the files are actually hosted, create a Domain
Local group and then add the ACAD_ENGR groups from each domain to
it. Then assign rights on the filesystem to the single Domain Local
group. This is considered the "best practice" - down the road,
adding or removing access is as simple as a group membership change.
Number 2 is what I'm trying to do, but Samba doesn't seem to allow
it. I cannot see the Domain Local group through "wbinfo -g". I
*can* explicitly pull its ID with "getent group DOM1+localgroup", but
it shows as having no members. Since getent sees it, I can assign it
as group owner of a directory, but Samba will not let any of the
members have access.
Am I just doing something wrong?
--
Joshua Penix http://www.binarytribe.com
Binary Tribe Linux Integration Services & Network Consulting
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
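The first approach from the post (one ACL entry per domain group on the filesystem), written out as an added shell example; these are not the poster's commands. It builds a setfacl spec from a list of domains using the "DOM+GROUP" names winbind exposes, adds a matching default entry per domain so new subdirectories inherit the grant, and wraps the wbinfo/getent checks the poster ran. The directory path, the permission string and any domain beyond DOM1, DOM2 and DOM3 are assumptions; setfacl, getfacl, getent and wbinfo are the standard tools and the check is skipped where winbind is not installed.

```shell
#!/bin/sh
# Added example, not from the original post: grant one group from each
# trusted domain the same rights on a directory tree via POSIX ACLs.
# Group names use the "DOM+GROUP" form winbind shows in the post; the
# directory, the permission string and the domain list are assumptions.

# acl_spec GROUP PERMS DOM... -> comma-separated setfacl spec with an
# access entry and a matching default (d:) entry for each domain, so
# subdirectories created later inherit the grant instead of needing a
# manual fix-up. Adding a fourth domain is one more argument.
acl_spec() {
    group=$1; perms=$2; shift 2
    spec=""
    for dom in "$@"; do
        entry="g:${dom}+${group}:${perms},d:g:${dom}+${group}:${perms}"
        spec="${spec:+$spec,}$entry"
    done
    printf '%s' "$spec"
}

# count_entries SPEC -> number of entries in a spec; a quick sanity check
# that each domain contributed exactly an access and a default entry.
count_entries() {
    printf '%s' "$1" | tr ',' '\n' | grep -c .
}

# apply_acl DIR GROUP PERMS DOM... applies the spec to DIR and everything
# below it. Use "rwX" rather than "rwx" so regular files are not made
# executable; setfacl only applies the d: entries to directories.
apply_acl() {
    dir=$1; shift
    spec=$(acl_spec "$@")
    setfacl -R -m "$spec" "$dir" && getfacl -p "$dir"
}

# check_group NAME: what NSS and winbind report for a group, e.g. the
# domain local group from the post. Compare the member list from both.
check_group() {
    name=$1
    if ! command -v wbinfo >/dev/null 2>&1; then
        echo "wbinfo not available; skipping winbind checks" >&2
        return 2
    fi
    getent group "$name" || { echo "NSS cannot resolve $name" >&2; return 1; }
    wbinfo --group-info="$name"
}

# Usage (assumed path, permissions and domains):
#   apply_acl /srv/share/acad ACAD_ENGR rwX DOM1 DOM2 DOM3
#   check_group DOM1+localgroup
```

After applying, read the getfacl output for the mask entry: named group entries are limited by the mask, and setfacl recalculates it unless run with -n, so a group that still cannot write is usually masked rather than missing. Per-subdirectory grants to other groups, as described in the post, are just further apply_acl calls on those subdirectories with their own group and domain list.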