Joshua Penix wrote:
> Here's my situation, hoping that some of you who are running Samba in an
> AD environment will have insight:
>
> Samba is acting as a member file server in an AD domain. In addition to
> the domain containing Samba, there are two other domains in the AD
> forest. All three domains have full trust between them. Each domain
> has a Global Security Group called ACAD_ENGR. Samba (through winbind)
> sees them as DOM1+ACAD_ENGR, DOM2+ACAD_ENGR, and DOM3+ACAD_ENGR. I'd
> like members from all three groups to have write access to a particular
> directory. This needs to be done with filesystem permissions, not share
> permissions, because underneath each directory there are further
> subdirectories that have varying access rights matched to other groups
> in the three domains.
>
> Thoughts? Is this possible with Samba?
>
> Under Windows there would be two ways to achieve it:
>
> 1) Assign all three ACAD_ENGR groups rights to each folder. In theory,
> this could be achieved in Linux by using ACLs. But it is not an easily
> manageable solution - should we add a fourth domain, we would have to go
> back and add its groups to every folder.
>
> 2) In the domain where the files are actually hosted, create a Domain
> Local group and then add the ACAD_ENGR groups from each domain to it.
> Then assign rights on the filesystem to the single Domain Local group.
> This is considered the "best practice" - down the road, adding or
> removing access is as simple as a group membership change.
>
> Number 2 is what I'm trying to do, but Samba doesn't seem to allow it.
> I cannot see the Domain Local group through "wbinfo -g". I *can*
> explicitly pull its ID with "getent group DOM1+localgroup", but it shows
> as having no members. Since getent sees it, I can assign it as group
> owner of a directory, but Samba will not let any of the members have
> access.
>
> Am I just doing something wrong?
I'm pretty rusty on Samba, but do believe your question is quite a nice match to postings on the samba (general) list that, in the past, I have seen get pretty timely and good responses from _the_ real experts. The samba list used to be kind of lengthy, but in digest form, it wasn't too bad.

Regards,
..jim

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
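The ACL route the poster calls option 1, as an added example that is not part of this thread: a POSIX sh script that grants rwx on one directory to ACAD_ENGR in each listed domain (winbind names with the `+` separator, as in the post) and then checks the getfacl output for every expected entry. The directory path in the usage comment and the domain list are assumptions.

```sh
#!/bin/sh
# Added example (not from the original thread): one ACL entry per domain
# group on a directory, followed by a verification pass over getfacl output.
# Usage (assumed path): sh acad_acl.sh --apply /srv/acad DOM1 DOM2 DOM3

# Build a setfacl modification spec granting rwx to ACAD_ENGR in every
# listed domain, e.g. "g:DOM1+ACAD_ENGR:rwx,g:DOM2+ACAD_ENGR:rwx".
# $1 = winbind separator ("+" in the poster's setup), rest = domain names.
build_acl_spec() {
    sep="$1"; shift
    spec=""
    for dom in "$@"; do
        entry="g:${dom}${sep}ACAD_ENGR:rwx"
        if [ -z "$spec" ]; then spec="$entry"; else spec="$spec,$entry"; fi
    done
    printf '%s' "$spec"
}

# Apply the spec as an access ACL only (no default ACL), so the
# subdirectories keep the differing group rights the poster describes.
apply_group_acl() {
    dir="$1"; spec="$2"
    setfacl -m "$spec" "$dir"
}

# Verify: every expected group must appear in getfacl output with rwx.
# $1 = getfacl output, rest = group names. Returns 0 only if all present.
verify_acl_output() {
    out="$1"; shift
    for grp in "$@"; do
        printf '%s\n' "$out" | grep -q "^group:${grp}:rwx\$" || return 1
    done
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    dir="$2"; shift 2
    spec=$(build_acl_spec '+' "$@")
    apply_group_acl "$dir" "$spec"
    groups=""
    for dom in "$@"; do groups="$groups ${dom}+ACAD_ENGR"; done
    # shellcheck disable=SC2086
    verify_acl_output "$(getfacl -p "$dir")" $groups && echo "ACL OK on $dir"
fi
```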
