Hello again,

at the beginning thank you for your support. Today I had the time to test the various proposals. Finally the "gpasswd thing" works in that way that I can add any user to local groups. Even domain users... Unfortunately the group members still can not access the shares.

I have done it in this way:

1. stop smbd & nmbd
2. add "winbind use default domain = yes" to the smb.conf
3. create a testgroup with "groupadd test1"
4. add my domain user (without the domain (domain+)) to this group with "gpasswd -a rutzki.matthias test1"
5. create a share called testshare with "valid users = @test1" in smb
6. start smbd nmbd
7. logged in domain on a WIN98 System
8. try to access the testshare
9. System asks me for a password.....

So, it seems that the samba does not find my user. Same failure when I add my user with "gpasswd -a west3+rutzki.matthias test1" to the local group.

Here is my winbind log:

#access to testshare with "valid users = west3+rutzki.matthias" (this works perfect):
...
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: gid to sid 10250
[ 8690]: gid to sid 11001
[ 8690]: gid to sid 11255
[ 8690]: gid to sid 11257
...

#access to testshare with "valid users = @test1" or "valid users = +test1" (ends in password request):
...
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: gid to sid 10250
[ 8690]: gid to sid 11001
[ 8690]: gid to sid 11255
[ 8690]: gid to sid 11257
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: getgroups west3+rutzki.matthias...(approx.: 30 times this message)
...

Has anyone an idea what winbind is doing there?

Perhaps you need some other winbind related configuration data:

/etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind

/etc/samba/smb.conf:
...
security = domain
...
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind cache time = 10
winbind enum users = no #(large domain)
winbind enum groups = no #(large domain)
template shell = /bin/bash
...
[testshare]
path = /1
guest ok = no
writable = no
browseable = yes
valid users = @test1
write list = @test1

/etc/pam.d/system-auth:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth use_first_pass nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_winbind.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

I hope that will help you. Thank you for your help.

Greetings
Matthias

>--- David Boynton <david.boynton2 at asu.edu> wrote:
>> Well, I got this to work once by manually editing
>> the /etc/group file, like
>> adding the line:
>>
>> localgroup:x:<gid>: domain+user1,domain+user2,etc
>>
>> I don't know if this is a safe thing to do, however.
>> :)
>
>I don't believe you can safely manually edit this
>file, as you would probably also have to edit
>/etc/gshadow to match. Unix/Linux has a tool called
>gpasswd that will do this for you:
>gpasswd -a <user> <group>
>
>It lets you add users to a group without them existing
>in /etc/passwd (they don't even have to exist at all).
>Combine this with "winbind use default domain = yes"
>in smb.conf and you're ready to go.
>
>For example, in the domain ABC for the user john, do
>this to add him to a 'local' Unix group called
>smbusers:
>
>gpasswd -a john smbusers
>
>With "winbind use default domain = yes" you don't need
>to prefix it with your domain. Slick, huh? (:
>
>Good luck,
>/dev/idal
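
Added example, not part of the original thread and not Samba's own logic: because gpasswd accepts member names that do not exist, a local group named in "valid users" or "write list" can hold entries that never resolve through NSS, and this audit lists them. The sample smb.conf and group text, the gid 501, and the names "old.account" and "staff" are constructed; the resolver is injectable so the check can be exercised without a running winbindd.

```python
import pwd
import re

# Constructed samples modelled on the post; "old.account" and "staff" are made up.
SAMPLE_SMB_CONF = "[testshare]\nvalid users = @test1\nwrite list = @test1, +staff\n"
SAMPLE_GROUP = "test1:x:501:rutzki.matthias,old.account\nusers:x:100:\n"

def nss_resolves(name):
    """True if getpwnam(3) finds the name via the sources in nsswitch.conf."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False

def parse_group_file(text):
    """Map group name -> member list from /etc/group-format text."""
    rows = (l.strip().split(":") for l in text.splitlines() if not l.startswith("#"))
    return {r[0]: [m.strip() for m in r[3].split(",") if m.strip()]
            for r in rows if len(r) == 4}

def referenced_groups(smb_conf):
    """Yield (share, option, group) for @group / +group access-list entries."""
    share = None
    for line in (raw.strip() for raw in smb_conf.splitlines()):
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        share = section.group(1) if section else share
        key, _, value = line.partition("=")
        key = " ".join(key.split()).lower()
        if key in ("valid users", "write list"):
            for tok in re.split(r"[,\s]+", value.strip()):
                if tok.startswith(("@", "+")) and len(tok) > 1:
                    yield share, key, tok.lstrip("@+&")

def audit(smb_conf, group_text, resolves=nss_resolves):
    """Return (share, option, group, member, problem) findings."""
    groups, findings = parse_group_file(group_text), []
    for share, option, group in referenced_groups(smb_conf):
        if group not in groups:
            findings.append((share, option, group, None, "not a local group"))
        for member in groups.get(group, []):
            if not resolves(member):
                findings.append((share, option, group, member, "unresolved member"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_SMB_CONF, SAMPLE_GROUP), sep="\n")
```

On a real host, pass the contents of /etc/samba/smb.conf and /etc/group and keep the default resolver, which asks the same NSS sources (files, winbind) listed in nsswitch.conf.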