Hi,
I'm pretty confused about using samba as domain-member and file-server.
Assuming I have a couple of windows-users on my active directory server and there are
mainly 2 groups defined in the AD: ReadOnlyGroup and WriteOnlyGroup.
On my samba-server there is one share which should be used by both groups, and I want users in the WriteOnlyGroup to have the permission to modify/delete all
files/directories and the users in the ReadOnlyGroup to only read the
files/directories. To keep it simple I don't want any other ACLs at all.

I thought that this setup should be possible by using the read/write list, the
force group and the mode features in the smb.conf.

Now I have 2 options to connect to my PDC.
Either I use security = ADS or I use security = domain.

For the first option, as far as I know, I need to use kerberos. Because I'm forced to use AIX as platform for the samba-server and there is no kerberos-support
installed, I must use security = domain.

Running with security = domain, I think at first I'm now forced to replicate all active-directory users to unix-users on my samba-server to establish a mapping between NT <-> Unix User IDs for the proper
ownership of files on the share's filesystem.

Now my Questions:
1)
When I have done this, there is no need to use the "net groupmap" feature, because all users are mapped to Unix-Users and these Unix-Users belong to primary unix-groups. The groupmap feature only makes sense if I run the winbindd-daemon (on top of kerberos) and there is no complete mapping of NT<->Unix User/Group. Is this correct?

2)
Which kinds of arguments are possible for "read list" and "write list"?
Is it correct that only unix-users and unix-groups are possible?
Is there any way to use the ReadOnlyGroup and WriteOnlyGroup from the Active-Directory? If only unix-groups are possible I also have to replicate the group-memberships
to the unix-system. Is this correct?
If this is correct, this is pretty painful because I have to administrate 2 user databases now.

3)
Is this simple setup only possible with ACLs on the filesystem and with running
winbindd?

Thank you for answers
Christian