Gary,
Thanks for taking the time to respond. My network is really small right now,
so I can live with having to add the *nix groups locally. For some reason, I
just assumed that winbind, which provided usernames for the matching UID, would
do the same for *nix groups. I guess I really need to be using ldap, but that
learning curve is going to be longer than I have to get these two servers in
place.
Thanks again for your help.
---------- Original Message ----------------------------------
From: Gary Dale <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 09 May 2006 10:46:00 -0400
>Samba Administrator wrote:
>
>>Please forgive me if this post appears multiple times. I have had trouble
>>posting and I cannot be sure if any of my other posts have made it to the
>>list.
>>
>>I have 10 XP clients authenticating against a Samba PDC, using passwd as the
>>passdb backend. The Samba PDC provides several shares to the XP clients.
>>
>>Privileges on the Samba PDC are controlled by *nix user and group
>>permissions.
>>
>>I do not have any Windows servers on my network, so we do not use any of the
>>Windows group capabilities beyond the default groups.
>>
>>My Samba PDC is running out of room, so I want to move the shares to a new
>>server with more storage, but I want the Samba PDC to continue to
>>authenticate my XP clients.
>>
>>Should I maintain the definition of the shares on the Samba PDC, but actually
>>store the data on the new server and make it available to the PDC via NFS? In
>>other words, do not use Samba on the new server, but use NFS instead?
>>
>>OR
>>
>>Should I use Samba and winbind on the new server to provide access to the
>>shares and control permissions?
>>
>>Any thoughts or experiences are appreciated.
>>Scott Rosa
>>Debian-sarge, Samba 3.0.14
>>
>>--- MY CURRENT EXPERIENCE SO FAR ---
>>Note: I know that the simple solution would have been to make the new box the
>>PDC, which I may still do. However, I may be adding a second member server
>>soon, so I needed to figure out how to integrate the member server into my
>>network anyway.
>>
>>I have been able to get samba on the new server to use the old PDC to
>>authenticate the users. And, I have been able to verify with wbinfo -u.
>>However, I run into a problem with group permissions.
>>
>>When I do a wbinfo -r <username> on the member server, I get a list of
>>numeric group ids for the user. The count matches the number of groups that
>>the user belongs to on the PDC. Having virtually no experience with samba, I
>>thought that might not be a big deal, especially since I could determine the
>>group name by using the following commands:
>>
>>wbinfo -G <group-id>
>>wbinfo -s <SID from the command above>
>>
>>For example:
>>wbinfo -G 10012 returns S-1-5-21-...-3003
>>S-1-5-21-...-3003 returns PP+fl_staff 2
>>
>>However, when I tried to set up one of the directories that I want to move
>>from the existing PDC to the member server, I could not assign the
>>appropriate group to the directory.
>>
>>For example, on the member server:
>>
>>chgrp PP+fl_staff pub
>>chgrp "PP+fl_staff" pub
>>chgrp "PP+fl_staff 2" pub
>>
>>all return an error:
>>
>>chgrp: invalid group name `PP+fl_staff'
>>
>>Now, if I change the group ownership to the appropriate GID (in this case,
>>10012), the chgrp command works and my XP clients can access the directory
>>with the appropriate permissions, which I guess I can do. But, if something
>>happens to winbind idmap tables and things get renumbered for some reason, I
>>don't want to have to face the task of fixing the GIDs across some files and
>>directories.
>>
>>
>>
>>
>>________________________________________________________________
>>Sent via the WebMail system at preventionpartners.com
>>
>>
>
>
>I'd avoid using NFS in this situation. Why make the file access go through two
>servers?
>
>If you make the new server a domain controller, you get some redundancy in
>your authentication, in case your PDC has problems. To avoid remapping shares,
>you can rename your PDC and file server so that the shares continue to map the
>same server name.
>
>re. your group problem: it sounds like the group names don't exist on the new
>server. Since you say you are using *nix groups instead of Windows groups,
>that could be the problem. I don't think it's a big deal. As long as the group
>numbers match, things should work. To get the names to show, you need to add
>the *nix groups locally. You could try copying the /etc/group from your PDC,
>or at least the portion with group numbers > 10000.
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
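
An added example, not part of the original thread: a shell sketch for the concern raised above, that directories owned by a winbind-allocated numeric GID lose their meaning if the idmap tables are renumbered. It records the GID-to-SID mapping for a tree with `wbinfo -G` (the call used in the post) and later reports any GID that now maps to a different SID. The function names are hypothetical, and the 10000 floor is an assumption taken from the "group numbers > 10000" remark in the reply.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed names: gids_in_tree,
# snapshot_gid_sids, check_snapshot. wbinfo -G is the call used in the post.

tab=$(printf '\t')

# Print each distinct numeric GID owning something under $1.
# ls -n is POSIX; field 4 of its long listing is the numeric group id.
gids_in_tree() {
    find "$1" -exec ls -lnd {} + | awk '$4 ~ /^[0-9]+$/ { print $4 }' | sort -un
}

# For each GID under $1 at or above $2 (assumed idmap floor; the reply
# mentions group numbers > 10000), print "gid<TAB>sid<TAB>named|numeric-only".
snapshot_gid_sids() {
    gids_in_tree "$1" | while read -r gid; do
        [ "$gid" -ge "${2:-10000}" ] || continue
        sid=$(wbinfo -G "$gid" 2>/dev/null) || sid=UNMAPPED
        if getent group "$gid" >/dev/null 2>&1; then nss=named; else nss=numeric-only; fi
        printf '%s\t%s\t%s\n' "$gid" "$sid" "$nss"
    done
}

# Re-resolve every GID in snapshot file $1; report any whose SID changed.
# Returns 1 if winbind now maps a recorded GID to a different SID.
check_snapshot() {
    drift=0
    while IFS=$tab read -r gid sid rest; do
        now=$(wbinfo -G "$gid" 2>/dev/null) || now=UNMAPPED
        if [ "$now" != "$sid" ]; then
            printf 'GID %s: recorded %s, now %s\n' "$gid" "$sid" "$now"
            drift=1
        fi
    done < "$1"
    return "$drift"
}
```

Saving the output of `snapshot_gid_sids` for a share directory to a file outside the share, and running `check_snapshot` on that file after any winbind change, shows whether group ownership on disk still refers to the same domain groups.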