Gary,

Thanks for taking the time to respond. My network is really small right now, so I can live with having to add the *nix groups locally. For some reason, I just assumed that winbind, which provided usernames for the matching UID, would do the same for *nix groups. I guess I really need to be using ldap, but that learning curve is going to be longer than I have to get these two servers in place.

Thanks again for your help.

---------- Original Message ----------------------------------
From: Gary Dale <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 09 May 2006 10:46:00 -0400

>Samba Administrator wrote:
>
>>Please forgive me if this post appears multiple times. I have had trouble
>>posting and I cannot be sure if any of my other posts have made it to the
>>list.
>>
>>I have 10 XP clients authenticating against a Samba PDC, using passwd as the
>>passdb backend. The Samba PDC provides several shares to the XP clients.
>>
>>Privileges on the Samba PDC are controlled by *nix user and group
>>permissions.
>>
>>I do not have any Windows servers on my network, so we do not use any of the
>>Windows group capabilities beyond the default groups.
>>
>>My Samba PDC is running out of room, so I want to move the shares to a new
>>server with more storage, but I want the Samba PDC to continue to
>>authenticate my XP clients.
>>
>>Should I maintain the definition of the shares on the Samba PDC, but actually
>>store the data on the new server and make it available to the PDC via NFS. In
>>other words, do not use Samba on the new server, but use NFS instead?
>>
>>OR
>>
>>Should I use Samba and winbind on the new server to provide access to the
>>shares and control permissions?
>>
>>Any thoughts or experiences are appreciated.
>>Scott Rosa
>>Debian-sarge, Samba 3.0.14
>>
>>--- MY CURRENT EXPERIENCE SO FAR ---
>>Note: I know that the simple solution would have been to make the new box the
>>PDC, which I may still do. However, I may be adding a second member server
>>soon, so I needed to figure out how to integrate the member server into my
>>network anyway.
>>
>>I have been able to get samba on the new server to use the old PDC to
>>authenticate the users. And, I have been able to verify with wbinfo -u.
>>However, I run into a problem with group permissions.
>>
>>When I do a wbinfo -r <username> on the member server, I get a list of
>>numeric group ids for the user. The count matches the number of groups that
>>the user belongs to on the PDC. Having virtually no experience with samba, I
>>thought that might not be a big deal, especially since I could determine the
>>group name by using the following commands:
>>
>>wbinfo -G <group-id>
>>wbinfo -s <SID from the command above>
>>
>>For example:
>>wbinfo -G 10012 returns S-1-5-21-...-3003
>>S-1-5-21-...-3003 returns PP+fl_staff 2
>>
>>However, when I tried to set up one of the directories that I want to move
>>from the existing PDC to the member server, I could not assign the
>>appropriate group to the directory.
>>
>>For example, on the member server:
>>
>>chgrp PP+fl_staff pub
>>chgrp "PP+fl_staff" pub
>>chgrp "PP+fl_staff 2" pub
>>
>>all return an error:
>>
>>chgrp: invalid group name `PP+fl_staff'
>>
>>Now, if I change the group ownership to the appropriate GID (in this case,
>>10012), the chgrp command works and my XP clients can access the directory
>>with the appropriate permissions, which I guess I can do. But, if something
>>happens to winbind idmap tables and things get renumbered for some reason, I
>>don't want to have to face the task of fixing the GIDs across some files and
>>directories.
>>
>>________________________________________________________________
>>Sent via the WebMail system at preventionpartners.com
>
>I'd avoid using NFS in this situation. Why make the file access go through two
>servers?
>
>If you make the new server a domain controller, you get some redundancy in
>your authentication, in case your PDC has problems. To avoid remapping shares,
>you can rename your PDC and file server so that the shares continue to map the
>same server name.
>
>re. your group problem: it sounds like the group names don't exist on the new
>server. Since you say you are using *nix groups instead of Windows groups,
>that could be the problem. I don't think it's a big deal. As long as the group
>numbers match, things should work. To get the names to show, you need to add
>the *nix groups locally. You could try copying the /etc/group from your PDC,
>or at least the portion with group numbers > 10000.
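
Copying the PDC's /etc/group entries above 10000 onto the member server can attach a GID to the wrong group when the member server already uses that name or number, which silently changes who can reach the moved directories. The script below is an added example, not part of the original thread: it compares the two files and flags such conflicts before anything is appended. The function names, file names and sample groups are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.

# classify_groups PDC_GROUP_FILE LOCAL_GROUP_FILE [MIN_GID]
# For each PDC group with GID > MIN_GID (default 10000) prints one of:
#   ADD name:gid       name and GID both unused locally, safe to append
#   OK name:gid        already present locally with the same GID
#   CONFLICT name:gid  name or GID already used differently locally
classify_groups() {
    awk -F: -v min="${3:-10000}" '
        /^#/ || NF < 3 { next }               # skip comments, blank/short lines
        FILENAME == ARGV[1] {                 # local file: index name<->GID
            gid_of[$1] = $3; name_of[$3] = $1; next
        }
        $3 !~ /^[0-9]+$/ || $3 + 0 <= min + 0 { next }
        {
            if (($1 in gid_of) && gid_of[$1] == $3)     state = "OK"
            else if (($1 in gid_of) || ($3 in name_of)) state = "CONFLICT"
            else                                        state = "ADD"
            print state, $1 ":" $3
        }
    ' "$2" "$1"
}

# lines_to_append: the PDC file's own lines for every ADD result.
lines_to_append() {
    classify_groups "$@" | sed -n 's/^ADD \(.*\):[0-9]*$/\1/p' |
    while read -r name; do
        awk -F: -v n="$name" '$1 == n' "$1"
    done
}

# Constructed sample files written into directory $1.
make_sample() {
    printf '%s\n' 'root:x:0:' 'users:x:100:' 'fl_staff:x:10012:alice,bob' \
        'fl_admin:x:10013:alice' 'fl_guest:x:10014:' 'fl_temp:x:10015:carol' \
        > "$1/pdc.group"
    printf '%s\n' 'root:x:0:' 'users:x:100:' 'fl_admin:x:10013:' \
        'fl_guest:x:10020:' 'scanner:x:10015:' > "$1/local.group"
}

demo_dir=$(mktemp -d) && make_sample "$demo_dir"
classify_groups "$demo_dir/pdc.group" "$demo_dir/local.group"
```

Only the lines printed by lines_to_append are candidates for the member server's /etc/group; every CONFLICT needs a manual decision before files are chgrp'd to that GID.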