Re: [Samba] Samba 3 with OpenLDAP multimaster or Fedora-DS
Hello,

On Wed, Jun 18, 2008 at 2:16 PM, Charlie <[EMAIL PROTECTED]> wrote:
[...]
>
> At each site, we have a separate domain, a samba PDC/WINS server, a
> print server, multiple samba file servers, and multiple ethernet
> segments. If four or five WAN links go down simultaneously it's
> possible that people at one site will not be able to change their
> passwords until connectivity is restored, but everything will still
> work fine (including network browsing). If there was some reason
> connectivity could not be restored within 24 hours, the on-site staff
> would promote a local LDAP replica (the "site master") and I would
> manually merge any changes after the connectivity was restored with a
> little shell scripting.

Sure... since you have multiple domains, that's a different story, multiple pdcs/dmbs, etc. I'm interested in experiences with only one domain, across multiple offices, using samba dcs/openldap multimaster, to see if it's a reliable solution.

>
> All our POSIX hosts and samba servers implement LDAP failover, so that
> I can take LDAP replicas in and out of service temporarily without
> worrying about breaking anything. The giant HP-UX monsters use HP's
> ldap-ux, the linux systems use PADL's nss_ldap and pam_ldap. Samba is
> compiled to use the OpenLDAP libraries (we use Red Hat packages as
> much as possible, and I build custom RPMs when Red Hat's packages are
> insufficient). I have no kerberos but we have LDAP-integrated RADIUS
> in our switches and routers.
>

Sure, i also have 10 slaves.

> We have a lot of WAN links, to our own remote sites, and also to more
> than 50 other organizations that we serve. Our LDAP infrastructure
> has been fully functional for a long time (since before syncrepl was
> invented) and is pretty mature. Now that syncrepl seems to be stable
> technology, I am thinking about multi-mastering again, but I am not in
> a hurry to re-architect everything. I will probably have to set up
> kerberos eventually and I guess I will revisit all aspects of
> infrastructure design at that time.
>
> A well-integrated LDAP directory can provide single sign-on to
> hundreds of applications at more than 50 sites with HIPAA-compliant
> audit traces and access controls. Samba expands what you can do with
> LDAP even more, because samba allows arbitrarily defined actions to be
> triggered by network logon and file access events.
>

Yeah... we all love LDAP! :-)

--
Carlos Eduardo Pedroza Santiviago - http://softwarelivre.net | Step by step towards freedom!

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 with OpenLDAP multimaster or Fedora-DS
Hi,

On Tue, Jun 17, 2008 at 5:39 PM, Charlie <[EMAIL PROTECTED]> wrote:
> Lots of folks have samba 3 running over OpenLDAP. Syncrepl is what
> I'd use if I was setting it up today, but I have a very reliable and
> mature implementation already running slurpd, so I am going to stick
> with that for the moment.
[...]
>
> We have one PDC and WINS server per physical site, which is more
> reliable and fault-tolerant than anything else I've tried, but it does
> make LDAP configuration a bit dicey since the Samba Team doesn't yet
> understand why anyone would want to combine a unified authentication
> infrastructure with geographically localized network control. Setting
> up domain trusts with our configuration is tricky.
>

Humm, so you're not using the same domain for the entire company?

In my situation, we have 5 remote offices, and all using the same domain, and if for some unknown reason our links (yes, we do have redundant links) go down, these offices should be able to work with minimal interruption (by saying this i mean, users should be able to change their passwords, machines also should be able to update their accounts, etc).

--
Carlos Eduardo Pedroza Santiviago - http://softwarelivre.net | Step by step towards freedom!
[Samba] Samba 3 with OpenLDAP multimaster or Fedora-DS
Hi,

I'd like to know if any of you have ever implemented Samba 3 with OpenLDAP multimaster (using syncrepl, maybe) or Fedora-DS. The basic idea would be:

- WAN link dies, the remote office's BDC would promote itself to PDC (using some kind of monitoring script), and will start accepting changes to the user base. Also, some change to the local WINS server would be necessary.

- WAN link returns, the changes are replicated back to the original PDC, and the WAN's PDC is demoted to BDC again, and changes again the WINS database.

From what i've read, NT4 seems to do this "automagically", and i'm having some complaints about that.

What do you guys think?

Best regards,

--
Carlos Eduardo Pedroza Santiviago - http://softwarelivre.net | Step by step towards freedom!
Re: [Samba] Subversion VFS Module
Hi,

On 7/27/07, Adam Tauno Williams <[EMAIL PROTECTED]> wrote:
[...]
> > Is there any page where we can see the results of the Summer Of Code
> > Projects? I'm interested in the administrative logs project.
>
> See the archives of the Samba Technical list; if I recall correctly
> there was some discussion about a logging project awhile ago.
>

Yup, i followed that too. But what i really want to know is if that administrative project done by Michael Krax (IIRC), will ever hit the official archive. There were some great modifications done by him, that would help to audit the modifications done.

--
Carlos Eduardo Pedroza Santiviago - <[EMAIL PROTECTED]>
Re: [Samba] Subversion VFS Module
Hi,

On 7/26/07, Gerald (Jerry) Carter <[EMAIL PROTECTED]> wrote:
> Christian Huldt wrote:
> > I read about a Subversion VFS Module
> > at http://www.samba.org/samba/projects/summercode06.html
> >
> > Is this still moving?
>
> Nope.
>

Is there any page where we can see the results of the Summer Of Code Projects? I'm interested in the administrative logs project.

thank you,

--
Carlos Eduardo Pedroza Santiviago - <[EMAIL PROTECTED]>
Re: [Samba] 3.0.24 and disappearing ACL entries
Hi,

On 5/1/07, Aaron Kincer <[EMAIL PROTECTED]> wrote:
> I've been working at this for a few days now and I can't figure out what
> is broken. Google turns up similar issues from years back, but I hope
> this is a bug resurfacing. ACL entries are being deleted when files are
> saved. Here is an example:

Any info on this? I'm having similar problems, when a user with the M$ Suite saves his files.

$ getfacl *
# file: teste.doc
# owner: cadu
# group: XXXEMP
user::rwx
group::rwx
group:XXXAED:rwx
group:XXXEXT:r-x
group:XXXGES:rwx
mask::rwx
other::---

# file: teste.ods
# owner: cadu
# group: XXXEMP
user::rwx
group::rwx
group:XXXAED:rwx
group:XXXEMP:rwx
group:XXXEXT:r-x
group:XXXGES:rwx
mask::rwx
other::---

After saving file "teste.doc", it removed the ACL for the EMP group. That didn't happen when i saved "teste.ods", using OpenOffice suite.

--
Carlos Eduardo Pedroza Santiviago
Re: [Samba] 3.0.23 ldapsam:trusted=yes problem
Hi,

On 3/15/07, Asier Baranguán <[EMAIL PROTECTED]> wrote:
> Hi all!
>
> I've a running Samba PDC (LDAP backend) with windows clients. All the
> users are in the LDAP, including the 'guest' user. All except the 'root'
> user which is a regular user. Then change in the smb.conf
>
> ldapsam:trusted = yes
> ldapsam:editposix = yes
>
> and noticed some speed-up when listing groups, look file ownerships, and
> so on. But I can't add machines to the domain: neither with the 'root'
> user, neither some users with privileges to join computers.
>
> If I comment the ldapsam:trusted/editposix everything is fine and
> machines get added to the domain.
>
> ¿Why? All the users are in the LDAP so ldapsam:trusted should work :-?

IIRC, when you use the editposix flag, samba tries to manage all user/groups functions and doesn't use the smbldap scripts you've defined. But i don't know if this is already finished. Maybe simo can answer this?

For now, just use ldapsam:trusted, since it will speed things a lot.

--
Carlos Eduardo Pedroza Santiviago
Re: [Samba] LDAP, checkpwnam and PDC
Hi,

On 12/4/06, Ben Wheare <[EMAIL PROTECTED]> wrote:
> Hiya,
>
> I'm trying to set up a Samba PDC with an LDAP backend. I experienced
> problems joining machines to domains, the machine account was created,
> but Windows said user name cannot be found. I resolved this by adding
> ldap to /etc/nsswitch.conf, but this has the side effect of allowing
> ldap users to login to the server via SSH. Whilst I can understand the
> need for LDAP users to be accessible to the system, i.e. checkpwnam etc
> for permissions, I don't want users to be able to login to anywhere
> except the client Windows 2000/XP boxes. People (only 3) who can login
> via SSH already have "real" user accounts in /etc/passwd etc.
>
> Is there a way to stop this being allowed?

Check your sshd (/etc/ssh/sshd_config) configuration, specially the AllowUsers and/or AllowGroups options.

--
Carlos Eduardo Pedroza Santiviago
Re: [Samba] RE: AIX Testers Needed.
Hi,

I've installed the pware package in our testbed AIX 5.3. However, i am unable to change permissions on my own home directory, when trying to add a domain user to it. I have the following situation:

- 1 SLES9 Samba/PDC with OpenLDAP (master)
- 1 AIX 5.3 updated (53-003 IIRC), using secldapclntd (AIX's native LDAP client), and Samba 3.0.23c. This host was added as a domain member.

I start nmbd, smbd and winbindd, but AFAICT, it cannot translate uid <-> sid mappings.

Any clue? I'll generate a loglevel10 of this ASAP.

--
Carlos Eduardo Pedroza Santiviago
[Samba] Re: AIX Testers Needed.
Hi,

On 9/12/06, William Jojo <[EMAIL PROTECTED]> wrote:
> Hello AIX folks,
>
> I am changing the packaging of Samba for AIX. Presently Samba is built
> with a truckload of static libs and bound up in a package that has no
> other support for the supporting infrastructure.

That's good news!

> What I'd like to do instead is make as much of the package dependent
> upon shared libs and to allow for completeness of the package. In other
> words, BDB, OpenSSL, OpenLDAP, SASL, KRB5, libiconv and gcc shared libs
> are all included as *complete* packages; you'll have an LDAP server,
> Kerberos support, SSL and Berkeley tools for hot backups and recovery.

Great, i'll test here in a 5.3 server and give some feedback about its behavior. Have you tried using it with Symas CDS?

--
Carlos Eduardo Pedroza Santiviago
[Samba] Re: Samba, AIX and Winbind
[...]
> - Has anyone been able to do something like this? I mean, using a unique
> UID across multiple environments?

More on this:

$ ldapsearch -b ou=idmap,dc=domain -x
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# Idmap, DOMAIN
dn: ou=Idmap,dc=DOMAIN
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
ou: Idmap
gidNumber: 10010
uidNumber: 10001

# S-1-5-21-112207604-471413004-518595180-18138, Idmap, domain
dn: sambaSID=S-1-5-21-112207604-471413004-518595180-18138,ou=Idmap,dc=domain
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 1
sambaSID: S-1-5-21-112207604-471413004-518595180-18138

As i see above, when using winbind to map SID to UID, and using LDAP as backend, it'll map every entry below ou=Idmap,dc=domain. But, why doesn't it use the same uid for my user?
[Samba] Samba, AIX and Winbind
Hi,

I'm having some problems in the following situation:

- a SLES9 PDC (Samba/OpenLDAP)
- a IBM NAS500 Gateway, supposed to be a storage with SMB features, but Samba is far better than that

I've got Samba 3.0.23 working, and i can see my LDAP users/groups (through aix native ldap client -- i mean, the "id" command returns every user found in the base). However, i'm not able to assign new permissions to my folders, since i get this error:

create_canon_ace_lists: unable to map SID S-1-5-21-112207604-471413004-518595180-18138 to uid or gid.

I was told that i needed to use winbindd, and that really worked (thanks Idra), BUT, that raises another problem: since i have to specify idmap ranges for uid/gid, i lost my unique uid stored in the LDAP base. I've tried to use idmap "backend = ldap:ldap://myserver", but, i still have to specify those ranges, otherwise i get this error:

[2006/08/09 10:49:59, 0] nsswitch/winbindd_util.c:winbindd_param_init(787)
  winbindd: idmap uid range missing or invalid
[2006/08/09 10:49:59, 0] nsswitch/winbindd_util.c:winbindd_param_init(788)
  winbindd: cannot continue, exiting.
[2006/08/09 10:49:59, 1] nsswitch/winbindd.c:main(986)
  Could not init idmap -- netlogon proxy only

Finally, Some questions:

- Why do i have to still specify idmap ranges when using backend = ldap?
- Does winbindd ldap support work with OpenLDAP?
- Has anyone been able to do something like this? I mean, using a unique UID across multiple environments?

Thanks!
Re: [Samba] LDAP Attributes
Hi,

[...]
> I was asked to implement logon and logoff control in our network. I read
> in the link below that those parameters are not used (unless not yet).
> Is there any other way to do it? Or any hope that it will be implemented
> soon?
>
> http://samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html
>
> sambaLogonTime: Integer value currently unused.
> sambaLogoffTime: Integer value currently unused.
[...]

Maybe this can help you:

http://lists.samba.org/archive/samba/2006-January/115883.html
[Samba] Samba and CUPS
Hi again,

I'd like to know if it's possible to configure samba to not list classes stored in CUPS? I've a lot of classes here, and listing printers shared on my samba server takes some time... where it should list only the printer queues and not printer queues plus classes.

Thanks.
[Samba] Samba and CUPS
Hi,

I'd like to know if it's possible to configure samba to not list classes stored in CUPS? I've a lot of classes here, and listing printers shared on my samba server takes some time... where it should list only the printer queues and not printer queues plus classes.

Thanks.
[Samba] Auditing user/group management
Hi,

I'd like to know if samba offers any way to audit user/group management tasks. I need to audit those events. AFAIK, i can change the smbldap-tools scripts to do some debugging, but doing it from samba would be nice.

Is there any way? Maybe increasing the log level? How about some audit option in the config file?

thanks.
[Samba] Trust relationship and LDAP backend
Hi,

I have a domain using LDAP backend, and recently we've managed to establish a trust relation with another domain in our network, which uses a pure NT4 server. After that, some accounts from the trusted domain started being created in our base. The user created doesn't have the same attributes as a valid user (he doesn't have sambaSamAccount, for example). But for auditing purposes, this shouldn't happen.

Is this a normal behaviour?
[Samba] Updating sambaLogonTime when user logs in
Hi,

I've made a quick and dirty Samba config. to update the sambaLogonTime timestamp when user logs in (LDAP backend). Here, i have a specific share that all users connect when they log in, besides the netlogon. However i think you can use the netlogon to modify it too (maybe add some verification in case of "Guest" connects, which is left to you).

Basically, you have to add:

[netlogon]
...
root preexec = /usr/bin/updateLogonTime.sh "%u"
...

And updateLogonTime.sh:

__BEGIN__
#!/bin/bash
# $1 is the user name Samba substitutes for %u in "root preexec".
TIMESTAMP=$(date +%s)   # seconds since the epoch
# Quote "$1" so the user name reaches ldapctl as a single argument.
/usr/bin/ldapctl YOURDOMAIN replace "$1" sambaLogonTime "$TIMESTAMP"
__EOF__

Easy, huh? ldapctl is a fucking awesome tool i found while surfing around. You can grab it here:

http://sneakymustard.com/blog/code/python/ldapctl.shtml

In some organizations, the sambaLogonTime is required to meet their policy. Of course, other modifications could be done as well.

cya,

--
Carlos Eduardo Pedroza Santiviago - <[EMAIL PROTECTED]>
[Samba] sambaLogonHours again...
Hi all,

I've been playing around with the sambaLogonHours attribute to lock down access from some users. This is the real scenario:

1. Admin user "ADM" wants to allow user "foo" only from 6am to 6pm, so he opens his favourite tool usrmgr.exe and sets this restriction for user "foo".

2. Next day, some minutes before 8am user "foo" tries to log in, in his supposed "allowed" time and gets an error, saying he's not allowed to log in that time. An error is appended to the domain controller's logs.

So, we have a real problem here. Going further, "ADM" tries to discover what could be wrong, and decides to check all the timezones. GMT-2 in the server, GMT-2 in the client, GMT-2 in the "ADM"'s machine. Looks fine.

Trying to "decrypt" the sambaLogonHours attribute, "ADM" finds out that the restriction time was really stored in GMT format, and so, the user "foo" will only be allowed to logon *after 2 hours* the restriction imposed!

I've read the archives, some users had the same problem, and looks like there's no known solution AFAIK. Browsing the samba code, auth_sam.c, logon_hours_ok(), seems that the verification of the restriction is done checking the server's localtime.

Changing the server's time solves the problem (of course), but that's not the best solution IMHO.

Has anyone got a better solution?

thanks,

--
Carlos Eduardo Pedroza Santiviago - <[EMAIL PROTECTED]>
Re: [Samba] List all computers from WINS?
On Oct 03, 2005 08:31 AM, Tomasz Chmielewski <[EMAIL PROTECTED]> wrote:
> Carlos Eduardo Pedroza Santiviago wrote:
> > Hi,
> >
> > I know NMBLOOKUP can query a WINS server about its entries by name, or
> > IP. When using broadcast, i can specify "*" as the query filter.
> > However, i cannot get all entries from a WINS server using "*".
> >
> > Is there any other way to accomplish this? Please note that using
> > broadcast is not a good solution. :)
>
> generally, WINS entries are stored in wins.dat file.
>
> perhaps viewing it is what you want?
>

Sorry, i forgot to mention that my WINS server is Windows based. :-)

--
Carlos Eduardo Pedroza Santiviago - <[EMAIL PROTECTED]>
[Samba] List all computers from WINS?
Hi,

I know NMBLOOKUP can query a WINS server about its entries by name, or IP. When using broadcast, i can specify "*" as the query filter. However, i cannot get all entries from a WINS server using "*".

Is there any other way to accomplish this? Please note that using broadcast is not a good solution. :)

--
Carlos Eduardo Pedroza Santiviago - <[EMAIL PROTECTED]>
[Samba] Samba and IBM TotalStorage NAS500
Hi,

Has anyone ever configured a NAS500 TotalStorage from IBM to do pass-through authentication to Samba servers? AFAIK, NAS500 only "speaks" NTLM, and Samba should support it.

The other problem is that i tried to mount its exported directories, using smbfs, but i can't list its contents. With cifs file system, i wasn't able to mount it.

--
Carlos Eduardo Pedroza Santiviago - <[EMAIL PROTECTED]>
[Samba] Local groups support
Hi all,

Has anyone been able to get local groups support with a Samba Server through winbindd? Specifically, i am able to store several SIDs in sambaSIDList, but i can't get winbind working to retrieve (or expand) its members.

Is Winbindd supposed to work _only_ with NT servers?

--
Carlos Eduardo Pedroza Santiviago
Support Analyst <[EMAIL PROTECTED]>
Prognus Soluções Livres em TI
http://www.prognus.com.br
+55 45 3520-5867
[Samba] sambaLogonHours - Really GMT?
Hi,

I'm using BRST timezone (Brazilian East), and AFAIK[1], sambaLogonHours stores it in GMT timezone. IIRC, the NT PDC is comparing with its local time. For example, if the user is allowed to log between 6am to 6pm, it will work with BRST timezone, even usrmgr.exe hours restriction is supposed to be in GMT time. However, when trying to log on a Samba machine, with LDAP backend, it is comparing with that time-3 (GMT-3).

I'm starting to think that because of the localization of the PDC NT (pt_BR), it is storing that time in BRST zone. I've tried a lot of things, from changing the timezone to GMT, GMT-3, and even messing with "time offset" in smb.conf.

What am i missing?

Thanks.

[1]: http://lists.samba.org/archive/samba-technical/2004-December/038271.html

--
Carlos Eduardo Pedroza Santiviago
Support Analyst <[EMAIL PROTECTED]>
Prognus Soluções Livres em TI
http://www.prognus.com.br
+55 45 3520-5867
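
Added example (not part of the original posts and not Samba's code): the mismatch reported in this message and in "sambaLogonHours again...", worked through with the 6am to 6pm, GMT-2 numbers from that thread. It assumes the attribute is 21 bytes written as 42 hex characters, one bit per hour of the week, least significant bit first, starting Sunday 00:00 GMT; all function names are hypothetical.

```python
"""Added example: sambaLogonHours as a 168-bit week map (assumed layout),
and what happens when it is checked against local time instead of GMT."""
from datetime import date, datetime, timedelta, timezone

HOURS_PER_WEEK = 7 * 24  # one bit per hour -> 21 bytes -> 42 hex characters


def encode_logon_hours(local_start, local_end, utc_offset):
    """Hex value for 'allowed local_start..local_end (end exclusive) every
    day', with each local hour shifted to GMT before its bit is set."""
    bits = bytearray(HOURS_PER_WEEK // 8)
    for wday in range(7):  # 0 = Sunday
        for hour in range(local_start, local_end):
            # Modulo wraps hours pushed across the Saturday/Sunday boundary.
            idx = (wday * 24 + hour - utc_offset) % HOURS_PER_WEEK
            bits[idx // 8] |= 1 << (idx % 8)
    return bits.hex().upper()


def hour_bit(hex_value, wday, hour):
    """True if the bit for (weekday, hour) is set; wday 0 = Sunday."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != HOURS_PER_WEEK // 8:
        raise ValueError("sambaLogonHours must be 42 hex characters")
    idx = wday * 24 + hour
    return bool(raw[idx // 8] & (1 << (idx % 8)))


def logon_allowed(hex_value, when, utc_offset, compare_in="gmt"):
    """Check an aware datetime against the bitmap.

    compare_in="gmt"   indexes the bitmap with the GMT weekday and hour.
    compare_in="local" indexes it with the server's wall-clock time, the
                       behaviour the thread reports for logon_hours_ok().
    """
    if compare_in not in ("gmt", "local"):
        raise ValueError("compare_in must be 'gmt' or 'local'")
    t = when.astimezone(timezone.utc)
    if compare_in == "local":
        t += timedelta(hours=utc_offset)  # wall clock at the server
    wday = (t.weekday() + 1) % 7  # Python: Monday=0, bitmap: Sunday=0
    return hour_bit(hex_value, wday, t.hour)


def passing_local_hours(hex_value, day, utc_offset, compare_in):
    """Local hours of `day` at which a logon attempt would pass."""
    tz = timezone(timedelta(hours=utc_offset))
    return [
        h for h in range(24)
        if logon_allowed(
            hex_value,
            datetime(day.year, day.month, day.day, h, 30, tzinfo=tz),
            utc_offset, compare_in)
    ]


if __name__ == "__main__":
    # Constructed scenario from the thread: 06:00-18:00 local, zone GMT-2.
    value = encode_logon_hours(6, 18, -2)
    sample_day = date(2005, 11, 7)  # constructed date
    print("sambaLogonHours:", value)
    print("GMT check  :", passing_local_hours(value, sample_day, -2, "gmt"))
    print("local check:", passing_local_hours(value, sample_day, -2, "local"))
```

With the GMT comparison the window is 06:00 to 18:00 local as the administrator intended; with the local-time comparison it slides to 08:00 to 20:00, which is the two-hour delay described in the thread.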
Re: [Samba] Samba3 Limitations?
Hi,

Gerald (Jerry) Carter ([EMAIL PROTECTED]) wrote:
>
> Carlos Eduardo Pedroza Santiviago wrote:
>
> | - User Rights and Privileges: This is kinda new in latest
> | Samba release, 3.0.11, but doesn't implement yet
> | all NT4 functionalities. Specifically here, they use the privileges
> | called "Log on as a service" and "Logon as a batch
> | job", and the others, too. I am not a NT4 master, but AFAIK,
> | this can be changed to local policies (in windows machines,
> | 2003 atm) instead of using the Domain ones. Am i right?
>
> Windows privileges are local to the machine on which they are assigned.
> The privileges assigned on the Samba host have no relation to
> privileged on the local clients.

Yeah, but through "User Manager->Policies->User Rights". Aren't that rights supposed to work with all domain computers?

>
> | - Local groups: AFAIK, NT4 Admins used them to ease the
> | administration of permissions ACLs, but how implement it
> | using Samba3+OpenLDAP? Or the only way is to change all
> | the local groups to domain groups and redo the acl stuff?
> | (the ntadmins will cry)
>
> Local groups on domain members ? or domain local groups on
> the DC's. I'm not sure exactly what you are asking for here.
> You can have domain local groups using the group mapping
> functionality, but IIRC domain local groups (in nt4) are only
> available between DC's.

Domain local groups, which could be created using User Manager? ("User->New local group"). So samba implements that via group mapping (idmap with ldap backend?)?

Thanks!

--
Carlos Eduardo Pedroza Santiviago - Tel: 0xx45 5206359/6608
Visit: http://www.psl-trinacional.org
[Samba] Samba3 Limitations?
Hi,

Recently, i worked in a pilot project to migrate a NT4 Domain to Samba3 + OpenLDAP. They have a quite large user base, approx. 2500 accounts, plus approx. 1800 groups, which 200 are local groups. Unfortunately, we faced some problems, and i'd like to know if anyone has faced them too, and how overcame them:

- User Rights and Privileges: This is kinda new in latest Samba release, 3.0.11, but doesn't implement yet all NT4 functionalities. Specifically here, they use the privileges called "Log on as a service" and "Logon as a batch job", and the others, too. I am not a NT4 master, but AFAIK, this can be changed to local policies (in windows machines, 2003 atm) instead of using the Domain ones. Am i right?

- Local groups: AFAIK, NT4 Admins used them to ease the administration of permissions ACLs, but how implement it using Samba3+OpenLDAP? Or the only way is to change all the local groups to domain groups and redo the acl stuff? (the ntadmins will cry)

Thanks,