Re: [Samba] Winbind nested groups not working

2007-01-18 Thread Joshua Penix

On Jan 18, 2007, at 6:54 AM, Gerald (Jerry) Carter wrote:


> The nest group functionality is for a local BUILTIN\Administrators
> or MACHINE\localgrp type of group.  The patch in question I was
> referring to was to expand local group membership in getgrnam().
> These are different things.  Not sure which one you are looking for
> if either.


Hrm, then I'm not quite sure either.  Here's the goal --

Samba is acting as a member file server in an AD domain.  In addition  
to the domain containing Samba, there are two other domains in the AD  
forest.  All three domains have full trust between them.  Each domain  
has a Global Security Group called ACAD_ENGR.  Samba sees them as
DOM1+ACAD_ENGR, DOM2+ACAD_ENGR, and DOM3+ACAD_ENGR.  I'd like members  
from all three groups to have write access to a particular  
directory.  This needs to be done with filesystem permissions, not  
share permissions, because underneath each directory there are  
further subdirectories that have varying access rights matched to  
other groups in the three domains.


Thoughts?  Is this possible with Samba?

Under Windows there would be two ways to achieve it:

1) Assign all three ACAD_ENGR groups rights to each folder.  In  
theory, this could be achieved in Linux by using ACLs.  But it is not  
an easily manageable solution - should we add a fourth domain, we  
would have to go back and add it to every folder.


2) In the domain where the files are actually hosted, create a Domain  
Local group and then add the ACAD_ENGR groups from each domain to  
it.  Then assign rights on the filesystem to the single Domain Local  
group.  This is considered the best practice - down the road,  
adding or removing access is as simple as a group membership change.


Number 2 is what I'm trying to do, but Samba doesn't seem to allow  
it.  I cannot see the Domain Local group through wbinfo -g.  I  
*can* explicitly pull its ID with getent group DOM1+localgroup, but  
it shows as having no members.  Since getent sees it, I can assign it  
as group owner of a directory, but Samba will not let any of the  
members have access.


Am I just doing something wrong?

--
Joshua Penix    http://www.binarytribe.com
Binary Tribe   Linux Integration Services  Network Consulting


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
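
Option 1 in the message above (a separate ACL entry for each domain's ACAD_ENGR group on every folder) is hard to keep consistent. As an added example that is not part of the original post, the following Python parses `getfacl` output and reports directories where one of the domain groups lacks a write entry; the sample output, paths and function names are constructed for illustration.

```python
# Constructed sample of `getfacl -R` output (not from the original post).
SAMPLE = """\
# file: srv/engr
# owner: root
# group: root
user::rwx
group::r-x
group:DOM1+ACAD_ENGR:rwx
group:DOM2+ACAD_ENGR:rwx
group:DOM3+ACAD_ENGR:rwx
mask::rwx
other::---

# file: srv/engr/projects
# owner: root
# group: root
user::rwx
group::r-x
group:DOM1+ACAD_ENGR:rwx
group:DOM2+ACAD_ENGR:r-x\t#effective:r-x
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return {path: {group_name: perms}} for named group access entries."""
    acls, path = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            acls[path] = {}
        # Drop header lines and trailing "#effective:" comments, then split.
        fields = line.split("#", 1)[0].strip().split(":")
        # Keep group:<name>:<perms>; skip group:: and default:group:... entries.
        if path and len(fields) == 3 and fields[0] == "group" and fields[1]:
            acls[path][fields[1]] = fields[2]
    return acls

def missing_write(acls, domains, group="ACAD_ENGR", sep="+"):
    """Map each path to the domain groups that have no write ('w') entry."""
    report = {}
    for path, groups in acls.items():
        gaps = [d + sep + group for d in domains
                if "w" not in groups.get(d + sep + group, "")]
        if gaps:
            report[path] = gaps
    return report

print(missing_write(parse_getfacl(SAMPLE), ["DOM1", "DOM2", "DOM3"]))
```

Passing a fourth domain name in `domains` flags every directory in the sample, which is the maintenance cost the message describes for this approach.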


[Samba] Winbind nested groups not working

2007-01-15 Thread Joshua Penix

Is the winbind nested groups functionality not currently working in  
Samba 3.0.23d?  The readme files seem to indicate it should be (since  
3.0.3), but then this message by Jerry to the list...


http://groups.google.com/group/linux.samba/msg/5ecc575f70af3c8c

...seems to indicate that there's some patch waiting for 3.0.24.   
Unfortunately he's not specific as to what it solves.


I've actually tried it with the 3.0.10 that comes with RHEL4, 3.0.23d  
straight from Samba.org, and 3.0.22 from Ubuntu on three different  
servers.  I have no trouble getting winbind talking to AD on any of  
them, but all of them absolutely refuse to resolve membership of  
anything nested in a local group.


My smb.conf is as follows:

[global]
workgroup = DOM1
realm = DOM1.DOMAIN.COM
security = ADS
password server = 192.168.1.37 192.168.1.33
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
winbind nested groups = yes
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = no
allow trusted domains = yes

The goal is to create a local group on DOM1 that contains a global  
group of users from DOM1 as well as a global group from trusted  
domain DOM2.  I'd like to assign rights to the local group, and  
therefore allow anyone in either of the global groups access.


Am I just missing something?

--
Joshua Penix    http://www.binarytribe.com
Binary Tribe   Linux Integration Services  Network Consulting

