On Jan 18, 2007, at 6:54 AM, Gerald (Jerry) Carter wrote:
The nest group functionality is for a local BUILTIN\Administrators
or MACHINE\localgrp type of group. The patch in question I was
referring to was to expand local group membership in getgrnam().
These are different things. Not sure which one you are looking for
if either.
Hrm, then I'm not quite sure either. Here's the goal --
Samba is acting as a member file server in an AD domain. In addition
to the domain containing Samba, there are two other domains in the AD
forest. All three domains have full trust between them. Each domain
has a Global Security Group called ACAD_ENGR. Samba sees them as DOM1
+ACAD_ENGR, DOM2+ACAD_ENGR, and DOM3+ACAD_ENGR. I'd like members
from all three groups to have write access to a particular
directory. This needs to be done with filesystem permissions, not
share permissions, because underneath each directory there are
further subdirectories that have varying access rights matched to
other groups in the three domains.
Thoughts? Is this possible with Samba?
Under Windows there would be two ways to achieve it:
1) Assign all three ACAD_ENGR groups rights to each folder. In
theory, this could be achieved in Linux by using ACLs. But it is not
an easily manageable solution - should we add a fourth domain, we
would have to go back and add it to every folder.
2) In the domain where the files are actually hosted, create a Domain
Local group and then add the ACAD_ENGR groups from each domain to
it. Then assign rights on the filesystem to the single Domain Local
group. This is considered the best practice - down the road,
adding or removing access is as simple as a group membership change.
Number 2 is what I'm trying to do, but Samba doesn't seem to allow
it. I cannot see the Domain Local group through wbinfo -g. I
*can* explicitly pull its ID with getent group DOM1+localgroup, but
it shows as having no members. Since getent sees it, I can assign it
as group owner of a directory, but Samba will not let any of the
members have access.
Am I just doing something wrong?
--
Joshua Penixhttp://www.binarytribe.com
Binary Tribe Linux Integration Services Network Consulting
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba