
[Samba] Q: winbind, local groups and domain user membership?


Albrecht Dreß

Apr 29, 2005, 3:13:55 AM
Hi,

I run a Fedora 2 box with Samba 3.0.10 as a domain member. The PDC is a
Win server with AD.

Running winbind, all domain users and groups are visible on the Samba box.

To grant a special group of domain users access to parts of a samba
share, I would like to

- add a *local* group on the samba box (*not* in AD!) and
- add some *domain* users to this new group.

Unfortunately the trick of adding a local unix group doesn't work as
samba apparently doesn't take them into account, so I guess I have to
add the group to winbind. However, the wbinfo man page only describes
how I could add a local user to a local group, not a domain user.

Maybe I'm just too dumb to understand the man pages - any advice how to
get this setup working would be really welcome!

Cheers,
Albrecht

--
LIOS Technology GmbH
Dr. Albrecht Dreß
Project Engineering / Software Design
Schanzenstrasse 6 - 20
D-51063 Köln
Germany

Phone +49 221 676 2742
Fax +49 221 676 2069

Joris De Pooter

Apr 29, 2005, 6:14:14 AM
Albrecht Dreß wrote:

> Hi,
>
> I run a Fedora 2 box with Samba 3.0.10 as a domain member. The PDC is
> a Win server with AD.
>
> Running winbind, all domain users and groups are visible on the Samba
> box.
>
> To grant a special group of domain users access to parts of a samba
> share, I would like to
>
> - add a *local* group on the samba box (*not* in AD!) and
> - add some *domain* users to this new group.
>
> Unfortunately the trick of adding a local unix group doesn't work as
> samba apparently doesn't take them into account, so I guess I have to
> add the group to winbind. However, the wbinfo man page only describes
> how I could add a local user to a local group, not a domain user.
>
> Maybe I'm just too dumb to understand the man pages - any advice how
> to get this setup working would be really welcome!
>
> Cheers,
> Albrecht
>

To manipulate a domain user, you have to use its FQN (fully qualified
name):
assuming you have a domain called CRAPULE and a user called brigand, and
the winbind separator = + (in smb.conf)
then its name is CRAPULE+brigand

--
Joris De Pooter

Albrecht Dreß

Apr 29, 2005, 6:32:15 AM
Joris De Pooter wrote:

> To manipulate a domain user, you have to use its FQN (fully qualified
> name):
> assuming you have a domain called CRAPULE and a user called brigand, and
> the winbind separator = + (in smb.conf)
> then its name is CRAPULE+brigand

That doesn't work for me:

[root@srv-lios2 root]# wbinfo -C local-special-group
[root@srv-lios2 root]# wbinfo -o DOMAIN_user:local-special-group
Could not add user to group

The messages don't contain any further error information. I am sure,
though, that the group has been created, as trying to add it again
results in an error message there.

Thanks,
Albrecht


Joris De Pooter

May 2, 2005, 6:44:19 AM
Albrecht Dreß wrote:

> Joris De Pooter wrote:
>
>> To manipulate a domain user, you have to use its FQN (fully
>> qualified name):
>> assuming you have a domain called CRAPULE and a user called brigand,
>> and the winbind separator = + (in smb.conf)
>> then its name is CRAPULE+brigand
>
>
> That doesn't work for me:
>
> [root@srv-lios2 root]# wbinfo -C local-special-group
> [root@srv-lios2 root]# wbinfo -o DOMAIN_user:local-special-group
> Could not add user to group
>
> The messages don't contain any further error information. I am sure,
> though, that the group has been created, as trying to add it again
> results in an error message there.
>
> Thanks,
> Albrecht
>

Oops, I thought you wanted to create a local unix group.
Why not consider this option?

--
Joris De Pooter

Albrecht Dreß

May 3, 2005, 7:27:42 AM
Joris De Pooter wrote:

> Oops, I thought you wanted to create a local unix group.
> Why not consider this option?

That's not possible - local UNIX user groups are ignored when using
AD/winbind authentication.

Cheers, Albrecht.

