[svlug] User directory shares with Samba, Winbind, and Win2k domain

Richard Sharpe rsharpe at ns.aus.com
Wed Jul 31 14:24:02 PDT 2002


On Wed, 31 Jul 2002, Robert Hajime Lanning wrote:

> ---- As written by Daniel Curry:
> > I would like to recreate this, but am not certain how to, considering the
> > combination of Win2k Domain groups and users with unix/linux users and
> > groups.

I did not notice the original message, so I am responding here.
 
> Samba does an SUID call to switch to the user that the connection was
> authenticated as.  So, you will need to create the groups (/etc/group)
> that mimic the NT Domain groups and make the propper users a member of
> the groups.

While I am sure that Robert did not mean that Samba is SUID, I thought 
that I would inject a small clarification here. smbd does a 
setreuid/setregid as needed to become the user and assume the groups that 
the user is in when performing file operations.

> Then you will need to chgrp the shared directory to the group that needs
> access.  Also, setting the SGID bit on the directory would be a good
> idea.  If you need multiple groups to have access then you will need to
> just open up the permissions on the directories and handle it all in the
> smb.conf entries.

Since you mention Domain groups and winbindd, this is complicated by the 
SID to UID/GID translation stuff that winbindd does and smbd interacts 
with winbindd as needed.

You might be better off to use Samba-3.0alpha18, since it allows, AFAIK, 
mapping of UNIX groups to domain groups.

You might also consider using the ACL stuff from acl.bestbits.at, as that 
can make for more flexible permissions at time, and combined with 
winbindd, it is neat to see DOMAIN\user or DOMAIN\group when you setfacl a 
file with a domain group or user.

> Then edit your smb.conf, for each share you will need to give the propper
> rights for the groups.
> 
> Share rights:
> 
> force create mode = 0775
> force directory mode = 2775
> read list = @readonlygroup
> write list = @writeonlygroup
> valid users = @readonlygroup, @writeonlygroup
> 
> This is only to start.  There are a lot of tweaks that can be done.
> 
> 

-- 
Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org, 
sharpe at ethereal.com




More information about the svlug mailing list