Samba domain member server (DMS) group permissions in network with a Samba PDC
Background:
About 18 months ago, we successfully replaced our w2k server running active directory with a linux server (debian-woody, now sarge) running samba (3.0.14) to serve as our PDC. We are a small shop with less than 10 WinXP clients authenticating against the PDC. The server provides home directories for each user and a couple of shares. We are using /etc/passwd for the passdb backend.
Challenge:
As simply as possible, we want to migrate all the samba shares from the samba PDC to a samba domain member server that has more storage than the existing PDC. We want to continue to authenticate against the existing PDC with the unix user and group credentials getting passed through to the domain member server to control access to the samba shares on the domain member server.
Approach:
I followed the instructions in section 7.3.2 in Samba-3 by Example to add a samba domain member server using NSS and Winbind, which can be found here: my.samba.org/samba/docs/man/Samba-Guide/unixclients.html
Also, I looked at:
us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/FastStart.html
us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/FastStart.html
To test my setup, I created one share on the new member server with the same name as one of the shares to be migrated from the PDC.
From the command line on the member server, when I touched a file and tried to change the owner to one of the users from the PDC, it worked.
However, from the command line on the member server, when I tried to change the group to a group on the PDC, it failed.
Problem:
-From my WinXP clients, I can modify and save the existing file, but I cannot create any new folders or files. The share is set up with 775 permissions.
-How do I get the PDC to pass through group permissions to the member server?
-Given that we do not have a w2k server providing any authentication and we do not use windows groups to control access to resources or shares, should I even be using samba at all on the domain member server? I assumed that if I wanted to provide visibility to WinXP clients that I needed to.
Configuration for Domain Member Server:
-winbind is running on the domain member server only
-nscd is not installed, so it is not running
-have not set a password for wbinfo yet
nsswitch.conf
passwd: files winbind
group: files winbind
shadow: files winbind
hosts: files dns winbind
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
smb.conf
[global]
workgroup = myworkgroup
netbios name = dms1
security = domain
encrypt passwords = yes
;username map = /etc/samba/smbusers
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10000
smb ports = 139
name resolve order = wins bcast hosts
wins server = 192.168.168.10
password server = fileserver0
os level = 245
idmap uid = 10000-20000
idmap gid = 10000-20000
template primary group = "Domain Users"
template shell = /bin/bash
;winbind separator =
allow hosts = 192.168.168. 192.168.3.
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
[homes]
comment = Home Directories
browseable = yes
writeable = yes
invalid users =
create mode = 700
directory mode = 700
hide dot files = no
[pub]
comment = Public share
browseable = yes
writeable = yes
invalid users =
create mode = 775
directory mode = 775
path = /home/pub
follow symlinks = no
net groupmap list | sort
Account Operators (S-1-5-32-548) -> -1
Administrators (S-1-5-32-544) -> -1
Backup Operators (S-1-5-32-551) -> -1
Domain Admins (S-1-5-21-2085308812-1240886966-3975267953-512) -> -1
Domain Admins (S-1-5-21-3011377730-1923039063-3553163437-512) -> -1
Domain Admins (S-1-5-21-3674331429-3500157320-2370650088-512) -> -1
Domain Admins (S-1-5-21-443014615-1857750776-3794749928-512) -> -1
Domain Guests (S-1-5-21-2085308812-1240886966-3975267953-514) -> -1
Domain Guests (S-1-5-21-3674331429-3500157320-2370650088-514) -> -1
Domain Guests (S-1-5-21-443014615-1857750776-3794749928-514) -> -1
Domain Users (S-1-5-21-2085308812-1240886966-3975267953-513) -> -1
Domain Users (S-1-5-21-3011377730-1923039063-3553163437-513) -> -1
Domain Users (S-1-5-21-3674331429-3500157320-2370650088-513) -> -1
Domain Users (S-1-5-21-443014615-1857750776-3794749928-513) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Replicators (S-1-5-32-552) -> -1
System Operators (S-1-5-32-549) -> -1
Users (S-1-5-32-545) -> -1
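The `net groupmap list` output above shows every entry with a Unix GID of -1, and the same domain group names (Domain Admins, Domain Guests, Domain Users) listed under four different domain SIDs. The script below is an added example, not code from the original post or from the Samba project: it parses that output format together with the `idmap gid = lo-hi` line from smb.conf and reports the entries that have no GID, the group names that appear under more than one domain SID, and any mapped GID that falls inside the winbind allocation range, so the same checks can be repeated on a member server. The sample data reuses lines from the post; the `staff` and `localadm` entries and the `S-1-5-21-1-2-3` domain SID are constructed placeholders.

```python
"""Check Samba group mappings from `net groupmap list` against smb.conf.

Added example, not code from the original post. Parses "Name (SID) -> gid"
lines and the `idmap gid = lo-hi` setting, then reports conditions worth
reviewing before expecting group permissions to work on a member server.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# "<name> (<sid>) -> <gid>"; a gid of -1 means no Unix group is assigned.
GROUPMAP_LINE = re.compile(
    r"^(?P<name>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<gid>-?\d+)\s*$")
# "idmap gid = 10000-20000" as written in the post's smb.conf
IDMAP_GID_LINE = re.compile(
    r"^\s*idmap gid\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.MULTILINE)
BUILTIN_DOMAIN = "S-1-5-32"  # BUILTIN groups such as Administrators, Users


@dataclass(frozen=True)
class GroupMapping:
    name: str
    sid: str
    gid: int

    @property
    def domain_sid(self) -> str:
        """SID without its trailing RID, i.e. the issuing domain."""
        return self.sid.rsplit("-", 1)[0]

    @property
    def is_builtin(self) -> bool:
        return self.domain_sid == BUILTIN_DOMAIN

    @property
    def is_unmapped(self) -> bool:
        return self.gid < 0


def parse_groupmap(text: str) -> list[GroupMapping]:
    """Parse every well-formed groupmap line; other lines are ignored."""
    result = []
    for line in text.splitlines():
        m = GROUPMAP_LINE.match(line.strip())
        if m:
            result.append(GroupMapping(m["name"], m["sid"], int(m["gid"])))
    return result


def parse_idmap_gid_range(smb_conf: str) -> tuple[int, int] | None:
    """Return (lo, hi) from `idmap gid = lo-hi`, or None if absent/invalid."""
    m = IDMAP_GID_LINE.search(smb_conf)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def audit(mappings: list[GroupMapping],
          gid_range: tuple[int, int] | None) -> dict:
    """Summarise unmapped entries, multi-SID names and idmap-range collisions."""
    unmapped = sorted((m for m in mappings if m.is_unmapped),
                      key=lambda m: (m.name, m.sid))
    sids_by_name: dict[str, set[str]] = defaultdict(set)
    for m in mappings:
        if not m.is_builtin:
            sids_by_name[m.name].add(m.domain_sid)
    multi_domain = {n: sorted(s) for n, s in sids_by_name.items() if len(s) > 1}
    in_range = []
    if gid_range is not None:
        lo, hi = gid_range
        in_range = [m.name for m in mappings
                    if not m.is_unmapped and lo <= m.gid <= hi]
    domain_sids = sorted({m.domain_sid for m in mappings if not m.is_builtin})
    return {"unmapped": unmapped, "multi_domain": multi_domain,
            "in_idmap_range": in_range, "domain_sids": domain_sids}


# Lines 1-8 are from the post; the last two (and the S-1-5-21-1-2-3 domain
# SID) are constructed placeholders for a mapped local group.
SAMPLE_GROUPMAP = """\
Administrators (S-1-5-32-544) -> -1
Users (S-1-5-32-545) -> -1
Domain Admins (S-1-5-21-2085308812-1240886966-3975267953-512) -> -1
Domain Admins (S-1-5-21-3011377730-1923039063-3553163437-512) -> -1
Domain Admins (S-1-5-21-3674331429-3500157320-2370650088-512) -> -1
Domain Admins (S-1-5-21-443014615-1857750776-3794749928-512) -> -1
Domain Users (S-1-5-21-2085308812-1240886966-3975267953-513) -> -1
Domain Users (S-1-5-21-3011377730-1923039063-3553163437-513) -> -1
staff (S-1-5-21-1-2-3-1001) -> 12000
localadm (S-1-5-21-1-2-3-1002) -> 500
"""
SAMPLE_SMB_CONF = "[global]\n    idmap uid = 10000-20000\n    idmap gid = 10000-20000\n"

if __name__ == "__main__":
    report = audit(parse_groupmap(SAMPLE_GROUPMAP),
                   parse_idmap_gid_range(SAMPLE_SMB_CONF))
    print(f"{len(report['unmapped'])} entries have no Unix GID")
    for name, sids in report["multi_domain"].items():
        print(f"{name!r} appears under {len(sids)} domain SIDs")
    print("mapped inside idmap gid range:", report["in_idmap_range"])
```

Run against real output by piping `net groupmap list` into a file and replacing SAMPLE_GROUPMAP with its contents; a group that chgrp cannot resolve will normally show up here as unmapped, and a name under several domain SIDs indicates stale entries left behind when the domain SID changed.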