[Fedora-directory-users] Question regarding FDS and Samba Integration re: group security

Jeff Gamsby JFGamsby at lbl.gov
Thu Jun 8 21:33:09 UTC 2006


Your question is probably more suited for the Samba mailing list, but 
this may be of some help.

Make sure that your configuration is working properly and do a `getent 
group`; you should see your LDAP groups.

/usr/local/samba/bin/net groupmap add ntgroup="%g" unixgroup="%g" should 
do the group mappings.

There are smb-ldap-tools, which are Perl scripts that should automate 
this for you. You can also use the NT4 svrmgr tools to do this.

In my setup, to get permissions to work right this is what I do:

[share]
     comment = Share
     path = /u0/samba/share
     read only = no
     valid users = @group
     write list =  @group
     force group = +group
     create mode = 000
     force create mode = 770
     directory mask = 770

Run 'id' as an LDAP user. It should show you group membership. Try from 
the Windows side.


timmmyyy at mts.net wrote:
> Greetings,
>
> I have been a Linux user for some time, but have only recently started working with LDAP after hearing about the Fedora Directory Server.  I have been using it primarily with integration into Samba as a replacement for Active Directory, and it has been working well thus far.  I have deployed a server into a production environment, and it's working great.
>
> I followed the howto for Samba found on the main page, and the server is set up in this way.
>
> My question though relates to group security.  Since I wish to delegate access to files on the Samba fileserver via group membership, how can I accomplish this using FDS and Samba?  Am I able to create a group using the Admin Console, add the user accounts to be members of the group, and then set security on shares based on group?  Or is there a specific procedure to follow?  I'm becoming fairly versed at Samba, but LDAP is still quite new to me.  Obviously the more I can do using the Admin Console, the happier I and my customers are.
>
> I have tried creating a share in samba, allowing only access to the group that I created in the directory, then adding a user to that group, but the user is unable to access the share, as samba doesn't seem to be aware of the group created in the directory.
>
> A bit of searching has told me that Samba wants the group to be a posix group, or to exist in the /etc/group file on the system.  Several LDAP/Samba howtos have also suggested at needing to run a net groupmap command to map the LDAP group to a posix id.  This makes sense, as in the Fedora howto this is necessary to create the well-known groups which users are added to later on, but then how is group membership managed?  The well-known groups that are created during the initial howto appear differently in the administration console, and double clicking them only opens the advanced properties, and not the ability to add additional members to the group.
>
> I apologize for any parts that don't make sense, but hopefully someone will catch what I'm actually meaning and be able to offer some help.  If any more information is required, please ask, and I will gladly provide.
>
> Tim Friesen
>   
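
The first two steps of the reply above (confirm the LDAP groups show up in `getent group`, then run one `net groupmap add` per group), as an added example that is not part of the original message. The function names, the GID threshold of 1000 and the sample group lines are assumptions made for illustration; the commands are printed for review and not executed.

```shell
#!/bin/sh
# Added example: turn `getent group` output into reviewable
# `net groupmap add` commands and check group membership.

# groupmap_cmds MIN_GID
# Reads group(5) lines (name:passwd:gid:members) on stdin and prints one
# mapping command per group whose GID is at or above MIN_GID.
groupmap_cmds() {
    awk -F: -v min="$1" '
        # skip malformed lines and local/system groups below the threshold
        NF >= 3 && $3 ~ /^[0-9]+$/ && $3 + 0 >= min + 0 {
            # refuse names that would break out of the quoted argument
            if ($1 !~ /^[A-Za-z0-9._ -]+$/) {
                printf "# skipped unsafe name, gid %s\n", $3
                next
            }
            printf "net groupmap add ntgroup=\"%s\" unixgroup=\"%s\"\n", $1, $1
        }'
}

# is_member USER GROUP
# Reads group(5) lines on stdin; succeeds only if USER is listed as a
# supplementary member of GROUP (primary-group membership is not checked).
is_member() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit !found }'
}

# Constructed sample standing in for real `getent group` output.
SAMPLE='root:x:0:
wheel:x:10:root
staff:*:5001:alice,bob
finance:*:5002:carol
bad"name:*:5003:eve'

# On a live system: getent group | groupmap_cmds 1000
printf '%s\n' "$SAMPLE" | groupmap_cmds 1000
```

If a user passes `is_member` for a group but is still refused by a share with `valid users = @group`, compare against the output of `id` for that user, since that is the membership the server actually resolves.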



