for what I know, ADS is a new kind of M$ made security : security by complexity. Mean this damn thing is so dark, creepy and badly documented that any evil hacker will get discouraged by it and so won't try to hack it (that's what M$ staff think at least).
So if you spend 4 days ONLY to make it works, using Samba (call Micro$oft, they will prolly try to convince you that ADS will never work with samba and that you need a Windoze 2003 server), you are a very good sysadmin lol.
So I voted "somewhat complex"

If you were here I would give you a big kiss....not really, but I express my sincere gratitude for this post. I have lost hair and what was left turned gray over this topic. Through this post and some black magic I finally had success.

To those still having some problems, I had to do one more thing that I found a book titled "The Official SAMBA-3 HOWTO and Reference Guide" on page 168. From a Windows 200x or XP Pro, connect to the share using netbiosname\root (example: fedora\root) and the root password. Find the Samba server through the Computer Management console. Go to the Shared Folders and then double click on the share. Click the Share Permissions tab and then add the desired user or group for access control entities. After that I was successful with an ADS account.

yes, i think the answer is in this thread, up to the reader to make heads or tails

I thought I had everything working correctly. ADS authenication seems to work somewhat but I am having some issues that I was hoping someone can point me in the right direction.

"wbinfo -u and -g," and "net group" both show the correct information. For an example...I have a directory called test. If I assign the group root or Domain Admins, I do not have access to the directory using an account that is a member of Domain Admins. The only way i can get it to work is assign the group Domain Users to the directory. But needless to say everybody has permission. It seems to assume that all users are only a member of the Domain Users and nothing else.

Any help given would be greatly appreciated.

did you edit your /etc/nsswitch.conf and /etc/samba/smbusers files and restart smb?

Yes. I am hopeing this is not a limitation of Linux, I really want to replace some Windows fileservers. Samba seems to only recognize one group for each user. It basis the group on the users primay group in AD. Example: if i have a directory called test with the group permission set to Domain Admins and and attach with a user who is in the group Domain Admins, he will not have access. If I change the users primary group to Domain Admins and resart Samba he can then access the directory. However he will not be able to access directories that have the group Domain Users, because that is no longer his primary group. If I open SWAT and look at the Status I see that it tags one group to the user that is accessing the share.

Is this just the way it is or is there a work-around? This is a huge stepback for me if it is. Am I also wrong in assuming that I can only add one group per directory?

Well, it's with SAMBA just like with WINDOWS - you better wait for the next version The 3.0.2a has a (bad) bug with secondary groups, they are ignored if the option "winbind use default domain" is set to "yes" (and this way switching off the own domain is enforced). Latest Pre has this bug fixed among others, but is not (yet) recommended for production systems....
For the stable version it helps to disable the default domain, and after a restart of the winbind-deamon (and maybe SAMBA too) it honoures all groups the user is member of. Just tested successfully with a W2K-server and a Mandrake 9.2 with SAMBA 3.0.2a as client - it works like a charm: Locked out user's primary group (Domain Users) completely by ACL and enabled full access to the 3rd group the user is member of (a global group). Result: I'm able to create new folders and documents within the changed folder, granted by the additional group.

Another hint for all (future...) SAMBA+Winbind+ADS-Users: When using the Linux/UNIX "id" to lookup group membership (in addition to "net user info <name>") write the name exactly the same way it is listed in the AD, just one letter spelled wrong (upper-/ lowercase) returns only the primary group....

ciao

Michael

Looking at the steps you folks have followed to make this work it seems I'm missing the info in the smbusers file. Exactly what needs to be done with this file?

Thanks

do yourself a huge favor and just buy the book i mentioned in my earlier post. everything you need is in there. i just got my copy, and it's a great book to have. and it explains this ADServer/Samba hell in great detail in Chapter 9.

as far as your question's answer, it's in this thread, you just have to read it.

Thank you HackThor for the information. I will give that a try as the workaround. I work for a medium sized company and really need the differnet groups to work. I also have a need for many different people to have different access to the same areas. This is where it has been a little challenging since Linux only has one user/group/others for permissions. But this will get me going again.

Thanks again Harry...I will go buy the book today. I bought what I thought was the book you were mentioning, but i click on the link and the cover is different. Mine is "The Official Samba 3", written by the same people but I guess this one is more up todate and with more information on the areas I need.

Sam

buy it if you like, but you can download it for free at samba.org. it is 748 pages in pdf format. http://us1.samba.org/samba/docs/Samb...Collection.pdf

trust me, it is plenty confusing, although it is a good technical reference, it is definitely not my idea of a "howto".

however, i did just place an order at amazon for Samba 3: By Example ... by John Terpstra. same guy wrote both books, but this one is supposed to be the cookbook.

we will see.

I've been looking into converting a couple of file servers from Windows -> Linux.

From what I've heard you can use ACL to control permissions on the files and directories on the SAMBA server, against users in the windows AD.

The only problem is that this is disabled in the default build and rpm's.
Trying to build samba with with acl, winbind, ldap and kerberos seems to work not all.

Is this wrong?
Is there way to configure user and group permissions without the acl support in SAMBA 3.0.2a (or 3.0.3) that has just been released, or are you just linking windows groups against a linux group?

// Henrik, Sweden.

From what I have experienced you only user ACL to set the share access. Once in the share you use Linux, Kerberos, or LDAP. I am using Kerberos and I don't need to map groups to windows groups. I can actully see all the AD groups from my Linux box and add the AD groups and users directly. I was having a probem getting Samba see all the AD groups that a user was a member. It only wanted to use the users primary AD group. This was a bug and was fixed in the beta version 3.0.3pre2.

Sam

Cheers for the thread, I'm about to do the same thing (win > nix fileserver), you've saved me a lot of aggro.

I tried to do this with Suse 9.0 for 3 months and failed, now since Suse 9.1 comes with Samba 3.0.2a I try again since some days, and I think I am quite cloth.
I can join the domain
I can run a wbinfo -u works correct
I can run a kinit and it works
at the logon screen I see all my domainusers but as soon I try to login as a domainmeber I get an error says X-session login is disabled
but from any MS machine I can use this profile. I am afraid this has to do with pam but I do not know much about it, may be somebody can help
cause of I start dreaming of smb.conf