[TriLUG] Group Samba authentication

Jon Carnes jonc at nc.rr.com
Mon Jul 14 22:19:45 EDT 2003


On Mon, 2003-07-14 at 20:18, Chris Bullock wrote:
> I have a quick question about authentication of samba shares.  If you can tell 
> samba to look at an NT server for user authentication why can't you tell it 
> to look at that same server for group authentication or can you?  I have an 
> NT domain that has several groups defined but since we have all our file 
> sharing on Samba servers the groups serve no purpose.  Every time you create a 
> samba share, you have to create a group on the local machine and edit the 
> group file so that the appropriate people have access to the group files.  I 
> know that maybe LDAP is possibly an answer but we are not using that for 
> domain authentication, so does anyone have any suggestions?
> TIA
> --cgb

Yup, this is a bit of a PITA. You end up maintaining groups on two
Authentication domains.  There are actually migration tools that will
let you automate moving (or keeping up-to-date) the groups between the
two systems.

My preferred route is to move the Windows servers in question over to
Linux/Samba servers and then use something like NIS to export the Unix
groups to the other servers.  That way you are only dealing with one
Authentication Domain.

At my former employer, I couldn't move every server over to Linux/Samba,
but I could centralize the fileserver aspects of all the departmental
servers to one very large very redundant Linux server running Samba.
This simplified management and allowed several questionably licensed
servers to be moved over to workstation status.

The savings to the company were substantial enough that even now they
run that 6-year-old mega-server as their main fileserver (and the new
admin hates Linux).

Jon "let's shift the paradigm" Carnes



