Zimbra/Samba PDC: putting users in multiple groups

[ajayrockrock]

Is there a way to put a user in multiple Samba Groups? We're a small company so thus people wear many hats and I have a guy in the Admin group and the Accounting group. The "UNIX" way would be to just throw him in each group and be done with it. But I'm not sure how to do it via the Zimbra Admin interface...

--Ajay

[RevDarkman]

Anyone figured this one out?

I've got ZCS with CentOS and Samba working! ALso managed to getr user home directories created to a fashion.

I would like to add users to multiple groups.

I assumed that smbldap-groupmod would do it but I get some bizarre replies from that....

Code:

[root@mailserver ~]# smbldap-groupshow NVQ
dn: cn=NVQ,ou=groups,dc=sipcymru,dc=co,dc=uk
objectClass: posixGroup,sambaGroupMapping
cn: NVQ
[root@mailserver ~]#

As you can see it sees the group NVQ, but when I try to add a user to that group...

Code:

[root@mailserver ~]# smbldap-groupmod -m "ifan" "NVQ"
/usr/sbin/smbldap-groupmod: group NVQ not found!

...it can't find the group!

Anyone else crack this yet? I assume if I had some kind of LDAP browser that I could manually add as described in this link...

Re: [Samba] Samba / OpenLDAP and groups

Other than that I'm pretty happy with this and I'ts going live in a couple of weeks to replace an aging postfix/dovecot box!

[chimaster]

Similar issue. I thought I had everything working fine but managed to hit an issue with multiple groups.


Here is my share

[SLVL1]
writeable = yes
path = /home/groups/SLVL1
force group = SLVL1
valid users = @ITC @Executive @Teachers @Operations @Leadership @SLVL1 @SLVL2
create mode = 0770
public = no
directory mode = 0770
wide links = no


I have two users. joe.student and joe.student2 Joe.student is a member of SLVL1 and joe.student2 is a member of SLVL2. SLVL2 has access to SLVL1 and SLVL2 and SLVL1 has access to SLVL1 only. It appears only users who are a direct member of Force Group = SLVL1 can access the share. It was working during testing, but I made some changes to the group names on request of the client and now its all screwy.

Here is a login attempt with both users.
Student is successful
root@rees:/var/log/samba# smbclient //localhost/SLVL1 -U joe.student
Password:
Domain=[RPS] OS=[Unix] Server=[Samba 3.0.28a]
smb: \>

Student2 is not
root@rees:/var/log/samba# smbclient //localhost/SLVL1 -U joe.student2
Password:
Domain=[RPS] OS=[Unix] Server=[Samba 3.0.28a]
tree connect failed: NT_STATUS_NO_SUCH_GROUP

However, if I remove the force group both users can connect. But... joe.student2 has no rights.

It appears that the NT_STATUS_NO_SUCH_GROUP is referring to the face that student2 is not a member of SLVL1 but a member of SLVL2 which should be allowed and was indeed working.

I've seen some comments regarding Netbios, Winbind etc.. but two things come to mind.

1. I'm using smbclient on the local machine
2. It was working, but I tweaked something or domain logins (which turned out to be un-necessary) but I can't recall.


getent group
ITC:*:10001:
Operations:*:10002:
Leadership:*:10004:
Executive:*:10005:
Shared:*:10006:
Guest:*:10007:
SLVL1:*:10008:
SLVL2:*:10009:
Teachers:*:10010:

root@rees:/var/log/samba# net groupmap list
ITC (S-1-5-21-3037128767-1994040998-2387843127-512) -> ITC
Operations (S-1-5-21-3037128767-1994040998-2387843127-21004) -> Operations
Leadership (S-1-5-21-3037128767-1994040998-2387843127-21008) -> Leadership
Executive (S-1-5-21-3037128767-1994040998-2387843127-21010) -> Executive
Shared (S-1-5-21-3037128767-1994040998-2387843127-21012) -> Shared
Guest (S-1-5-21-3037128767-1994040998-2387843127-514) -> Guest
SLVL1 (S-1-5-21-3037128767-1994040998-2387843127-21016) -> SLVL1
SLVL2 (S-1-5-21-3037128767-1994040998-2387843127-21018) -> SLVL2
Teachers (S-1-5-21-3037128767-1994040998-2387843127-21020) -> Teachers
root@rees:/var/log/samba#

root@rees:/var/log/samba# net rpc group list
Password:
ITC
Operations
Leadership
Executive
Shared
Guest
SLVL1
SLVL2
Teachers


Anyways, stuck and frustrated. Any thoughts? or a better way to manage multiple groups?

[chimaster]

Well four hours later (and two hours after the post) I've nailed it.

Adding Unix Group\ as a prefix to the force group has nailed it.

[SLVL1]
path = /home/groups/SLVL1
valid users = @ITC, @Executive, @Teachers, @Operations, @Leadership, @SLVL1, @SLVL2
force group = "Unix Group\SLVL1"
read only = No
create mask = 0770
directory mask = 0770

YAY Fricken Yay.