This article applies to Red Hat Enterprise Linux 3 and 4 systems and the Samba 3.x.x RPMs available for these releases. Winbind features in previous versions may function differently or not at all.
This article assumes the winbind service is already configured properly and working. Other articles in the Red Hat Knowledgebase contain information on how to configure winbind properly.
Samba is aware of winbind, so winbind-enumerated users and groups can be used anywhere in the Samba configuration file that users and groups can be specified if proper syntax is used.
The following excerpts from an example /etc/samba/smb.conf show how to use winbind-enumerated users and groups in the permissions:
    [global]
    idmap uid = 15000-20000
    idmap gid = 15000-20000
    winbind use default domain = no
    winbind separator = +
    template shell = /bin/bash
    template homedir = /homes/%D/%U

    [share1]
    comment = Non-descript read-only share
    path = /apps
    write list = MYDOMAIN+administrator MYDOMAIN+poweruser

    [share2]
    comment = Backups and Stuff
    path = /data/backups
    valid users = +"MYDOMAIN+Domain Users"
    read only = no
Some notes about the above:
In share1, the domain Administrator and another domain account named poweruser will have write access to the share. Any other user will have read-only access since this is the default condition for a share unless specified otherwise.
In share2, anyone in the domain group Domain Users will have access to the share, and since the share is set 'read only = no', all domain users will have write access to the share.
Since the group name contains a space, the group name needs to be enclosed in double quotes. The '+' symbol in front of the name lets Samba know it is a group name being specified, not just a username.
Files created by domain users on share2 will become owned by the domain user. For example, if a domain user named joe writes the file file1.txt over the share, an ls -l of the directory should show something like this:
    # ls -l /data/backups
    -rw-r--r-- 1 MYDOMAIN+joe MYDOMAIN+Domain Users 1036 Dec 20 2004 file1.txt
As is always the case for Samba, the permissions on the underlying filesystem will also need to allow the intended users to write to the directory. For example, the following chmod and chown commands would set the permissions on the example /data/backups directory to allow domain users to write to the share's top directory:
    # chown MYDOMAIN+administrator:"MYDOMAIN+Domain Users" /data/backups
    # chmod 775 /data/backups
As in the smb.conf file, the entire group name needs to be double-quoted due to the space in the group name. Also be aware that many system functions and software on Linux systems do not understand group names containing spaces, but this does work for filesystem permissions.
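The share1 and share2 access rules described above can be checked mechanically. The following is an added example, not part of the original article or of Samba: a small Python audit that reads the access parameters, splits winbind names on the configured separator, treats a leading '+' as a group marker and keeps double-quoted names with spaces intact. The function names are hypothetical, and it assumes only the parameters used in this article (valid users, write list, read only) and whitespace-separated lists.

```python
import re

# Constructed sample: the article's smb.conf, trimmed to the access parameters.
SAMPLE = """
[global]
    winbind separator = +
[share1]
    write list = MYDOMAIN+administrator MYDOMAIN+poweruser
[share2]
    valid users = +"MYDOMAIN+Domain Users"
    read only = no
"""

def parse_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}, names lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif section is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def parse_principals(value, sep):
    """Split a user list into (kind, domain, name); domain is None if absent."""
    out = []
    # A double-quoted run may contain spaces and still belongs to one token.
    for token in re.findall(r'(?:"[^"]*"|[^\s"])+', value):
        token = token.replace('"', "")
        kind = "group" if token.startswith("+") else "user"  # leading '+' = group
        domain, found, name = token.removeprefix("+").partition(sep)
        out.append((kind, domain, name) if found else (kind, None, domain))
    return out

def audit(text):
    """Per share: who may connect and who may write ('ANY' = no restriction)."""
    conf = parse_conf(text)
    sep = conf.get("global", {}).get("winbind separator", "\\")
    report = {}
    for share, params in conf.items():
        if share == "global":
            continue
        valid = parse_principals(params.get("valid users", ""), sep) or "ANY"
        read_only = params.get("read only", "yes").lower() in ("yes", "true", "1")
        writers = parse_principals(params.get("write list", ""), sep) if read_only else valid
        report[share] = {"connect": valid, "write": writers}
    return report
```

In this parser, the unquoted form +MYDOMAIN+Domain Users comes back as a group named Domain plus a stray user named Users, which is the misparse the double quotes prevent.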
For more information regarding Winbind and Samba configuration, we would recommend the following sources of information: