Cost Control

Nested Groups

On Windows, it is common to collect users on the domain controller in a group and then assign this group to a local group on a file server. The local groups are then granted filesystem permissions. This also works with Samba; the procedure is known as nested groups. To use it, you must have a domain and Winbind must be configured. The steps also include modifying the /etc/nsswitch.conf file as follows:

passwd:    compat winbind
group:     compat winbind

In the [global] section of your smb.conf file, add winbind nested groups **= yes. Afterwards, you can set up nested groups (Listing 12). All of these steps are the responsibility of the domain administrator.

root@samba:~# net rpc group add localgroup -L -Uadministrator
Enter administrator's password:
Added alias 'localgroup'.
root@samba:~# net rpc group addmem localgroup domainusers -Uadministrator
Enter administrator's password:
root@samba:~# net rpc group members localgroup -Uadministrator
Enter administrator's password:
ADMINDOM\Domainusers

The first step uses the -L parameter to create a local group to which the domain groups are then added as members. The second step adds the domainusers group as a member of the localgroup. The third step checks the success. Now, when you assign rights for the filesystem to the local group, all members of the domainusers group also inherit this right for the filesystem. Because Linux does not support nested groups, getent group or wbinfo -g does not show the local group. All actions concerning the group need the net rpc group command.

An LDAPsam Back End

As promised, I will now look at configuring LDAP as a passdb back end. This undertaking requires a working LDAP server with the samba.schema in place because, in addition to POSIX attributes, you also need to create Samba attributes for the users.

The great benefit of using LDAP is that the users and groups only need to be created once. For user management, you can then use the smbldap-tools script collection [3] or do things graphically with the LDAP Account Manager [4], a web-based tool. Listing 13 shows how to modify the [global] section for the use of LDAP on both the PDC and all BDCs.

  passdb backend = ldapsam:ldap://samba.example.net
  ldap admin dn = cn=admin,dc=example,dc=net
  ldap suffix = dc=example,dc=net
  ldap group suffix = ou=groups
  ldap machine suffix = ou=hosts
  ldap user suffix = ou=users
  ldap passwd sync = yes
  ldap ssl = no

Samba now uses LDAP as the passdb back end. To also allow Samba to add the objects to LDAP, you need to add the password for the LDAP administrator to the secrets.tdb file. The command for this is smbpasswd -W. Samba will then create an LDAP object for the Samba domain. From this time on, Samba uses the LDAP server for user management.

The Future

Following the December release of version 4 of Samba, many things changed. Besides setting up Primary or Backup Domain Controllers, you can now also create Active Directory domain controllers, and you can set up Samba 4 as an additional AD controller. It is even possible to set up an entire Active Directory forest without the use of a Windows domain controller by Microsoft with Samba 4's own LDAP server that manages all the objects.

User and group management can also be handled with the Microsoft Windows Remote Server Administration Tools. You will need a Windows 7 machine to run the tools, but the software can be downloaded free of charge [5].