[Samba] Samba4: Setting up share/security permissions for shares on member server

Mirco MEGAS micromegas at mail333.com
Tue Oct 21 11:39:58 MDT 2014


Hello,

I am running Samba 4.1.12/Sernet on Debian Wheezy 64bit and I am about to set up my member server. The DC was provisioned with rfc2307 and extended attributes. I have assigned the domain group called "Domain Users" the GID=10000. My member server was prepared with ACL+user_xattr and winbind support. My /etc/nsswitch.conf is using "winbind" for passwd+group, and "getent passwd" on the member server is returning the AD user accounts, to which I assigned a UID with the ADUC tool on the "UNIX Attributes" tab. I was told *NEVER EVER* to assign a UID through the "UNIX Attributes" tab in the ADUC tool for the "Administrator" user. Here begins the problem:

When the user "Administrator" doesn't have a UID assigned as a UNIX attribute, it will never be listed in "getent passwd" on my member server and thus can never be used as a user on the member server. Here I am stuck: I wanted to configure the [home] and [profiles] shares on my member server according to the wiki (https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Setup_share_permissions). The wiki says I should grant "SeDiskOperatorPrivilege" to the "Domain Admins" group. I executed that on the DC and also confirmed on the DC with the command "net rpc rights list accounts -Uadministrator" that it was applied successfully. On the member server I created the path for the [home] share with "mkdir -p /srv/samba4_data/home".

Then I log in to a Windows XP machine that is joined to my Samba4/AD domain with a user that is a member of the domain group "Domain Admins". I do it exactly as described in (https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Setup_share_permissions). Through "Computer Management" I connect to my member server and I see the [home] share. I can change and apply the "Share Permissions" settings as described on the wiki. But as soon as I click the "Security" tab, everything is greyed out; I cannot change anything there. In my understanding that is what I would expect, because there are no rights for "MYDOM\johndoe" on the path "membersrv1:/srv/samba4_data/home".

[root@membersrv1:/srv/samba4_data$ ls -ld home
drwxr-xr-x 2 root root 4096 Okt 21 19:11 home

[root@membersrv1:/srv/samba4_data$ getfacl home
# file: home
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

How should I be able to edit the security settings as explained on the wiki? What did I miss here? Any help appreciated.

Mirco
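The steps the wiki section above describes, collected into one script as an added example (this is not code from the original post, from the Samba wiki, or from the Samba project). It assumes the NetBIOS domain is MYDOM, the share root is /srv/samba4_data/home, the share is served through vfs acl_xattr as the wiki describes, and that "Domain Admins" resolves to a POSIX group on the member server; with rfc2307 idmap that means the group needs a gidNumber, just as "Domain Users" has 10000 in the post. The point it makes: SeDiskOperatorPrivilege only covers the share side (the "Share Permissions" tab); the "Security" tab is editable only for a user who holds WRITE_DAC on the directory, and a root:root 0755 directory like the one in the getfacl output above gives a domain admin read/execute only.

```shell
#!/bin/sh
# Added example, not the post's or the Samba wiki's own code.
# Assumed names: MYDOM, /srv/samba4_data/home, and a resolvable
# POSIX group for "Domain Admins" (none of these are fixed by the page).
set -eu

DOMAIN="${DOMAIN:-MYDOM}"                         # assumed NetBIOS domain
SHARE_ROOT="${SHARE_ROOT:-/srv/samba4_data/home}" # assumed share root
# With the default winbind separator the group is MYDOM\Domain Admins;
# with "winbind use default domain = yes" it is plain "Domain Admins".
ADMIN_GROUP="${ADMIN_GROUP:-${DOMAIN}\\Domain Admins}"

# Step 1 (run on the DC). SeDiskOperatorPrivilege lets Domain Admins edit
# the share permissions (the srvsvc side). It grants nothing on the files
# behind the share, so on its own it does not unlock the Security tab.
grant_disk_operator() {
    net rpc rights grant "${DOMAIN}\\Domain Admins" SeDiskOperatorPrivilege -U administrator
    net rpc rights list accounts -U administrator
}

# Step 2 (member server). Share definition: acl_xattr keeps the Windows
# ACL in the security.NTACL extended attribute, which is why the
# filesystem is mounted with acl,user_xattr.
share_stanza() {  # $1 = share name, $2 = path; prints the stanza
    printf '[%s]\n' "$1"
    printf '\tpath = %s\n' "$2"
    printf '\tread only = no\n'
    printf '\tvfs objects = acl_xattr\n'
    printf '\tmap acl inherit = yes\n'
    printf '\tstore dos attributes = yes\n'
}

# Step 3 (member server). Until an NT ACL has been stored, Samba derives
# one from the POSIX mode. root:root 0755 maps to read/execute for a
# domain admin, hence the greyed-out tab. Group rwx (0770) for the admin
# group maps to Full Control ("acl map full control = yes" is the
# default), which includes WRITE_DAC, so the tab becomes editable.
prepare_share_root() {  # $1 = path, $2 = POSIX group that should own it
    if command -v getent >/dev/null 2>&1; then
        getent group "$2" >/dev/null \
            || { echo "group '$2' does not resolve (gidNumber missing?)" >&2; return 1; }
    fi
    mkdir -p "$1"
    chgrp "$2" "$1"   # owner stays whoever ran mkdir (root on the member server)
    chmod 0770 "$1"
}

# Sanity check before opening Computer Management: prints "ok" when the
# last three mode digits are 770, otherwise the mode that was found.
share_root_ok() {  # $1 = path
    mode=$(stat -c '%a' "$1")
    if [ "${mode#"${mode%???}"}" = 770 ]; then
        echo ok
    else
        echo "mode $mode: group needs rwx and others no access"
    fi
}

# Usage: sh prepare_share.sh dc      (on the DC)
#        sh prepare_share.sh member  (on the member server)
case "${1:-}" in
    dc)     grant_disk_operator ;;
    member) share_stanza home "$SHARE_ROOT"   # append to smb.conf, then: smbcontrol all reload-config
            prepare_share_root "$SHARE_ROOT" "$ADMIN_GROUP"
            share_root_ok "$SHARE_ROOT"
            getfacl "$SHARE_ROOT" ;;
esac
```

The check in share_root_ok is deliberately narrow: it reports exactly the state shown in the post's getfacl output (755) as the problem, and nothing about the Windows ACL that Samba stores in the xattr once someone has actually saved one from the Security tab. If "getent group" cannot resolve the admin group on the member server, chgrp has nothing to map the SID to, and that has to be fixed on the DC (a gidNumber for the group) before any of the directory steps can work.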

