[Samba] File Server recognize users and groups AD
Rowland Penny
rpenny at samba.org
Thu Aug 4 20:44:03 UTC 2016
On Thu, 4 Aug 2016 19:26:23 +0000 (UTC)
Ricardo Pardim Claus <ricardo.claus at yahoo.com.br> wrote:
> Dear,
> I'm having trouble getting Samba to recognize the permissions assigned to
> groups and users created in AD. Scenario:
>
> DC1 = Primary DC
> DC2 = secondary DC + file server
>
> Both running the 4.4.5 version of Samba (Centos 7).
>
> When I add permissions to a folder using a Windows desktop, I am able to
> set permissions for AD users and groups. What do I need to set up so that
> AD groups and users are recognized in Samba's permissions?
> In the end, I'm trying to see the permissions using the following
> commands:
>
> getfacl /mnt/data/share
>
> The result is this:
>
>
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/data/share
> # owner: 3000000
> # group: users
> user::rwx
> user:3000016:rwx
> group::r-x
> group:users:r-x
> group:3000000:rwx
> group:3000016:rwx
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:3000000:rwx
> default:user:3000016:rwx
> default:group::r-x
> default:group:users:r-x
> default:group:3000016:rwx
> default:mask::rwx
> default:other::r-x
>
> Here follows the smb.conf of my DC2 (secondary DC + file server):
>
> # Global parameters
> [global]
> bind interfaces only = Yes
> interfaces = lo eth0
> netbios name = SRV15
> realm = DOMAIN.LOCAL
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = DOMAIN
> server role = active directory domain controller
> comment =
> log file = /var/log/samba/%m.log
> log level = 1
> #
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain DOMAIN
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-99999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [dados]
> comment = Share
>
> path = /mnt/data/share
> read only = No
>
> browseable = Yes
> inherit acls = Yes
> inherit permissions = Yes
>
> When I try to set a permission:
>
> setfacl -R -m default: group: "Domain Admins": rwx /mnt/data/share
> setfacl: Option -m: Argument invalid character near 15
>
Sorry, but the lines you have added to the [global] section of
your smb.conf will do nothing on an AD DC.
Does 'getent group Domain\ Admins' produce any output?
If not you need to set up libnss-winbind.
Rowland
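Added example, not from the thread or from the Samba project: a small shell helper that pulls the bare-numeric entries (unresolved IDs such as 3000000 and 3000016) out of a getfacl listing like the one quoted above, plus a wrapper that runs the same getent check Rowland suggests for each of them on a live system. The sample listing is constructed from the one in the post; `unresolved_ids` and `report_unmapped` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. Lists the ACL entries in a getfacl
# listing whose qualifier is a bare number, i.e. an ID that NSS could not map
# to a name. On a Samba AD DC such numbers are the symptom the reply above
# points at: winbind is not wired into NSS (libnss-winbind / nsswitch.conf).

# Constructed sample, modelled on the listing quoted in the thread.
SAMPLE_ACL='# file: mnt/data/share
# owner: 3000000
# group: users
user::rwx
user:3000016:rwx
group::r-x
group:users:r-x
group:3000000:rwx
mask::rwx
other::r-x
default:user:3000000:rwx
default:group:3000016:rwx'

# Print distinct "user ID" / "group ID" pairs for every unresolved qualifier,
# including the "# owner:" / "# group:" headers. Named entries are skipped.
unresolved_ids() {
    printf '%s\n' "$1" | awk -F: '
        /^# owner: [0-9]+$/ { print "user", $2 + 0; next }
        /^# group: [0-9]+$/ { print "group", $2 + 0; next }
        /^#/ { next }
        {
            kind = $1; qual = $2
            if (kind == "default") { kind = $2; qual = $3 }
            if ((kind == "user" || kind == "group") && qual ~ /^[0-9]+$/)
                print kind, qual
        }' | sort -u
}

# Live check for the file server: for each unresolved ID in the real ACL of
# the path in $1, ask NSS (getent) whether it can be mapped now. Any output
# means the ID still does not resolve, so the getent test above fails too.
report_unmapped() {
    unresolved_ids "$(getfacl -p "$1" 2>/dev/null)" | while read -r kind id; do
        db=passwd
        [ "$kind" = group ] && db=group
        getent "$db" "$id" >/dev/null 2>&1 ||
            echo "$kind $id: not resolvable through NSS ($db database)"
    done
}

# Offline demonstration on the constructed sample.
unresolved_ids "$SAMPLE_ACL"
```

Once names resolve, note that the setfacl in the quoted post fails because the spaces split the entry into several arguments; the whole entry has to be passed as one argument, e.g. `setfacl -R -m "default:group:Domain Admins:rwx" /mnt/data/share`.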