SAMBA4 separate member and file server - Update

Craig SHONE craig.shone at
Mon Jun 22 14:35:20 MDT 2015

Just adding a bit more info:


Running wbinfo -t on the file server results in a successful trust secret
check via RPC

Running wbinfo -u on the file server returns all my AD users

Running wbinfo -g on the file server returns all my AD groups

Running wbinfo -p on the file server results in a successful ping to


I have used the basic smb.conf on the wiki page for the file/member server,
but no luck trying to set the ACLs on my shares with the command: setfacl
-m g:domain_admins:rwx /data/shares/admin, it just results in an error.


I've tried running the command wbinfo on both the file server and domain
controller and I get different results.


From the member/file server:


[root@hnpmb01 ~]# wbinfo -i craig
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user craig


From the domain controller:


[root@hnpmb02 ~]# wbinfo -i craig
craig:*:3000047:100:Craig Shone:/home/HN/craig:/bin/false


It's almost as if setfacl cannot see the list of AD groups and accounts?  Do
I have to add the UNIX mappings on the DC if wanting to use a separate SAMBA
4 file server?





From: Craig SHONE [mailto:craig.shone at] 
Sent: 22 June 2015 03:06 PM
To: 'samba at'
Subject: SAMBA4 member and file server


Hi everyone


Needing some advice with regards to setting up a SAMBA 4 file server in a
SAMBA 4 AD domain (I come from Windows so bear with me please).


I've followed the wiki guidelines and successfully set up a SAMBA4 domain
controller in ESXI, created some test user accounts and joined my
workstation to the domain, DNS works fine, can log in with no problem,
Windows RSAT tools run fine in creating the test user accounts, etc.  DC
was provisioned with --use-rfc2307.


Now I'm trying to set up a separate SAMBA4 file server, have created the
smb.conf as per the wiki, joined the file server to the domain and granted
Domain Admins SeDiskOperatorPrivilege.


Issue I'm facing is in creating shares and setting ACLs on them for Domain
Admins to change the permissions via a Windows machine.   Pretty sure I have
to set uid and gid using the RSAT tools for the various groups and users I
have created as I didn't set Domain Users to 10000 before adding more users
and groups and letting SAMBA increment them automatically.


Can anyone confirm if my assumption is correct and point me to the right
procedure to assign what is needed so that I can set the ACLs on my file


Thank you




More information about the samba-technical mailing list