[Samba] Samba as ADS Fileserver

Noah Dain noahdain at gmail.com
Wed Jun 29 15:51:13 GMT 2005

On 6/28/05, Warwick Bruce Chapman <warwick at thusa.co.za> wrote:
> Dear All
> I've been working at building a file server to provide file sharing for a
> Windows 2003 Active Directory Domain.
> Our requirements are for the Windows Server Administrator to be able to create
> all the users' home folders in the Samba share and apply restrictive
> permissions.  Ie. User joe, //samba/joe$ or //samba/share/joe (Dfs), with
> permissions for only the user "joe" and "domain admins".

they don't need to create anything for home dirs.  just use the 'root
preexec' directive to call a script which creates the home dir on
demand if needed.

    comment = %U's Home Directory
    path = /home/%D/%U
    read only = No
    browseable = No
    root preexec = /etc/samba/scripts/mk_sambadir %D %U %G

samba knows which user is connecting (%U), their primary group (%G)
and domain (%D).  the actual share is created dynamically.  in ad, set
their profile to \\server\%username%

mk_sambadir is a shell script, run as root *before* the user is
actually granted access to the share (as it may not even exist yet).
At my main site, it just checks for existence of the domain directory
(/home/DOMAIN), and then the user's home directory
(/home/DOMAIN/USER).  If any of these don't exist, they are created.
Permissions are then set.

it all just takes a few lines of code for a simple setup.

hope this helps

> So basically, is what I am trying to do possible?  Can I configure Samba so that
> an MCSE can create a folder on a samba share (Dfs) and assign that user
> rights to the folder via the "Permissions" tab of the folder properties dialog?
>  Ie.  Can it be setup so clickety-clickers can manage the permissions and create
> new folders within a Dfs share?
> So far, I have:
> - mit-krb5 1.4 successfully compiled and configured, and has been successfully
> authenticated to the realm with kinit.
> - samba 3.0.14a successfully compiled with ADS, IDMAP, ACL, LDAP, Winbind,
> MS-Dfs and Krb5 support. (smb.conf/output of smbd -b is attached)
> ** I'm experiencing odd behaviour from the ACL support, where when I use the
> Windows "Permissions" tab on a share or folder within a share, and changes I
> make are lost on clicking the Apply button.  Like Windows is not allowed to
> write ACLs back to the linux box. **
> - kernel, filesystem (mounted acl,user_attr) and library support for POSIX ACLs.
> smbd -b | grep ACL returns the two flags confirming samba acl support. Confirmed
> that the setfacl and getfacl commands work. Output from the mount command:
> /dev/md0        /           reiserfs    defaults,acl,user_xattr         1   1
> - nsswitch.conf configured:
> passwd:         compat winbind
> shadow:         compat
> group:          compat winbind
> - a public share for testing which is root:users 755. I couldn't browse to it as
> Administrator from the Windows 2003 Server if it was 750. Must I use the
> username map functionality at all?
> - tried to configure a Dfs share, but I think it may not be the same sort of
> thing I used to use in Windows 2000.  In Windows 2000 I used a root Dfs share
> in order to share one directory, eg. \\server\users$, and in that directory each
> user's home directory existed with their specific permissions.
> - wbinfo -t returns: "checking the trust secret via RPC calls succeeded"
> - wbinfo -u returns: "Error looking up domain users"
> ** I'm assuming this is where the error is?  Is it that winbind cannot list the
> users therefore when a Windows user connects, Samba thinks that user does not
> exist and boots it for lack of permission? **
> - wbinfo -g returns the AD groups:
> BUILTIN/system operators
> BUILTIN/replicators
> BUILTIN/guests
> BUILTIN/power users
> BUILTIN/print operators
> BUILTIN/administrators
> BUILTIN/account operators
> BUILTIN/backup operators
> BUILTIN/users
> domain computers
> domain controllers
> schema admins
> enterprise admins
> domain admins
> domain users
> domain guests
> group policy creator owners
> dnsupdateproxy
> call_centre
> finance
> Ciao
> Warwick Chapman
> Marketing and Operations
> Thusa Business Support cc
> Cellular: +27 83 7797 094
> Telephone: +27 31 563 1180
> Facsimile: +27 31 563 1182
> Website: http://www.thusa.co.za
> -- There are 10 types of people in this world. Those who understand binary, and
> those who don't.

Noah Dain
noahdain at gmail.com
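The on-demand home-directory script described above, written out as an added example (not Noah's own mk_sambadir): it takes %D %U %G as smbd passes them, validates the names before doing anything as root, and creates the domain and user directories with restrictive permissions. HOME_BASE is an assumed override for the /home base so the script can be tried against a scratch directory.

```shell
#!/bin/sh
# mk_sambadir: create /home/DOMAIN/USER on demand from 'root preexec'.
# smbd runs it as root as:  mk_sambadir %D %U %G  (domain, user, group)
# HOME_BASE is an assumed knob (not in the original post) so the script can
# be exercised against a scratch directory instead of /home.
HOME_BASE="${HOME_BASE:-/home}"

# Reject values that could escape the base directory or look like options:
# empty, containing '/', '.' or '..', or starting with '-'. The values come
# from the authenticated session, but a root-run script should still check.
safe_name() {
    case "$1" in
        ''|*/*|.|..|-*) return 1 ;;
    esac
    return 0
}

mk_sambadir() {
    domain="$1"; user="$2"; group="$3"
    safe_name "$domain" && safe_name "$user" && safe_name "$group" || return 1
    # the unix account must resolve (winbind via nsswitch) or chown fails
    id "$user" >/dev/null 2>&1 || return 1

    domdir="$HOME_BASE/$domain"
    homedir="$domdir/$user"

    # domain container: traversable so users reach their own directory,
    # but not listable by everyone
    if [ ! -d "$domdir" ]; then
        mkdir -p "$domdir" || return 1
        chmod 711 "$domdir" || return 1
    fi

    # user's home: owned by the user, private (mode 700); idempotent on
    # later connections because the directory already exists
    if [ ! -d "$homedir" ]; then
        mkdir "$homedir" || return 1
        chown "$user:$group" "$homedir" || return 1
        chmod 700 "$homedir" || return 1
    fi
    return 0
}

# Act as a script when installed under that name; when sourced, only define.
if [ "${0##*/}" = "mk_sambadir" ]; then
    mk_sambadir "$@"
fi
```

Install it as /etc/samba/scripts/mk_sambadir (mode 700, owned by root) so that the 'root preexec' line above can call it.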
