[Samba] Samba as ADS Fileserver
Noah Dain
noahdain at gmail.com
Wed Jun 29 15:51:13 GMT 2005
On 6/28/05, Warwick Bruce Chapman <warwick at thusa.co.za> wrote:
> Dear All
>
> I've been working at building a file server to provide file sharing for a
> Windows 2003 Active Directory Domain.
>
> Our requirements are for the Windows Server Administrator to be able to create
> all the users' home folders in the Samba share and apply restrictive
> permissions. I.e. user joe, //samba/joe$ or //samba/share/joe (Dfs), with
> permissions for only the user "joe" and "domain admins".
They don't need to create anything for home dirs. Just use the 'root
preexec' directive to call a script which creates the home dir on
demand if needed.
[homes]
comment = %U's Home Directory
path = /home/%D/%U
read only = No
browseable = No
root preexec = /etc/samba/scripts/mk_sambadir %D %U %G
Samba knows which user is connecting (%U), their primary group (%G)
and domain (%D). The actual share is created dynamically. In AD, set
their profile to \\server\%username%
mk_sambadir is a shell script, run as root *before* the user is
actually granted access to the share (as it may not even exist yet).
At my main site, it just checks for the existence of the domain directory
(/home/DOMAIN), and then the user's home directory
(/home/DOMAIN/USER). If either of these doesn't exist, it is created.
Permissions are then set.
It all just takes a few lines of code for a simple setup.
Hope this helps.
>
> So basically, is what I am trying to do possible? Can I configure Samba so that
> an MCSE can create a folder on a samba share (Dfs) and assign that user
> rights to the folder via the "Permissions" tab of the folder properties dialog?
> I.e. Can it be set up so clickety-clickers can manage the permissions and create
> new folders within a Dfs share?
>
> So far, I have:
>
> - mit-krb5 1.4 successfully compiled and configured, and has been successfully
> authenticated to the realm with kinit.
>
> - samba 3.0.14a successfully compiled with ADS, IDMAP, ACL, LDAP, Winbind,
> MS-Dfs and Krb5 support. (smb.conf/output of smbd -b is attached)
>
> ** I'm experiencing odd behaviour from the ACL support, where when I use the
> Windows "Permissions" tab on a share or folder within a share, and changes I
> make are lost on clicking the Apply button. Like Windows is not allowed to
> write ACLs back to the linux box. **
>
> - kernel, filesystem (mounted acl,user_attr) and library support for POSIX ACLs.
> smbd -b | grep ACL returns the two flags confirming samba acl support. Confirmed
> that the setfacl and getfacl commands work. Output from the mount command:
> /dev/md0 / reiserfs defaults,acl,user_xattr 1 1
>
> - nsswitch.conf configured:
> passwd: compat winbind
> shadow: compat
> group: compat winbind
>
> - a public share for testing which is root:users 755. I couldn't browse to it as
> Administrator from the Windows 2003 Server if it was 750. Must I use the
> username map functionality at all?
>
> - tried to configure a Dfs share, but I think it may not be the same sort of
> thing I used to use in Windows 2000. In Windows 2000 I used a root Dfs share
> in order to share one directory, eg. \\server\users$, and in that directory each
> user's home directory existed with their specific permissions.
>
> - wbinfo -t returns: "checking the trust secret via RPC calls succeeded"
> - wbinfo -u returns: "Error looking up domain users"
>
> ** I'm assuming this is where the error is? Is it that winbind cannot list the
> users, therefore when a Windows user connects, Samba thinks that user does not
> exist and boots it for lack of permission? **
>
> - wbinfo -g returns the AD groups:
> BUILTIN/system operators
> BUILTIN/replicators
> BUILTIN/guests
> BUILTIN/power users
> BUILTIN/print operators
> BUILTIN/administrators
> BUILTIN/account operators
> BUILTIN/backup operators
> BUILTIN/users
> domain computers
> domain controllers
> schema admins
> enterprise admins
> domain admins
> domain users
> domain guests
> group policy creator owners
> dnsupdateproxy
> call_centre
> finance
>
> Ciao
> Warwick Chapman
> Marketing and Operations
> Thusa Business Support cc
>
> Cellular: +27 83 7797 094
> Telephone: +27 31 563 1180
> Facsimile: +27 31 563 1182
> Website: http://www.thusa.co.za
>
> -- There are 10 types of people in this world. Those who understand binary, and
> those who don't.
>
--
Noah Dain
noahdain at gmail.com
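The on-demand home-directory script that the reply above describes, written out as an added example (this is not Noah's mk_sambadir). It assumes the [homes] layout of /home/%D/%U, that the user and group names smbd passes in resolve through NSS (winbind) and contain only letters, digits, `.`, `_`, `-` and `+` (so `winbind use default domain = yes` or a non-backslash `winbind separator`), and it validates its arguments because it runs as root on values supplied by the connecting client.

```shell
#!/bin/sh
# mk_sambadir: create DOMAIN/USER home directories on demand.
# smbd runs this as root from "root preexec = ... %D %U %G" before the
# client is granted access, so all three arguments are client-influenced
# input and must be validated before anything touches the filesystem.

HOME_BASE="${HOME_BASE:-/home}"   # assumption: [homes] path = /home/%D/%U

# Accept only plain names: letters, digits, . _ - + (no '/', no '..',
# no leading '-' that a tool could read as an option).
valid_name() {
    case "$1" in
        ''|.|..|-*|*/*|*[!A-Za-z0-9._+-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# mk_sambadir BASE DOMAIN USER GROUP -> 0 on success, 1 on any refusal
mk_sambadir() {
    base=$1 domain=$2 user=$3 group=$4
    valid_name "$domain" && valid_name "$user" && valid_name "$group" || return 1
    domdir="$base/$domain"
    userdir="$domdir/$user"

    # Fail closed on symlinks: a planted link would redirect the chown.
    if [ -L "$domdir" ] || [ -L "$userdir" ]; then return 1; fi
    if [ ! -e "$domdir" ]; then
        mkdir -m 0755 "$domdir" || return 1      # container: traversable only
    fi
    if [ ! -e "$userdir" ]; then
        # mkdir without -p is atomic: it fails rather than adopting a directory
        # someone raced into place. The restrictive mode is set at creation
        # time, so there is no window with a world-readable home.
        mkdir -m 0700 "$userdir" || return 1
        chown "$user:$group" "$userdir" || return 1   # user:group via NSS (winbind)
    fi
    [ -d "$userdir" ]
}

# Invocation from smbd: mk_sambadir %D %U %G
if [ "$#" -eq 3 ]; then
    mk_sambadir "$HOME_BASE" "$1" "$2" "$3" || exit 1
fi
```

Because the script exits non-zero on any refusal, smbd denies the connection instead of handing out a share backed by a path it could not create safely.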