[Samba] Restricting access to [homes]

steve steve at steve-ss.com
Wed May 23 07:30:07 MDT 2012

On 23/05/12 13:40, NdK wrote:
> On 23/05/2012 09:11, Jorell wrote:

> exit 0
> I've had to obtain DOMAIN\domin_users gid before chown or it gave an
> error (maybe due to a clash from a trusted domain -- still trying to
> understand how can it happen).
> And I'm still having issues with setfacl (I never used ACLs before, so I
> have to study a bit).
> BTW it's been a great leap forward!
> BYtE,
>   Diego.

If the gidNumber for the gid is stored in AD (as the 2008 and samba4 
schema allow) then there can be no clash. It is then no problem to 
extract it and apply it using the normal /etc/nsswitch.conf format. 
Look in LDAP rather than winbind, e.g. using nss-pam-ldapd.

passwd: files ldap
group: files ldap

with /etc/nslcd.conf something like:

map    passwd    uid              samAccountName
map    passwd    homeDirectory    unixHomeDirectory
map    group     uniqueMember     member

With ldapd/nslcd running, you can chown and chmod using the names of the 
AD groups and users exactly as advertised in getent passwd or wbinfo 
calls. It is then reflected perfectly by the filer. OK, with samba4 and 
cifs/s3fs there are currently a few problems but under 3.6 it maps 
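
Added example, not part of the original post: a shell check that a group name resolves through NSS (files, then ldap) to a numeric gid that maps back to the same name, before ownership and mode are applied to a home directory. The function names resolve_gid and secure_home and the default mode 0700 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify an NSS group lookup before touching ownership.
# resolve_gid and secure_home are hypothetical helper names.

# resolve_gid GROUP -> prints the numeric gid.
# Fails if the group is unknown, the gid is not numeric, or the gid maps
# back to a different name (a clash between NSS sources, e.g. a local
# /etc/group entry shadowing the gidNumber stored in AD).
resolve_gid() {
    entry=$(getent group "$1") || return 1
    name=$(printf '%s\n' "$entry" | cut -d: -f1)
    gid=$(printf '%s\n' "$entry" | cut -d: -f3)
    case $gid in
        ''|*[!0-9]*) return 1 ;;
    esac
    # Compare with the name NSS returned, not the input, since the
    # directory may treat names case-insensitively.
    back=$(getent group "$gid" | cut -d: -f1)
    if [ "$back" != "$name" ]; then
        echo "gid $gid resolves to '$back', not '$name'" >&2
        return 2
    fi
    printf '%s\n' "$gid"
}

# secure_home DIR OWNER GROUP [MODE]
# Applies owner, group and mode only after the group lookup is verified.
# MODE defaults to 0700 (an assumption; the thread does not give a mode).
secure_home() {
    dir=$1 owner=$2 group=$3 mode=${4:-0700}
    # Refuse symlinks so the change cannot be redirected elsewhere.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a real directory: $dir" >&2
        return 1
    fi
    gid=$(resolve_gid "$group") || {
        echo "group lookup failed for $group, nothing changed" >&2
        return 1
    }
    chown "$owner" "$dir" && chgrp "$gid" "$dir" && chmod "$mode" "$dir"
}

# Stand-alone use: sh script.sh DIR OWNER GROUP [MODE]
if [ "$#" -ge 3 ]; then
    secure_home "$@"
fi
```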

