[Samba] Samba 4 AD DC and permissions

Peter Schaefer peter.schaefer at gmx.de
Mon Dec 30 13:55:30 MST 2013


As said in my earlier post, I upgraded Samba 3 to Samba 4.1.7 (Sernet) on Debian Wheezy. I now have - thanks to this 
list - installed and configured sssd to obtain user info from the AD, too. This works well.

Some questions remain:

- If I create files on a share using Windows Explorer, Samba does not honour the current user. The uid is always 3000000, 
which maps to the "DOMAIN/Administrator" user. The expected behaviour would be that Samba uses the uid of the 
authenticated user as stored in the AD unix extensions (in my case this would be 1005). Bug or feature? (IIRC the 
primary group was applied correctly.)

- If I follow the "Setup and configure file shares" howto and use "Computer Management" to manage the shares of the 
DC, only the shares which have the flag "browseable = yes" in smb.conf are displayed. If I set "browseable = no", the 
share is not shown. This is a pity, since I don't want to have e.g. the profiles folder visible in the network 
neighborhood, but I want to be able to manage it, of course. It seems I have to change smb.conf each time for that.

- If I use the same "Computer Management" method to change the permissions on the shared folder (i.e. not the share 
itself) via the "Security" tab, then any setting that I select for "This folder only" gets applied to every sub-folder in 
the share, too. I.e. if I manage the "profiles" share and already have (old) subfolders (e.g. "user01.v2", etc.) in 
it, the ACLs of the user folders get changed. Is this expected behaviour? In my case I added the "Domain Users" group 
and set "Traverse folder"/"List folder" limited to "This folder only", as described in the "Samba & Windows Profiles" howto. 
The result is that any user can now look into any other user's profile folder - which is not the expected result?!

- This leads to the last question: roaming profiles seem not to work, which seems to be a permission problem on the 
profile folders (which I may have set wrong, see above). I'd be glad if someone could give some insight into how the 
profile folders' permissions must be set for roaming to work.
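An added example smb.conf fragment, not from the original post and not the poster's actual configuration, that illustrates two of the points raised above. On a Samba 4 AD DC the uid/gid used for files is taken from idmap.ldb, whose auto-allocated xidNumbers start at 3000000; the global setting `idmap_ldb:use rfc2307 = yes` makes the DC use the uidNumber/gidNumber stored in the AD RFC2307 (unix extensions) attributes instead. The `[profiles]` share shows `browseable = no`, which hides the share from the browse list while it stays reachable by UNC path. The workgroup/realm names and the `/srv/samba/profiles` path are assumptions.

```ini
# Added example smb.conf fragment for a Samba 4 AD DC (illustrative only,
# not the configuration from the post). Domain names and paths are assumed.
[global]
    workgroup = DOMAIN
    realm = DOMAIN.EXAMPLE
    server role = active directory domain controller
    # Use the uidNumber/gidNumber from the AD RFC2307 attributes for
    # file ownership instead of auto-allocated xidNumbers from idmap.ldb
    # (those start at 3000000, which is the uid observed in the post).
    idmap_ldb:use rfc2307 = yes

[profiles]
    # Hidden from the network neighbourhood (browse list), but still
    # accessible via \\dc\profiles.
    path = /srv/samba/profiles
    read only = no
    browseable = no
    # Disable client-side (offline files) caching for profile data.
    csc policy = disable
```

After changing the mapping setting, restart Samba and verify it from a Windows client by creating a new file on a share and checking its owner on the DC with `ls -ln`; files created before the change keep uid 3000000 until they are chowned. The example only changes how the DC maps users to uids and how the share is advertised; it does not set the NTFS-style ACLs on the profile directory, which the post's last two questions are about.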


