[Samba] Samba 4 AD DC and permissions
peter.schaefer at gmx.de
Mon Dec 30 13:55:30 MST 2013
As said in my earlier post, I upgraded Samba 3 to Samba 4.1.7 (Sernet) on Debian Wheezy. I now have - thanks to this
list - installed and configured sssd to obtain user info from the AD, too. This works well.
Some questions remain:
- If I create files on a share using Windows Explorer, Samba does not honour the current user. The uid always is 3000000
which maps to the "DOMAIN/Administrator" user. The expected behaviour would be that Samba uses the uid from the
authenticated user as stored in the AD unix extensions (in my case this would be 1005). Bug or feature? (IIRC the
primary group was applied correctly)
- If I follow the "Setup and configure file shares"-Howto and use the "Computer Management" to manage the shares of the
DC, only the shares which have the flag "browseable = yes" in smb.conf are displayed. If I set "browseable = no", the
share is not shown. Which is a pity since I don't want to have e.g. the profiles folder visible in the network
neighborhood, but I want to be able to manage it, of course. Seems I have to change the smb.conf each time for that.
- If I use the same "Computer Management" method to change the permissions on the shared folder (i.e. not the share
itself) via the "Security" tab, then any setting that I select for "This folder only" gets applied to any sub-folder in
the share, too. I.e. if I manage the "profiles" share and I already have (old) subfolders (e.g. "user01.v2", etc.) in
it, the ACLs of the user folders get changed. Is this expected behaviour? In my case I added the "Domain Users" group
and said "Traverse folder"/"List folder" limited to "This folder only" as said in the "Samba & Windows Profiles"-Howto.
The result is that any user can now look into any other user's profile folder - which is not the expected result?!
- This leads to the last question: Roaming Profiles seem not to work; which seems to be a permission problem on the
profile folders (which I may have set wrong, see above). I'd be glad if someone could give some insight how the profile
folder's permissions must be set for roaming to work.