[Samba] My samba can't see its own groups! (4.0.9 as solo AD DC)
Petros
Petros.Listig at fdrive.com.au
Sun Nov 10 18:05:24 MST 2013
Hi Trent,
Quoting "Trent W. Buck" <trentbuck at gmail.com>
> My samba thinks its own groups don't exist.
I am in a similar situation, using samba-4.0.8 under FreeBSD 9 (and
want to migrate from an older samba 3.6 fileserver). However,
everything seems to work for me, including force group etc.
(BTW: I am using s3fs (the same as under Linux) - not ntvfs)
> Background: I had a samba3 server operating as a NAS with some desktops
> joined to the domain. I'm migrating it to samba 4.0.9 as an AD domain.
>
> Users can log in and browse their home share -- but the other shares
> aren't working. They're per-project shares set up to allow that
> project's group access, and to forcibly make all files uploaded
> accessible to that group:
>
> [fnord]
> comment = Project Fnord
> path = /srv/share/fnord
> create mask = 0664
> force create mode = 0664
> directory mask = 0775
> force directory mode = 0775
> read only = no
> force group = fnord
> valid users = @fnord
>
> With those settings, and "cyber" in the fnord group,
>
> $ smbclient -U cyber //gumbo/fnord
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> If I comment out the last two lines, it works.
Here is my attempt:
From the smb4.cfg:
[global]
workgroup = DOMAIN
realm = DOMAIN.FDA
netbios name = SAMBA4
server role = active directory domain controller
dns forwarder = 192.168.50.223
# From the services - at the end only nbt removed
server services = rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd,kcc, dnsupdate, dns, smb
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
vfs objects = zfsacl
nsupdate command = /usr/local/bin/samba-nsupdate -g
# Test according to
# http://forums.freebsd.org/showthread.php?p=226901
interfaces = bce0
bind interfaces only = yes
# hosts allow does not seem to work
# it blocks socket communications from Winbind?
# According to https://glsan.com/community/samba4/zfs-share-setup/
ea support = yes
csc policy = disable
store dos attributes = yes
[petertestet]
path = /shares/petertestet
read only = no
browseable = yes
guest ok = no
delete readonly = yes
valid users = @petertestet
force group = petertestet
create mask = 0770
directory mask = 2770
I have a domain user petertest in a domain group petertestet:
# id petertest
uid=3000007(DOMAIN\petertest) gid=20(staff) groups=20(staff),3000020(DOMAIN\petertestet)
At the moment, I have a Windows 7 and an XP VM joined to the domain,
and could connect (map network drive) and create a document with
expected permissions:
# ls -lisa /shares/petertestet
total 4
17037 2 drwxrws--- 2 DOMAIN\petertest DOMAIN\petertestet 3 Nov 11 11:40 .
16817 2 drwxr-xr-x 4 root wheel 4 Nov 11 11:32 ..
17046 1 -rw-rw---- 1 DOMAIN\petertest DOMAIN\petertestet 6 Nov 11 11:40 dada.txt
I changed /etc/nsswitch.conf:
group: files winbind
passwd: files winbind
So it looks as if "my samba" is happy with winbind domain groups and can
deal with "force group" etc.
Regards
Peter
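
Both share definitions in this thread depend on "valid users = @group" and "force group" naming a group that the host can resolve through NSS (the "group: files winbind" line above). The following Python sketch is an added example, not part of the original message: it lists every group a share references and reports those the host cannot resolve. SAMPLE_CONF is constructed and the function names are hypothetical.

```python
import grp
import re

# Constructed share definitions modelled on the thread (not a real server's file).
SAMPLE_CONF = """\
[global]
    workgroup = DOMAIN
[petertestet]
    valid users = @petertestet, petertest
    Force Group = +petertestet
[fnord]
    valid users = @fnord "+DOMAIN\\Domain Users"
    force group = fnord
"""

def nss_group_exists(name):
    """True if the group resolves through NSS (files, winbind, ...)."""
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False

def referenced_groups(conf_text):
    """Yield (share, parameter, group) for 'valid users' and 'force group' entries."""
    share = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        key = re.sub(r"\s+", "", key).lower()  # names ignore case and whitespace
        if not sep or share is None:
            continue
        if key == "forcegroup":
            # A leading '+' only makes the forcing conditional on membership.
            yield share, "force group", value.strip().strip('"').lstrip("+")
        elif key == "validusers":
            for item in re.findall(r'"[^"]*"|[^,\s]+', value):
                item = item.strip('"')
                if item and item[0] in "@+&":  # group markers; plain names are users
                    yield share, "valid users", item.lstrip("@+&")

def unresolved_groups(conf_text, lookup=nss_group_exists):
    """Groups a share depends on that the host's NSS cannot resolve."""
    return [ref for ref in referenced_groups(conf_text) if not lookup(ref[2])]
```

An empty list from unresolved_groups() on the server's own configuration text means every referenced group resolves the same way "id petertest" does above.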