[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.

Jason Long hack3rcon at yahoo.com
Sun Dec 28 23:38:51 MST 2014

Thank you so much.
You're right. My realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:

workgroup = JASONDOMAINI
server string = Samba Server Version %v
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
security = ADS
passdb backend = tdbsam
load printers = yes
cups options = raw
idmap config *:backend = tdb
idmap config *:range = 70001-80000
#idmap config SAMDOM:backend = ad
idmap config JASONDOMAINI:backend = ad
idmap config JASONDOMAINI:schema_mode = rfc2307
idmap config JASONDOMAINI:range = 500-40000

When I use "SSH" on my CentOS box and log in as "jasondomain\jason", it shows me the root partition and I can open the "Test" directory, but it has two problems:

1- Why does it show the root partition?
2- I can't browse it via Windows Explorer!!!

I want to know: is using AD users in Linux hard?

In your opinion, did I use the correct command to set the ACL?

#getfacl test/

# file: test/
# group: JASONDOMAINI\134grp-JASON-rw

and in "getent group" it shows me the group below:

In your opinion, did I use the correct command to set permissions?

On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
On 28/12/14 15:48, Jason Long wrote:
> Thank you so much.
> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad " to "idmap config JASONDOMAIN:backend = ad".
> How about Workgroup? Must I change "JASONDOMAIN" too?
> About your question, I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients use SSH to work with this directory? I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
> What is your idea?
> Thanks.

I am losing track here a bit, but if your dns domain is example.com, 
then your windows AD realm should be something like internal.example.com 
and your workgroup/domain name should be INTERNAL, that is, they all 
rely on each other.

So anywhere that you come across these, you should use the relevant one, 
this is the relevant parts from a Unix client on my domain:

         workgroup = INTERNAL
         security = ADS
         realm = INTERNAL.EXAMPLE.COM
         idmap config * : backend = tdb
         idmap config * : range = 2000-9999
         idmap config INTERNAL : backend  = ad
         idmap config INTERNAL : range = 10000-999999
         idmap config INTERNAL : schema_mode = rfc2307

As for using 'PUTTY', this was just a way of testing whether you can 
connect to the Unix machine.
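As an added example (not part of this thread or of Samba itself), a small Python checker for the point Rowland makes above: the domain label in each "idmap config" line must be the short workgroup name, not the DNS realm, and the idmap ranges must not overlap. The smb.conf embedded below is constructed to mirror the misconfiguration in the earlier message; the check that the workgroup is the first label of the realm reflects Rowland's naming convention and is an assumption of this script, not a Samba requirement.

```python
import re

IDMAP_RE = re.compile(r"^idmap config (\S+?)\s*:\s*(\w+)$")  # "idmap config DOMAIN : option"
# Constructed sample modelled on the thread: the DNS realm is used as the idmap domain.
BAD_CONF = """[global]
workgroup = JASONDOMAIN
realm = JASONDOMAIN.JJ
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config JASONDOMAIN.JJ:backend = ad
idmap config JASONDOMAIN.JJ:range = 500-40000
"""

def parse_global(text):
    """Return [global] of an smb.conf as {key: value}; keys lower-cased, spacing normalised."""
    section, conf = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):  # blank or full-line comment
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)
            conf[" ".join(key.lower().split())] = val.strip()
    return conf

def check_idmap(conf):
    """Return problems found; an empty list means workgroup, realm and idmap domains agree."""
    problems, domains, ranges = [], {}, []
    workgroup = conf.get("workgroup", "").upper()
    realm = conf.get("realm", "").upper()
    if realm and workgroup and realm.split(".")[0] != workgroup:  # convention, not a requirement
        problems.append(f"workgroup {workgroup} is not the first label of realm {realm}")
    for key, val in conf.items():  # group the idmap options per domain label
        m = IDMAP_RE.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = val
    for dom, opts in domains.items():
        if dom not in ("*", workgroup):  # the thread's mistake: a DNS realm used here
            problems.append(f"idmap domain {dom} must be the workgroup name {workgroup}")
        if "range" not in opts:
            continue
        lo, hi = (int(x) for x in opts["range"].split("-"))
        for other, olo, ohi in ranges:
            if lo <= ohi and olo <= hi:
                problems.append(f"range of {dom} overlaps range of {other}")
        ranges.append((dom, lo, hi))
    return problems
```

Run check_idmap(parse_global(open("/etc/samba/smb.conf").read())) on a real file; an empty list means the three names agree and the ranges are disjoint.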
