[Samba] Samba4: Setting up share/security permissions for shares on member server

Rowland Penny rowlandpenny at googlemail.com
Tue Oct 21 11:59:10 MDT 2014


On 21/10/14 18:39, ?icro MEGAS wrote:
> Hello,
>
> I am running Samba 4.1.12/Sernet on Debian Wheezy 64bit and I am about to set up my member server. The DC was provisioned with rfc2307 and extended attributes. I have assigned to the domain group called "Domain Users" the GID=10000. My member server was prepared with ACL+user_xattr and winbind support. My /etc/nsswitch.conf is using "winbind" for passwd+group, and "getent passwd" on the member server is returning the AD user accounts, which I assigned a UID to with the ADUC tool at tab UNIX Attribute. I was told *NEVER EVER* to assign a UID through the "UNIX Attribute" tab in ADUC tool for the "Administrator" user. Here begins the problem:
>
> When the user "Administrator" doesn't have a UID assigned as a UNIX Attribute, he will never be listed in "getent passwd" on my member server and thus will never be usable as a user on the member server. Here I am stuck: I wanted to configure the [home] and [profiles] share on my member server according to the wiki (https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Setup_share_permissions). The wiki says I should grant "SeDiskOperatorPrivilege" to the "Domain Admins" group. I did execute that on the DC and ensured also on the DC with the command "net rpc rights list accounts -Uadministrator" that it was applied successfully. On the member server I created with "mkdir -p /srv/samba4_data/home" the path for the [home] share.
>
> Then I log in to a Windows XP machine that is joined to my Samba4/AD domain with a user that is a member of the domain group "Domain Admins". I do it exactly as described in (https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Setup_share_permissions). Through "Computer Management" I connect to my member server and I see the [home] share. I can change and apply the  settings as described on the Wiki. But as soon as I click the  tab, everything is greyed out, I cannot change anything there. In my understanding that is what I would expect, because there are no rights for "MYDOM\johndoe" on the path "membersrv1:/srv/samba4_data/home".
>
> [root at membersrv1:/srv/samba4_data$ ls -ld home
> drwxr-xr-x 2 root root 4096 Okt 21 19:11 home
>
> [root at membersrv1:/srv/samba4_data$ getfacl home
> # file: home
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::ra-x
>
> How should I be able to edit the security settings as explained on the wiki? What did I miss here? Any help appreciated.
>
> Mirco
OK, edit smb.conf on the member server, add this line:

username map = /etc/samba/smbmap

Now create the smbmap file:

nano /etc/samba/smbmap

!root = EXAMPLE\Administrator EXAMPLE\administrator Administrator administrator


Change 'EXAMPLE' to your workgroup name.

This will map the windows Administrator to the Unix root user (which is 
what you want/need)

Restart samba daemons and you should now find that everything will work 
better ;-)

Rowland
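To make the effect of the smbmap line above concrete, here is a small resolver for Samba-style 'username map' files. It is an added example, not Samba's own code or anything from this thread: it implements the rules as documented for smb.conf (lines are processed in order, '#' starts a comment, a leading '!' stops processing after a match, '@group' matches members of a Unix group, '*' is a wildcard, and name comparison is case-insensitive), but those semantics are this script's assumptions and should be checked against the Samba version actually deployed. The domain name MYDOM, the 'staff' group and its members are constructed sample data.

```python
"""Resolve Windows user names through a Samba-style 'username map' file.

Added example only; not Samba code.  The matching rules implemented here
(in-order processing, '!' stops after a match, '#' comments, '@group'
membership, '*' wildcard, case-insensitive comparison) are assumptions
taken from the smb.conf documentation, not a guarantee about the exact
behaviour of any particular Samba release.
"""
import fnmatch

# Constructed sample: the smbmap file from the reply with the workgroup
# placeholder replaced by a made-up domain name, plus one '@group' line.
SAMPLE_SMBMAP = """\
# map the Windows domain Administrator onto the Unix root user
!root = MYDOM\\Administrator MYDOM\\administrator Administrator administrator
# any member of the Unix group 'staff' is logged in as the shared account
staff_user = @staff
"""

# Constructed group membership standing in for 'getent group' / winbind.
GROUPS = {"staff": {"alice", "bob"}}


def parse_username_map(text):
    """Return a list of (unix_name, [patterns], stop) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or "=" not in line:
            continue
        stop = line.startswith("!")              # '!' = stop after a match
        if stop:
            line = line[1:].lstrip()
        unix_name, _, rhs = line.partition("=")
        entries.append((unix_name.strip(), rhs.split(), stop))
    return entries


def _matches(pattern, name):
    """Case-insensitive match of one map pattern against a user name."""
    if pattern.startswith("@"):
        members = GROUPS.get(pattern[1:], set())
        return name.lower() in {m.lower() for m in members}
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def resolve(entries, windows_name):
    """Walk the map in order, rewriting the name on each match.

    A matched '!' line ends the walk; otherwise later lines are applied to
    the already-mapped name.  Unmatched names pass through unchanged.
    """
    current = windows_name
    for unix_name, patterns, stop in entries:
        if any(_matches(p, current) for p in patterns):
            current = unix_name
            if stop:
                break
    return current


def mapped_to_root(entries, windows_name):
    """True if the given Windows name ends up as the Unix root account.

    Useful as a sanity check when reviewing a map: only the intended
    domain administrator entry should ever resolve to root.
    """
    return resolve(entries, windows_name) == "root"


if __name__ == "__main__":
    table = parse_username_map(SAMPLE_SMBMAP)
    for name in ("MYDOM\\Administrator", "administrator", "alice", "carol"):
        print(f"{name!r:25} -> {resolve(table, name)!r}")
```

Run it directly to see each constructed name resolved; `mapped_to_root` is the check a reviewer would apply to a real map file to confirm that nothing beyond the domain Administrator aliases is routed to root.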
