[Samba] Fileserver and access groups

[jd at ionica.lv]

Citēju Rowland Penny <rowlandpenny at googlemail.com>:

> On 30/03/15 18:00, jd at ionica.lv wrote:
>> Hi!
>>
>> I have Samba AD DC and Samba fileserver (hereafter-FS) as domain  
>> member. I need to organize access to the specific shares on FS for  
>> a groups of specific domain users. Where should I make the domain  
>> user groups - on DC, on FS or on both?
>>
>> Does the FS need any local Samba users at all? What if domain  
>> users' homes are located on FS?


> All your users & groups should be stored in AD, except for users  
> like 'root' (yes korashi I am looking at you) or www-data, ntp etc  
> i.e. any user or group that has an ID less than 1000.
>
> You use ACLs for users homes stored on the fileserver, the  
> fileserver needs to be joined to the domain.

can you elaborate a bit on this?

fileserver is joined to the domain, but seems not getting something  
(or the cfg I made is wrong - it does not allow me to open my home  
\\fs\user while being logged on to the domain (ok, I am logged into  
the domain over VPN and it seems to be enough for domain  
administration using windows tools)

wbinfo -u (executed on FS) lists all domain users, as well as wbinfo  
-g - groups.

But if I try to get info on myself using wdinfo -i user at DOMAIN, i get
"Failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND"

Another thing I do not understand is: how can I set permissions for  
shares on FS in the form of DOMAIN\user or DOMAIN\group?

Janis