[Samba] Fileserver and access groups

[Rowland Penny]

On 04/04/15 19:11, jd at ionica.lv wrote:
>
> Citēju Rowland Penny <rowlandpenny at googlemail.com>:
>
>> On 30/03/15 18:00, jd at ionica.lv wrote:
>>> Hi!
>>>
>>> I have Samba AD DC and Samba fileserver (hereafter-FS) as domain 
>>> member. I need to organize access to the specific shares on FS for a 
>>> groups of specific domain users. Where should I make the domain user 
>>> groups - on DC, on FS or on both?
>>>
>>> Does the FS need any local Samba users at all? What if domain users' 
>>> homes are located on FS?
>
>
>> All your users & groups should be stored in AD, except for users like 
>> 'root' (yes korashi I am looking at you) or www-data, ntp etc i.e. 
>> any user or group that has an ID less than 1000.
>>
>> You use ACLs for users homes stored on the fileserver, the fileserver 
>> needs to be joined to the domain.
>
> can you elaborate a bit on this?

Not much can be said on this really, you CANNOT have any local Unix 
users that are also required to be AD domain users, this also goes for 
groups.

>
> fileserver is joined to the domain, but seems not getting something 
> (or the cfg I made is wrong - it does not allow me to open my home 
> \\fs\user while being logged on to the domain (ok, I am logged into 
> the domain over VPN and it seems to be enough for domain 
> administration using windows tools)
>
> wbinfo -u (executed on FS) lists all domain users, as well as wbinfo 
> -g - groups.
>

What wbinfo shows is only what is possible, unless 'getent' shows 
results, you ain't going any further.

> But if I try to get info on myself using wdinfo -i user at DOMAIN, i get
> "Failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND"
>
> Another thing I do not understand is: how can I set permissions for 
> shares on FS in the form of DOMAIN\user or DOMAIN\group?
>

Easiest way is to use windows tools, but you need to get uid & gids from 
AD on the Unix machines

Can I suggest that you read the samba wiki.

Rowland
> Janis
>