[Samba] Adding a new share
Rowland Penny
rowlandpenny241155 at gmail.com
Fri Sep 11 17:33:03 UTC 2015
On 11/09/15 18:12, Robert Moskowitz wrote:
>
>
> On 09/11/2015 12:30 PM, Rowland Penny wrote:
>> On 11/09/15 17:16, Robert Moskowitz wrote:
>>> From:
>>>
>>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#Preparatory_work
>>>
>>>
>>> It instructs:
>>>
>>> setfacl -m g:"domain admins":rwx /srv/samba/Demo/
>>>
>>> or use another group or user.
>>>
>>> Where are these defined, and when I do a
>>>
>>> ls -ls /srv/samba/Demo/
>>>
>>> what will I see?
>>>
>>> I did try the above command and got:
>>>
>>> setfacl: Option -m: Invalid argument near character 3
>>>
>>>
>>> So I need more help than what I see in the wiki. But that is not
>>> new! ;)
>>>
>>>
>>>
>>
>> Ah, 'setfacl' has an opposite, 'getfacl' , so try 'getfacl
>> /srv/samba/Demo'
>
> # getfacl /srv/samba/Demo
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/Demo
> # owner: root
> # group: users
> # flags: -s-
> user::rwx
> group::rwx
> other::---
>
>
>>
>> I 'think' your problem is that before you can set the ACL with
>> setfacl, your Unix box needs to be able to resolve "domain admins",
>> so, do you get anything if you run 'getent group Domain\ Admins' ?
>
> Nothing.
>
>
Thought so, as standard AD users and groups do not have a uidNumber or
gidNumber, but to be visible to Unix they need one. If you run Samba on
a member server with the 'ad' idmap backend, even if you give every user
a uidNumber they will still not be shown by getent unless you also give
Domain Users a gidNumber. If you want Domain Admins to also be visible,
you will also have to give the group a gidNumber.

There is yet another 'gotcha' on a DC: you need to set up
/etc/nsswitch.conf to use winbind and have the relevant links in place,
see here for more info:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland
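
Added example, not part of the original message or of the Samba wiki: a pre-flight script that runs the two checks discussed above (winbind listed in nsswitch.conf, and the group resolving through getent) before printing the setfacl command. The function names and the optional third argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Pre-flight for: setfacl -m g:"<group>":rwx <dir>
# setfacl rejects a group name that NSS cannot resolve, so check resolution first.

# Return 0 if database $2 (passwd or group) in nsswitch file $1 lists winbind.
nss_uses_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments, split "db:src"
        $1 == (db ":") {
            for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1
        }
        END { exit !found }
    ' "$1"
}

# Print the GID of group $1 if it resolves through NSS, else return 1.
group_gid() {
    entry=$(getent group "$1" 2>/dev/null) || return 1
    printf '%s\n' "$entry" | cut -d: -f3
}

# usage: preflight <group> <dir> [nsswitch file]
# Returns 1 if winbind is missing from nsswitch, 2 if the group is unresolvable.
preflight() {
    group=$1 dir=$2 nss=${3:-/etc/nsswitch.conf}
    for db in passwd group; do
        nss_uses_winbind "$nss" "$db" || {
            echo "FAIL: '$db' line in $nss does not list winbind"
            return 1
        }
    done
    gid=$(group_gid "$group") || {
        echo "FAIL: getent cannot resolve '$group' (no gidNumber set?)"
        return 2
    }
    echo "OK: '$group' resolves to gid $gid"
    echo "setfacl -m g:\"$group\":rwx $dir"
}

# Example invocation: sh preflight.sh "domain admins" /srv/samba/Demo
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```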