[Samba] Adding a new share
Robert Moskowitz
rgm at htt-consult.com
Fri Sep 11 17:42:05 UTC 2015
On 09/11/2015 01:33 PM, Rowland Penny wrote:
> On 11/09/15 18:12, Robert Moskowitz wrote:
>>
>>
>> On 09/11/2015 12:30 PM, Rowland Penny wrote:
>>> On 11/09/15 17:16, Robert Moskowitz wrote:
>>>> From:
>>>>
>>>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#Preparatory_work
>>>>
>>>>
>>>> It instructs:
>>>>
>>>> setfacl -m g:"domain admins":rwx /srv/samba/Demo/
>>>>
>>>> or use another group or user.
>>>>
>>>> Where are these defined, and when I do a
>>>>
>>>> ls -ls /srv/samba/Demo/
>>>>
>>>> what will I see?
>>>>
>>>> I did try the above command and got:
>>>>
>>>> setfacl: Option -m: Invalid argument near character 3
>>>>
>>>>
>>>> So I need more help than what I see in the wiki. But that is not
>>>> new! ;)
>>>>
>>>>
>>>>
>>>
>>> Ah, 'setfacl' has an opposite, 'getfacl', so try 'getfacl
>>> /srv/samba/Demo'
>>
>> # getfacl /srv/samba/Demo
>> getfacl: Removing leading '/' from absolute path names
>> # file: srv/samba/Demo
>> # owner: root
>> # group: users
>> # flags: -s-
>> user::rwx
>> group::rwx
>> other::---
>>
>>
>>>
>>> I 'think' your problem is that before you can set the ACL with
>>> setfacl, your Unix box needs to be able to resolve "domain admins",
>>> so, do you get anything if you run 'getent group Domain\ Admins' ?
>>
>> Nothing.
>>
>>
>
> Thought so, as standard AD users and groups do not have a uidNumber or
> gidNumber, but to be visible to Unix they need one. If you run samba
> on a member server with the 'ad' idmap backend, even if you give every
> user a uidNumber they will still not be shown by getent unless you
> also give Domain Users a gidNumber. If you want Domain Admins to also
> be visible, you will also have to give the group a gidNumber.
>
> There is yet another 'gotcha' on a DC, you need to set up
> /etc/nsswitch.conf to use winbind and have the relevant links in
> place, see here for more info:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

I will get to the Member Server next week, after the New Year. Right
now I was hoping to do some initial testing with an XP workstation to
the AD and access a Demo share.

I am trying to follow directions for setting up a share, but doing it on
the AD.
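
Added example (not part of the thread or the Samba wiki): a POSIX shell preflight for the failure discussed above. It checks with `getent group` that the group name resolves before calling `setfacl`, and reports the unresolved-group case separately. The function names and exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Function names and exit codes are hypothetical,
# not taken from the Samba wiki or from the thread.

# setfacl looks group names up through NSS, the same lookup that
# 'getent group' performs. Return 0 only when the name maps to a group.
group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# Grant rwx on a directory to a group, refusing early when the group is
# unknown to NSS instead of letting setfacl fail with "Invalid argument".
# Exit codes: 0 applied, 1 setfacl failed, 2 group unresolved, 3 bad directory.
grant_group_rwx() {
    group=$1
    dir=$2
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 3
    fi
    if ! group_resolves "$group"; then
        echo "group '$group' is not resolvable (getent group returned nothing)" >&2
        echo "check gidNumber/idmap and the winbind entries in /etc/nsswitch.conf" >&2
        return 2
    fi
    setfacl -m "g:$group:rwx" "$dir" || return 1
    # -p keeps the leading '/' so the output names the path as given.
    getfacl -p "$dir"
}

# Run only when called with two arguments, e.g.:
#   ./grant.sh "domain admins" /srv/samba/Demo
if [ "$#" -eq 2 ]; then
    grant_group_rwx "$1" "$2"
fi
```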