[Samba] Adding a new share

Rowland Penny rowlandpenny241155 at gmail.com
Fri Sep 11 18:06:32 UTC 2015


On 11/09/15 18:42, Robert Moskowitz wrote:
>
>
> On 09/11/2015 01:33 PM, Rowland Penny wrote:
>> On 11/09/15 18:12, Robert Moskowitz wrote:
>>>
>>>
>>> On 09/11/2015 12:30 PM, Rowland Penny wrote:
>>>> On 11/09/15 17:16, Robert Moskowitz wrote:
>>>>> From:
>>>>>
>>>>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#Preparatory_work 
>>>>>
>>>>>
>>>>> It instructs:
>>>>>
>>>>> setfacl -m g:"domain admins":rwx /srv/samba/Demo/
>>>>>
>>>>> or use another group or user.
>>>>>
>>>>> Where are these defined, and when I do a
>>>>>
>>>>> ls -ls /srv/samba/Demo/
>>>>>
>>>>> what will I see?
>>>>>
>>>>> I did try the above command and got:
>>>>>
>>>>> setfacl: Option -m: Invalid argument near character 3
>>>>>
>>>>>
>>>>> So I need more help than what I see in the wiki.  But that is not 
>>>>> new!  ;)
>>>>>
>>>>>
>>>>>
>>>>
>>>> Ah, 'setfacl' has an opposite, 'getfacl', so try 'getfacl 
>>>> /srv/samba/Demo'
>>>
>>> # getfacl /srv/samba/Demo
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: srv/samba/Demo
>>> # owner: root
>>> # group: users
>>> # flags: -s-
>>> user::rwx
>>> group::rwx
>>> other::---
>>>
>>>
>>>>
>>>> I 'think' your problem is that before you can set the ACL with 
>>>> setfacl, your Unix box needs to be able to resolve "domain admins", 
>>>> so, do you get anything if you run 'getent group Domain\ Admins' ?
>>>
>>> Nothing.
>>>
>>>
>>
>> Thought so, as standard AD users and groups do not have a uidNumber 
>> or gidNumber, but to be visible to Unix they need one. If you run 
>> samba on a member server with the 'ad' idmap backend, even if you 
>> give every user a uidNumber they will still not be shown by getent 
>> unless you also give Domain Users a gidNumber. If you want Domain 
>> Admins to also be visible, you will also have to give the group a 
>> gidNumber.
>>
>> There is yet another 'gotcha' on a DC, you need to set up 
>> /etc/nsswitch.conf to use winbind and have the relevant links in 
>> place, see here for more info:
>>
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> I will get to the Member Server next week,  after the New Year. Right 
> now I was hoping to do some initial testing with an XP workstation to 
> the AD and access a Demo share.
>
> I am trying to follow directions for setting up a share, but doing it 
> on the AD.
>

Yes, I know :-)
You use the same basic winbind setup on the DC as on a member server. 
You need to ensure that the winbind links are in place, if you are using 
packages, these should be there, but if you compile samba yourself, they 
won't be, see the member server wiki page. To make winbind work with 
getent, you need to alter /etc/nsswitch.conf, find the passwd & group 
lines and add 'winbind' to the end, getent should now work.

Rowland
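
The checks described in this reply (winbind on the passwd and group lines of /etc/nsswitch.conf, then getent resolving the group before setfacl is run), as an added shell example that is not part of the original thread. The function names are hypothetical, and the optional file argument is an assumption so the parser can be pointed at a test copy of nsswitch.conf.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before
# granting a domain group an ACL with setfacl.

# Return 0 if database $2 (passwd or group) in nsswitch file $1 lists winbind.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                       # ignore comments
        {
            n = index($0, ":"); if (!n) next
            name = substr($0, 1, n - 1); gsub(/[ \t]/, "", name)
            if (name != db) next
            m = split(substr($0, n + 1), src, /[ \t]+/)
            for (i = 1; i <= m; i++) if (src[i] == "winbind") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print each of passwd/group that lacks winbind; return 0 only if both have it.
nss_missing_winbind() {
    missing=""
    for db in passwd group; do
        nss_has_winbind "$1" "$db" || missing="$missing $db"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Return 0 only if the group name resolves through NSS (what setfacl needs).
group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# Apply the ACL only when the group resolves; otherwise report why and stop.
# usage: set_group_acl GROUP PERMS DIR [NSSWITCH_FILE]
set_group_acl() {
    if ! group_resolves "$1"; then
        echo "group '$1' not resolvable; nsswitch lines lacking winbind:" \
             "$(nss_missing_winbind "${4:-/etc/nsswitch.conf}")" >&2
        return 1
    fi
    setfacl -m "g:$1:$2" "$3"
}
```

Refusing to run setfacl until the name resolves avoids the "Invalid argument near character 3" failure quoted above and makes the missing NSS configuration visible instead.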



