[Samba] chgrp "Domain Admins" on folder return invalid group "Domain Admins"

Rowland penny rpenny at samba.org
Tue Apr 5 14:33:31 UTC 2016


On 05/04/16 15:22, Jules Houantonon wrote:
> Thank you Rowland,
>
> I did not change my existing configuration, as I have already 
> indicated the winbind value on both passwd and group lines in nsswitch.conf.
>
> But I executed the net cache flush command and then tried the getent command 
> by providing the user name, and it works.
>
> It provides output for a demo account that is only created in AD and 
> has a Unix attribute assigned:
> #getent passwd demo
> demo:*:10001:10001:demo demo:/home/DEMO/demo:/bin/false
>
> So now, I should be able to define file or folder rights from the Linux OS 
> with AD users.
>
> I think that we can consider this subject Solved with your permission.

There is just one last thing you may want to know: as you can see, every 
user's home path is set to '/home/DEMO/' and their shell is set to 
'/bin/false'. You can change these if you wish, but only on a domain 
basis. You probably don't need to change either if your users will never 
actually log into the DC, but if they do, these can be changed by adding 
'template homedir = /what/ever/path/you/want' & 'template shell = /bin/bash'.

Rowland
>
> Many thanks again
>
> On Tue, Apr 5, 2016 at 2:52 PM, Rowland penny <rpenny at samba.org> wrote:
>
>     On 05/04/16 14:32, Jules Houantonon wrote:
>
>         Thank you Rowland for your mail.
>
>         My aim is to create a fileserver with samba4 and with ACL
>         support. Users must log on through their Windows machines that are in
>         the domain to access their shares.
>
>         The Samba how-to and your explanations opened my eyes to the
>         interaction between Samba users and groups and the Linux OS.
>
>         From ADUC, I assigned a Unix attribute to a user account, and
>         automatically it is given 10000 as its UID; the getent command
>         still does not display it.
>
>
>     The next one should get 10001
>
>
>         So in my plan, users should only exist in active directory.
>         Does that mean that getent can still display user or group
>         information that will only exist in AD?
>
>
>     getent will display users known to the underlying OS, this is done
>     by specifying what methods to use in /etc/nsswitch.conf. For
>     users, there is a line that starts 'passwd', this normally
>     contains 'compat ' or 'files' and will mean 'getent passwd auser'
>     will return the user's info found in the file /etc/passwd. If you
>     want to use a different method to get a user's info, you
>     would add it after 'compat ' or 'files', i.e. to use winbind
>     'passwd compat winbind'. This would mean that when you run 'getent
>     passwd auser' , the user would be found by first searching in
>     /etc/passwd (this is why you cannot have users in /etc/passwd &
>     AD) and then by asking winbind. On a DC, winbind would assign an
>     xidNumber and then store it in idmap.ldb *or* you can give each
>     user a 'uidNumber' and then this will be used instead, only
>     problem is that the old xidNumber will take precedence for a time,
>     but you can short circuit this by running:
>
>     net cache flush
>
>
>         Sorry if I am missing something.
>
>         Thank you
>
>
>
>
>
>
>
> -- 
> Jules HOUANTONON
> /Phone/: (00229) 97578914
> /Email/: juleshoueto at gmail.com
> /Skype/: houantonon
> /linkedin/: www.linkedin.com/in/jhouantonon/en
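
An added example (not from the thread or from the Samba project): an offline check for the two conditions described in this exchange, namely that winbind is listed on the passwd and group lines of nsswitch.conf, and that no name exists both in the local files and in AD. The file contents and AD name lists below are constructed sample inputs; on a real host the AD names could come from `wbinfo -u` and `wbinfo -g`.

```python
import re

def nss_sources(nsswitch_text, database):
    """Ordered lookup sources for one database line of nsswitch.conf."""
    for raw in nsswitch_text.splitlines():
        name, sep, rest = raw.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            # Drop action items such as [NOTFOUND=return]; keep service names.
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def local_names(file_text):
    """Names from passwd/group-format text, skipping compat +/- entries."""
    return {line.split(":", 1)[0] for line in file_text.splitlines()
            if line.strip() and not line.startswith(("#", "+", "-"))}

def audit(nsswitch_text, local_text, ad_names):
    """local_text and ad_names are dicts keyed by 'passwd' and 'group'."""
    findings = []
    for db in ("passwd", "group"):
        sources = nss_sources(nsswitch_text, db)
        if "winbind" not in sources:
            # AD names cannot resolve for this database (e.g. chgrp fails).
            findings.append((db, "winbind-missing", None))
            continue
        before = sources[:sources.index("winbind")]
        # Sources are tried left to right, so a local entry answers first
        # and hides the AD account or group with the same name.
        if any(s in ("files", "compat") for s in before):
            ad_lower = {n.lower() for n in ad_names[db]}
            for name in sorted(local_names(local_text[db])):
                if name.lower() in ad_lower:
                    findings.append((db, "shadowed-by-local", name))
    return findings

# Constructed sample inputs (assumptions, not taken from the thread).
NSSWITCH = """\
passwd:  compat winbind   # users: local files first, then AD
group:   compat
hosts:   files dns
"""
LOCAL = {"passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "demo:x:1001:1001::/home/demo:/bin/sh\n",
         "group": "root:x:0:\nusers:x:100:\n"}
AD = {"passwd": ["Administrator", "demo"],
      "group": ["Domain Admins", "Domain Users"]}

if __name__ == "__main__":
    for db, problem, name in audit(NSSWITCH, LOCAL, AD):
        print(db, problem, name or "")
```
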
