[Samba] File Server recognize users and groups AD

Ricardo Pardim Claus ricardo.claus at yahoo.com.br
Thu Aug 4 19:26:23 UTC 2016


Dear,
I'm having trouble getting Samba to recognize the permissions assigned to groups and users created in AD.
Scenario:

DC1 = Primary DC
DC2 = secondary DC + file server

Both running the 4.4.5 version of Samba (Centos 7).

When I add permissions to a folder from a Windows desktop, I am able to set permissions for AD users and groups.
What do I need to set up so that the AD groups and users are recognized in Samba's permissions?
Finally, I try to view the permissions with the following command:

getfacl /mnt/data/share

The result is this:


getfacl: Removing leading '/' from absolute path names
# file: mnt/data/share
# owner: 3000000
# group: users
user::rwx
user:3000016:rwx
group::r-x
group:users:r-x
group:3000000:rwx
group:3000016:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:3000000:rwx
default:user:3000016:rwx
default:group::r-x
default:group:users:r-x
default:group:3000016:rwx
default:mask::rwx
default:other::r-x



Here is the smb.conf of my DC2 (secondary DC + file server):

# Global parameters
[global]
bind interfaces only = Yes
interfaces = lo eth0
netbios name = SRV15
realm = DOMAIN.LOCAL
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = DOMAIN
server role = active directory domain controller
comment =
log file = /var/log/samba/%m.log
log level = 1
#
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[dados]
comment = Share
path = /mnt/data/share
read only = No
browseable = Yes
inherit acls = Yes
inherit permissions = Yes



When I try to set a permission: 

setfacl -R -m default: group: "Domain Admins": rwx /mnt/data/share 
setfacl: Option -m: Argument invalid character near 15
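Editor's note with an added example (not from the post above or from the Samba project). Two things a practitioner would check here. First, the setfacl spec must be passed as a single argument with no spaces after the colons: the shell splits `default: group: "Domain Admins": rwx` into several words, which is why setfacl reports an invalid character; the name also has to be the one NSS/winbind resolves, which on a default setup is `DOMAIN\Domain Admins` (backslash as the winbind separator). Second, the numeric entries in the getfacl output (3000000, 3000016) are IDs that NSS cannot map back to a name; on a Samba AD DC, winbind allocates IDs from idmap.ldb and the `idmap config DOMAIN:*` lines apply only to domain member servers, with `idmap_ldb:use rfc2307 = yes` being the DC-side option for using uidNumber/gidNumber from AD. The script below assumes the share path `/mnt/data/share`, the domain `DOMAIN` and the group name `DOMAIN\Domain Admins`; the getfacl output it parses is the one from the post, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post or from the Samba project.
# Assumed names: share /mnt/data/share, domain DOMAIN, winbind separator '\',
# so the group resolves as 'DOMAIN\Domain Admins' (adjust to your setup).

# Constructed input: the getfacl output from the post, embedded so this
# runs offline. On the server use:  getfacl /mnt/data/share | unresolved_ids
SAMPLE_ACL='# file: mnt/data/share
# owner: 3000000
# group: users
user::rwx
user:3000016:rwx
group::r-x
group:users:r-x
group:3000000:rwx
group:3000016:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:3000000:rwx
default:user:3000016:rwx
default:group::r-x
default:group:users:r-x
default:group:3000016:rwx
default:mask::rwx
default:other::r-x'

# unresolved_ids: read getfacl output on stdin and print each distinct
# "<user|group> <id>" whose principal is still a bare number. getfacl only
# prints a number when NSS (here winbind) cannot map the id to a name, so
# every line of output is an id the file server cannot resolve.
unresolved_ids() {
    awk -F: '
        /^#/ { next }                       # skip the "# file/owner/group" header
        {
            i = ($1 == "default") ? 2 : 1   # default:<tag>:<qualifier>:<perms>
            if (($i == "user" || $i == "group") && $(i+1) ~ /^[0-9]+$/)
                seen[$i " " $(i+1)] = 1
        }
        END { for (k in seen) print k }
    ' | sort
}

# acl_spec TAG NAME PERMS [default]: build one setfacl entry as a single
# string. The post's command failed because spaces after the colons made the
# shell split the spec into several arguments; the spec must be one word,
# and the name may contain spaces or the winbind separator as long as the
# whole spec is quoted when handed to setfacl.
acl_spec() {
    printf '%s%s:%s:%s' "${4:+default:}" "$1" "$2" "$3"
}

# apply_group_acl SHARE GROUP: refuse to write an ACL for a name NSS cannot
# resolve (setfacl would fail anyway, but the message is clearer), then set
# the access entry and the default (inherited) entry recursively.
apply_group_acl() {
    share=$1
    grp=$2
    if ! getent group "$grp" >/dev/null; then
        echo "cannot resolve '$grp' via NSS; check winbind and nsswitch.conf" >&2
        return 1
    fi
    setfacl -R -m "$(acl_spec group "$grp" rwx)" "$share" &&
        setfacl -R -m "$(acl_spec group "$grp" rwx default)" "$share"
}

# Offline run: list the unresolved ids in the sample and print the spec the
# post's command should have passed. The real call is left commented out.
printf '%s\n' "$SAMPLE_ACL" | unresolved_ids
acl_spec group 'DOMAIN\Domain Admins' rwx default; echo
# apply_group_acl /mnt/data/share 'DOMAIN\Domain Admins'
```

If `getent group 'DOMAIN\Domain Admins'` returns nothing on the DC, the ACL step cannot succeed whatever the quoting; that is the point at which to look at the idmap side (idmap.ldb on a DC, or the `idmap config` ranges on a member server) and at `winbind` in `/etc/nsswitch.conf`.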


