[Samba] File Server recognize users and groups AD

Rowland Penny rpenny at samba.org
Thu Aug 4 20:44:03 UTC 2016


On Thu, 4 Aug 2016 19:26:23 +0000 (UTC)
Ricardo Pardim Claus <ricardo.claus at yahoo.com.br> wrote:

> Dear,
> I'm having trouble getting Samba to recognize the permissions assigned
> to groups and users created in AD. Scenario:
> 
> DC1 = Primary DC
> DC2 = secondary DC + file server
> 
> Both running the 4.4.5 version of Samba (Centos 7).
> 
> When I add permissions to a folder using a Windows desktop, I am able
> to set permissions for AD users and groups. What do I need to set up so
> that the AD groups and users are recognized in Samba's permissions?
> Finally, I'm trying to view the permissions using the following
> command:
> 
> getfacl /mnt/data/share
> 
> The result is this:
> 
> 
> getfacl: Removing leading '/' from absolute path names 
> # file: mnt/data/share
> # owner: 3000000 
> # group: users 
> user::rwx 
> user:3000016:rwx 
> group::r-x 
> group:users:r-x 
> group:3000000:rwx 
> group:3000016:rwx 
> mask::rwx 
> other::r-x 
> default:user::rwx 
> default:user:3000000:rwx 
> default:user:3000016:rwx 
> default:group::r-x 
> default:group:users:r-x 
> default:group:3000016:rwx 
> default:mask::rwx 
> default:other::r-x 
> 
> 
> 
> Here is the smb.conf of my DC2 (secondary DC + file server):
> 
> # Global parameters 
> [global] 
> bind interfaces only = Yes 
> interfaces = lo eth0 
> netbios name = SRV15 
> realm = DOMAIN.LOCAL 
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> workgroup = DOMAIN 
> server role = active directory domain controller 
> comment = 
> log file = /var/log/samba/%m.log 
> log level = 1 
> # 
> # Default idmap config used for BUILTIN and local accounts/groups 
> idmap config *:backend = tdb 
> idmap config *:range = 2000-9999 
> 
> # idmap config for domain DOMAIN 
> idmap config DOMAIN:backend = ad 
> idmap config DOMAIN:schema_mode = rfc2307 
> idmap config DOMAIN:range = 10000-99999 
> 
> # Use settings from AD for login shell and home directory 
> winbind nss info = rfc2307 
> 
> vfs objects = acl_xattr 
> map acl inherit = Yes 
> store dos attributes = Yes 
> 
> [netlogon] 
> path = /usr/local/samba/var/locks/sysvol/domain.local/scripts 
> read only = No 
> 
> [sysvol] 
> path = /usr/local/samba/var/locks/sysvol 
> read only = No 
> 
> [dados] 
> comment = Share 
> 
> path = /mnt/data/share
> read only = No 
> 
> browseable = Yes 
> inherit acls = Yes 
> inherit permissions = Yes 
> 
> 
> 
> When I try to set a permission: 
> 
> setfacl -R -m default: group: "Domain Admins": rwx /mnt/data/share 
> setfacl: Option -m: Argument invalid character near 15
> 

Sorry, but the lines you have added to the [global] section of
your smb.conf will do nothing on an AD DC.

Does 'getent group Domain\ Admins' produce any output?
If not, you need to set up libnss-winbind.

Rowland
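Two things in the quoted message are worth checking mechanically: the numeric qualifiers (3000000, 3000016) in the getfacl output, which are IDs that the name service could not map to a name, and the setfacl entry, which failed because of the spaces after the colons. The script below is an added example, not code from the thread or from the Samba project. It embeds the thread's getfacl output as a constructed sample and defines three hypothetical helpers: `unresolved_ids` lists the numeric user/group qualifiers in getfacl output, `acl_entry` builds a single correctly formed entry for `setfacl -m`, and `group_resolves` wraps `getent group` (this last one only gives a meaningful answer on a host joined to the domain).

```shell
#!/bin/sh
# Added example (not from the thread): find ACL entries whose owner could not
# be resolved to a name, and build a setfacl entry with the right syntax.

# Constructed sample: the getfacl output quoted in the original message.
SAMPLE_ACL='# file: mnt/data/share
# owner: 3000000
# group: users
user::rwx
user:3000016:rwx
group::r-x
group:users:r-x
group:3000000:rwx
group:3000016:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:3000000:rwx
default:user:3000016:rwx
default:group::r-x
default:group:users:r-x
default:group:3000016:rwx
default:mask::rwx
default:other::r-x'

# Print the distinct numeric qualifiers found in user:/group: entries, one
# per line, sorted. A purely numeric qualifier means NSS (and so winbind)
# did not map that ID back to an AD user or group name. Reads getfacl
# output on stdin.
unresolved_ids() {
    awk -F: '
        /^#/ { next }                       # skip the file/owner/group header
        {
            # drop a leading "default:" so the tag and qualifier line up
            if ($1 == "default") { tag = $2; q = $3 } else { tag = $1; q = $2 }
            if ((tag == "user" || tag == "group") && q ~ /^[0-9]+$/) print q
        }' | sort -u
}

# Build one ACL entry for "setfacl -m". The entry must be a single
# colon-separated token; a group name containing a space is fine as long as
# the whole entry is passed as one quoted argument.
#   $1 = "default" or "" (access entry), $2 = user|group, $3 = name, $4 = perms
acl_entry() {
    if [ -n "$1" ]; then
        printf '%s:%s:%s:%s' "$1" "$2" "$3" "$4"
    else
        printf '%s:%s:%s' "$2" "$3" "$4"
    fi
}

# Ask the name service for an AD group. Returns getent's exit status, so a
# zero result means the group name resolves (libnss-winbind is wired up).
group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# Typical use on the file server (not run here):
#   printf '%s\n' "$SAMPLE_ACL" | unresolved_ids
#   if group_resolves "Domain Admins"; then
#       setfacl -R -m "$(acl_entry default group 'Domain Admins' rwx)" /mnt/data/share
#   fi
```

If `unresolved_ids` prints anything for a real share, run `getent passwd <id>` / `getent group <id>` for each; until those return a name, any ACL you set by name will not round-trip, which is the symptom described in the message.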
