[Samba] File Server member DC ACL permissions

Rowland Penny rpenny at samba.org
Wed Aug 10 15:29:37 UTC 2016


On Wed, 10 Aug 2016 14:18:16 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:

> Greetings, 
> 
> Previously I had set up a file server with a DC on the same machine. As
> recommended, I created another machine to be the file server. I
> made the settings as far as I could, but I cannot give
> permissions on shared folders. I must give permissions on shared
> folders to groups and users of the domain. I'm using Samba 4.4.5 on
> the DCs and also on the file server. I joined the file server as a domain
> member. About a file server as a member of a domain, I have not found
> satisfactory documentation. When the second DC was playing the role
> of file server, permissions worked perfectly. What do I need to
> configure so that the file server recognizes the permissions of users and AD
> groups?
> 
> 
> Follow my configuration file:
> 
> 
> smb.conf
> 
> # Global parameters 
> [global] 
> netbios name = SRV16 
> server string = Samba4 Server 
> security = ADS 
> encrypt passwords = Yes 
> realm = OOMAIN.LOCAL 
> workgroup = DOMAIN 
> log file = /var/log/samba/%m.log 
> log level = 1 
> # 
> winbind enum users = yes 
> winbind enum groups = yes 
> winbind use default domain = Yes 
> winbind nss info = rfc2307 
> vfs objects = acl_xattr 
> map acl inherit = Yes 
> store dos attributes = Yes 
> 
> [dados] 
> comment = Pasta dados 
> path = /mnt/data 
> read only = No 
> browseable = Yes 
> inherit acls = Yes 
> inherit permissions = Yes 
> 
> 
> /etc/nsswitch.conf:
> 
> 
> passwd:     files sss winbind 
> shadow:     files sss winbind 
> group:      files sss winbind 
> 
> hosts:      files dns
> bootparams: nisplus [NOTFOUND=return] files 
> ethers:     files 
> netmasks:   files 
> networks:   files 
> protocols:  files 
> rpc:        files 
> services:   files sss 
> netgroup:   files sss 
> publickey:  nisplus 
> automount:  files sss 
> aliases:    files nisplus 
> 
> 
> With these commands, I can view the AD users and groups. 
> wbinfo -u 
> wbinfo -g 
> getent group 
> 
> I applied the Winbind settings as described on the Samba page.
> When I run the following command I get an error:
> 
> # setfacl -R -m default:group:"Domain Admins":rwx /mnt/data/p1
> setfacl: /mnt/data/p1: Malformed default ACL `user::rwx,group::rwx,group:4294967295:rwx,mask::rwx,other::r-x': Duplicate entries at entry 3
> setfacl: /mnt/data/p1/teste.txt: Malformed default ACL `user::rw-,group::r--,group:4294967295:rwx,mask::rwx,other::r--': Duplicate entries at entry 3
> 
> 
> What setting is missing?
> 

I think you may be confusing Samba by having 'sss' and 'winbind'
in /etc/nsswitch. If your version of sssd is new enough, you will have
two versions of a winbind lib installed.

Can I suggest that you choose to use one or the other? I don't think it
is a good idea to use both.

If you decide to use sssd, stop winbindd and stop it from starting, and
remove 'winbind' from /etc/nsswitch. If you still have problems, then
can I also suggest asking the sssd mailing list for help; sssd is not
part of Samba.

If you decide to use winbind, can I suggest you read this wiki page:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

If you have any questions after reading that page (and any sub pages it
points to), come back here and ask.

Rowland
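
As an added illustration (not part of the original message and not Samba project code): a small shell check that lists the nsswitch.conf databases naming both 'sss' and 'winbind', the combination the reply advises against, and flags a group entry whose gid is 4294967295, the value shown in the setfacl error. The function names and the sample input are constructed for this example.

```shell
#!/bin/sh
# Print every NSS database (passwd, group, ...) whose source list contains
# both 'sss' and 'winbind'. Reads the file(s) given as arguments, or stdin.
nss_dual_sources() {
    awk '{
        sub(/#.*/, "")                       # drop comments
        n = index($0, ":")
        if (n == 0) next                     # not a "database: sources" line
        db = substr($0, 1, n - 1)
        gsub(/[ \t]/, "", db)
        cnt = split(substr($0, n + 1), src, /[ \t]+/)
        sss = wb = 0
        for (i = 1; i <= cnt; i++) {         # [NOTFOUND=return] items never match
            if (src[i] == "sss") sss = 1
            if (src[i] == "winbind") wb = 1
        }
        if (sss && wb) print db
    }' "$@"
}

# Takes one line in 'getent group NAME' format (name:passwd:gid:members).
# Returns 1 if the gid is missing, non-numeric, or 4294967295, which is
# 2^32 - 1, i.e. (gid_t)-1, and not a usable group ID.
gid_is_mapped() {
    gid=$(printf '%s\n' "$1" | cut -d: -f3)
    case "$gid" in
        ''|*[!0-9]*|4294967295) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample: the passwd/shadow/group lines from the post plus two others.
sample_nsswitch() {
    cat <<'EOF'
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind
hosts:      files dns
services:   files sss
EOF
}

echo "Databases listing both sss and winbind:"
sample_nsswitch | nss_dual_sources
# On a live member server: gid_is_mapped "$(getent group 'domain admins')"
gid_is_mapped 'domain admins:x:4294967295:' || echo "group gid is (gid_t)-1, not a usable mapping"
```

On a real host, run `nss_dual_sources /etc/nsswitch.conf`; no output means no database lists both sources.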



