[Samba] File Server member DC ACL permissions

Rowland Penny rpenny at samba.org
Wed Aug 10 20:11:13 UTC 2016


On Wed, 10 Aug 2016 19:47:05 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:

> 
> 
> I will choose to use the winbind. 
> Based on the link that Rowland said: 
> 
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member 
> 
> I followed the steps as described in the tutorial. 
> 
> I created symlinks. 
> 
> In the main DC I added this line in smb.conf: 
> 
> idmap_ldb: use RFC2307 = yes 

If this is the first DC you provisioned, you should have already had
this line, did you provision with '--use-rfc2307'?

Try having a look here:

https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

> 
> 
> Changed /etc/nsswitch.conf 
> 

You only need 'winbind' on the 'passwd' & 'group' lines

> 
> My smb.conf: 
> 
> # Global parameters 
> [global] 
>         netbios name = SRV16 
>         server string = Samba4 Server 
>         security = ADS 
>         encrypt passwords = yes 
>         realm = domain.local 
>         workgroup = DOMAIN 
>         log file = /var/log/samba/%m.log 
>         log level = 1 
>         # 
>         winbind enum users = yes 
>         winbind enum groups = yes 
>         winbind use default domain = Yes 
>         winbind nss info = RFC2307 
>         #idmap_ldb: Use 
>         vfs objects = acl_xattr 
>         map acl inherit = Yes 
>         store the attributes = Yes 
>         # Idmap config for domain DOMAIN 
>        idmap config DOMAIN: backend = ad 
>        idmap config DOMAIN: schema_mode = RFC2307 
>        idmap config DOMAIN: 10000-99999 range = 

'idmap config DOMAIN: 10000-99999 range =' 

should be 

'idmap config DOMAIN: range = 10000-99999'

You should also add:

	idmap config *: backend = tdb
	idmap config *: range = 2000-9999

This is where the builtin users & groups are mapped

> 
> 
> [data] 
>         comment = Folder data 
>         path = /mnt/data 
>         read only = No 
>         browseable = yes 
>         inherit acls = Yes 
>         inherit permissions = Yes 
> 
> I can view the groups and users of AD. 
> The "kinit administrator" is working very well. When I try to see the
> ID of a user, it does not return anything. Also I cannot give
> permissions through the shell of the file server, or through a Windows
> host, when logged in as domain admin.

The usual reason for this is not having any RFC2307 attributes in the user's
AD object. The numbers used in the uidNumber & gidNumber attributes must be
inside the '10000-99999' range you set in your smb.conf; you must also
ensure that Domain Users has a gidNumber attribute.

> 
> # setfacl -R -m g:"Domain Admins":rwx /mnt/dados 
> setfacl: /mnt/dados: Malformed access ACL
> `user::rwx,group::r-x,mask::rwx,other::r-x,group:4294967295:rwx':
> Missing or wrong entry at entry 5 setfacl: /mnt/dados/teste:
> Malformed access ACL
> `user::rwx,group::r-x,mask::rwx,other::r-x,group:4294967295:rwx':
> Missing or wrong entry at entry 5
> 
> # ldconfig -v | grep winbind 
> ldconfig: Can not stat /libx32: not directory or file found 
> ldconfig: Path '/usr/lib' given more than once 
> ldconfig: Path '/usr/lib64' given more than once 
> ldconfig: Can not stat /usr/libx32: not directory or file found 
>         libnss_winbind.so.2 -> libnss_winbind.so2
> 
> 

How have you set the libnss_winbind links?

Rowland
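The reply above makes three checks that are easy to script: the 'idmap config' range must be written as 'range = lo-hi', a default '*' domain with its own range is needed for the BUILTIN users and groups, and every user's uidNumber/gidNumber must exist and sit inside the domain range (with Domain Users carrying a gidNumber). The setfacl error in the quoted text is the symptom of the last point: group:4294967295 is (gid_t)-1, the value returned when "Domain Admins" could not be resolved to a gid. The following script is an added example for this thread, not Samba code; SMB_CONF_AS_POSTED, SMB_CONF_FIXED, USERS, GROUPS and SETFACL_ERROR are constructed to mirror the thread, and in practice the user and group records would come from ldbsearch or wbinfo output.

```python
"""Check 'idmap config' lines from an smb.conf and the RFC2307 attributes of
AD users against the ranges they define.  Added example, not Samba's own code;
all sample data below is constructed to mirror the mailing-list thread."""
import re
from typing import Dict, List, Optional, Tuple

GID_UNRESOLVED = 2 ** 32 - 1  # (gid_t)-1: a name that could not be mapped to an id

IDMAP_RE = re.compile(
    r'^idmap config\s+(?P<dom>[^:]+?)\s*:\s*(?P<key>[^=]+?)\s*=\s*(?P<val>.*?)$', re.I)
RANGE_RE = re.compile(r'^(\d+)\s*-\s*(\d+)$')
KNOWN_KEYS = {'backend', 'range', 'schema_mode', 'unix_nss_info', 'unix_primary_group'}

Conf = Dict[str, Dict[str, str]]
Ranges = Dict[str, Tuple[int, int]]


def parse_idmap(smbconf: str) -> Tuple[Conf, List[str]]:
    """Collect {DOMAIN: {key: value}} from 'idmap config' lines and report oddities."""
    conf: Conf = {}
    problems: List[str] = []
    for lineno, raw in enumerate(smbconf.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith('idmap config'):
            continue
        m = IDMAP_RE.match(line)
        if not m:
            problems.append(f'line {lineno}: unparsable idmap line {line!r}')
            continue
        dom = m.group('dom').strip().upper()
        key = m.group('key').strip().lower()
        if key not in KNOWN_KEYS:
            # '10000-99999 range =' lands here: the value ended up in the key
            hint = " (range on the wrong side of '='?)" if re.search(r'\d+\s*-\s*\d+', key) else ''
            problems.append(f'line {lineno}: unknown idmap key {key!r} for {dom}{hint}')
            continue
        conf.setdefault(dom, {})[key] = m.group('val').strip()
    return conf, problems


def check_ranges(conf: Conf) -> Tuple[Ranges, List[str]]:
    """Every domain needs a backend and a well-formed range; ranges must not overlap."""
    ranges: Ranges = {}
    problems: List[str] = []
    if '*' not in conf:
        problems.append("no 'idmap config *' default domain: BUILTIN users/groups cannot be mapped")
    for dom, settings in conf.items():
        if 'backend' not in settings:
            problems.append(f'{dom}: no backend')
        m = RANGE_RE.match(settings.get('range', ''))
        if not m or int(m.group(1)) >= int(m.group(2)):
            problems.append(f'{dom}: missing or malformed range {settings.get("range")!r}')
            continue
        ranges[dom] = (int(m.group(1)), int(m.group(2)))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (a0, a1), (b0, b1) = ranges[a], ranges[b]
            if a0 <= b1 and b0 <= a1:
                problems.append(f'ranges of {a} and {b} overlap')
    return ranges, problems


def check_rfc2307(domain: str, ranges: Ranges, users: List[dict], groups: List[dict]) -> List[str]:
    """uidNumber/gidNumber must exist and fall inside the domain range; Domain Users needs a gid."""
    lo, hi = ranges[domain]
    problems: List[str] = []
    gids = {g['name']: g.get('gidNumber') for g in groups}
    if gids.get('Domain Users') is None:
        problems.append("group 'Domain Users' has no gidNumber (primary group of every user)")
    for u in users:
        for attr in ('uidNumber', 'gidNumber'):
            val = u.get(attr)
            if val is None:
                problems.append(f"user {u['name']}: no {attr}, winbind returns no id")
            elif not lo <= val <= hi:
                problems.append(f"user {u['name']}: {attr} {val} outside {lo}-{hi}")
    return problems


def explain_setfacl_error(msg: str) -> Optional[str]:
    """'group:4294967295' in a setfacl error is (gid_t)-1: the name was never resolved."""
    m = re.search(r'(user|group):(\d+):', msg)
    if m and int(m.group(2)) == GID_UNRESOLVED:
        return f'{m.group(1)} name could not be resolved to an id: identity mapping is missing'
    return None


# Constructed samples: the idmap lines as posted, the corrected form, and AD records.
SMB_CONF_AS_POSTED = """
        idmap config DOMAIN: backend = ad
        idmap config DOMAIN: schema_mode = RFC2307
        idmap config DOMAIN: 10000-99999 range =
"""
SMB_CONF_FIXED = """
        idmap config DOMAIN: backend = ad
        idmap config DOMAIN: schema_mode = RFC2307
        idmap config DOMAIN: range = 10000-99999
        idmap config *: backend = tdb
        idmap config *: range = 2000-9999
"""
USERS = [
    {'name': 'alice', 'uidNumber': 10001, 'gidNumber': 10000},
    {'name': 'bob'},                                         # no RFC2307 attributes at all
    {'name': 'carol', 'uidNumber': 500, 'gidNumber': 10000},  # uidNumber outside the range
]
GROUPS = [{'name': 'Domain Users', 'gidNumber': 10000}, {'name': 'Domain Admins'}]
SETFACL_ERROR = ("setfacl: /mnt/dados: Malformed access ACL "
                 "`user::rwx,group::r-x,mask::rwx,other::r-x,group:4294967295:rwx': "
                 "Missing or wrong entry at entry 5")

if __name__ == '__main__':
    for label, text in (('as posted', SMB_CONF_AS_POSTED), ('fixed', SMB_CONF_FIXED)):
        conf, probs = parse_idmap(text)
        ranges, more = check_ranges(conf)
        print(label + ':', probs + more or ['idmap config ok'])
        if 'DOMAIN' in ranges:
            print('  rfc2307:', check_rfc2307('DOMAIN', ranges, USERS, GROUPS))
    print(explain_setfacl_error(SETFACL_ERROR))
```

Run as posted, the script flags the range sitting on the wrong side of '=' and the missing '*' domain; with the corrected lines the idmap section passes and the remaining findings are the users whose attributes are absent or outside 10000-99999, which is exactly the situation in which 'getent' shows no id and setfacl sees an unresolved group.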
