[Samba] File Server member DC ACL permissions
rpenny at samba.org
Wed Aug 10 20:11:13 UTC 2016
On Wed, 10 Aug 2016 19:47:05 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:
> I will choose to use the winbind.
> Based on the link that Rowland said:
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> I followed the steps as described in the tutorial.
> I created symlinks.
> In the main DC I added this line in smb.conf:
> idmap_ldb: use RFC2307 = yes
If this is the first DC you provisioned, you should already have had
this line. Did you provision with '--use-rfc2307'?
Try having a look here:
> Changed /etc/nsswitch.conf
You only need 'winbind' on the 'passwd' & 'group' lines
> My smb.conf:
> # Global parameters
> netbios name = SRV16
> server string = Samba4 Server
> security = ADS
> encrypt passwords = yes
> realm = domain.local
> workgroup = DOMAIN
> log file = /var/log/samba/%m.log
> log level = 1
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = Yes
> winbind nss info = RFC2307
> #idmap_ldb: Use
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> # Idmap config for domain DOMAIN
> idmap config DOMAIN: backend = ad
> idmap config DOMAIN: schema_mode = RFC2307
> idmap config DOMAIN: 10000-99999 range =
'idmap config DOMAIN: 10000-99999 range ='
'idmap config DOMAIN: range = 10000-99999'
You should also add:
idmap config *: backend = tdb
idmap config *: range = 2000-9999
This is where the builtin users & groups are mapped
> comment = Folder data
> path = /mnt/data
> read only = No
> browseable = yes
> inherit acls = Yes
> inherit permissions = Yes
> I can view the groups and users of AD.
> The "kinit administrator" is working very well. When I try to see the
> ID of a user, it does not return anything. I also cannot give
> permission through the shell of the file server, or through a Windows
> host, when logged in as domain admin.
The usual reason for this is not having any RFC2307 attributes in the
user's AD object. The numbers used in the uidNumber & gidNumber
attributes must be inside the '10000-99999' range you set in your
smb.conf, and you must also ensure that Domain Users has a gidNumber
attribute.
> # setfacl -R -m g:"Domain Admins":rwx /mnt/dados
> setfacl: /mnt/dados: Malformed access ACL
> Missing or wrong entry at entry 5
> setfacl: /mnt/dados/teste: Malformed access ACL
> Missing or wrong entry at entry 5
> # ldconfig -v | grep winbind
> ldconfig: Can not stat /libx32: not directory or file found
> ldconfig: Path `/usr/lib' given more than once
> ldconfig: Path `/usr/lib64' given more than once
> ldconfig: Can not stat /usr/libx32: not directory or file found
> libnss_winbind.so.2 -> libnss_winbind.so2
How have you set the libnss_winbind links?
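As an added example (not part of this thread and not Samba's own tooling): a small Python checker for the idmap settings discussed above. It parses the 'idmap config' lines of an smb.conf, flags the malformed range line from the quoted config, the missing 'idmap config *' default domain and any overlapping ranges, and reports which RFC2307 uidNumber/gidNumber values fall outside the domain range (a missing gidNumber on Domain Users is reported the same way). The two smb.conf fragments and the user/group numbers it runs on are constructed for the example.

```python
"""Sanity-check 'idmap config' lines in an smb.conf (added example, not Samba code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample 1: the member server's config as quoted in the thread,
# with the malformed range line and no default '*' domain.
BROKEN_SMB_CONF = """
[global]
    security = ADS
    realm = domain.local
    workgroup = DOMAIN
    winbind nss info = RFC2307
    idmap config DOMAIN: backend = ad
    idmap config DOMAIN: schema_mode = RFC2307
    idmap config DOMAIN: 10000-99999 range =
"""

# Constructed sample 2: the same config with the corrections from the reply.
FIXED_SMB_CONF = """
[global]
    security = ADS
    realm = domain.local
    workgroup = DOMAIN
    winbind nss info = RFC2307
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : schema_mode = RFC2307
    idmap config DOMAIN : range = 10000-99999
"""

# 'idmap config <domain> : <option> = <value>'; the option is captured loosely
# on purpose so that a mangled line such as '10000-99999 range =' is reported
# instead of silently ignored.
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+?)\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
KNOWN_OPTIONS = {"backend", "range", "schema_mode", "unix_nss_info", "unix_primary_group"}


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every idmap config line."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group(1).strip().upper()
            out.setdefault(dom, {})[m.group(2).strip().lower()] = m.group(3).strip()
    return out


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """'low-high' -> (low, high), or None when absent, malformed or inverted."""
    m = RANGE_RE.match(value)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo < hi else None


def check_idmap(conf: str) -> List[str]:
    """List of problems; empty means the idmap block is internally consistent."""
    problems: List[str] = []
    cfg = parse_idmap(conf)
    if "*" not in cfg:
        problems.append("no 'idmap config *' default domain (BUILTIN users/groups need one)")
    ranges: List[Tuple[Tuple[int, int], str]] = []
    for dom, opts in cfg.items():
        for opt in opts:
            if opt not in KNOWN_OPTIONS:
                problems.append(f"{dom}: unknown option '{opt}' (malformed line?)")
        if "backend" not in opts:
            problems.append(f"{dom}: no backend set")
        rng = parse_range(opts.get("range", ""))
        if rng is None:
            problems.append(f"{dom}: missing or malformed range")
        else:
            ranges.append((rng, dom))
    ranges.sort()  # adjacent ranges must not overlap, or ids become ambiguous
    for (a, da), (b, db) in zip(ranges, ranges[1:]):
        if b[0] <= a[1]:
            problems.append(f"ranges of {da} and {db} overlap")
    return problems


def ids_outside_range(conf: str, domain: str, entries: Dict[str, Optional[int]]) -> List[str]:
    """Names whose uidNumber/gidNumber is missing (None) or outside the domain range."""
    rng = parse_range(parse_idmap(conf).get(domain.upper(), {}).get("range", ""))
    if rng is None:
        return sorted(entries)  # no usable range: nothing can be mapped
    lo, hi = rng
    return sorted(name for name, num in entries.items() if num is None or not lo <= num <= hi)


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(label, check_idmap(conf) or "OK")
    # Constructed RFC2307 numbers: bob's uidNumber is below the range and
    # Domain Users has no gidNumber at all, both of which break mapping.
    sample_ids = {"alice": 10001, "Domain Users": None, "bob": 5000}
    print("unmappable:", ids_outside_range(FIXED_SMB_CONF, "DOMAIN", sample_ids))
```

Running it prints three problems for the quoted config (missing default domain, the unknown option '10000-99999 range', and no usable range) and OK for the corrected one; the id check then names 'Domain Users' and 'bob' as the entries winbind could not map.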