[Samba] File Server member DC ACL permissions
Ricardo Pardim Claus
ricardo.claus at yahoo.com.br
Thu Aug 11 18:39:14 UTC 2016
Dear Rowland,
This Samba 4 domain was not provisioned from scratch.
Here in the company we had a Windows 2008 DC. Samba was provisioned as a secondary DC.
So the primary DC is still Windows, but it will be removed this weekend; the Samba DC will then become the primary DC.
In the file server's krb5.conf, I set the KDC entries to point to the Samba DC.
Here is the smb.conf of my Samba 4 DC:
# Global parameters
[global]
#bind interfaces only = Yes
interfaces = lo eth0
netbios name = SRV14
realm = DOMAIN.LOCAL
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = DOMAIN
server role = active directory domain controller
comment =
log file = /var/log/samba/%m.log
log level = 1
#
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/lojacorr.local/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
> How have you set the libnss_winbind links ?
I set the links to libnss_winbind like this (my system is CentOS 7 x86_64):
# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
# ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so2
# ldconfig
Now I can see the id of the user with the command:
# wbinfo -i iuser
iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false
Here is the file server smb.conf:
# Global parameters
[global]
netbios name = SRV16
server string = Samba4 Server
security = ADS
encrypt passwords = yes
realm = lojacorr.local
workgroup = DOMAIN
log file = /var/log/samba/%m.log
log level = 1
#
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
winbind nss info = RFC2307
#idmap_ldb: Use
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Idmap config for domain DOMAIN
idmap config DOMAIN: backend = ad
idmap config DOMAIN: schema_mode = RFC2307
idmap config DOMAIN: range = 10000-99999
guest account = guest
[data]
comment = Folder data
path = /mnt/dados
read only = No
browseable = yes
inherit acls = Yes
inherit permissions = Yes
guest account = guest
guest ok=yes
Here is the file server nsswitch.conf:
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
I configured this permission for SeDiskOperatorPrivilege:
# net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'domain\administrator'
When I try to set the permissions via shell, I get the same error:
# setfacl -R -m g:"Domain Admins":rwx /mnt/dados
setfacl: /mnt/dados: Malformed access ACL `user::rwx,group::r-x,mask::rwx,other::r-x,group:4294967295:rwx': Missing or wrong entry at entry 5
The disk I am sharing was formatted with the XFS file system.
Access is still denied when trying to set permissions on the shared folder.
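The wbinfo output above returns uid/gid 4294967295, which is (uint32)-1, the sentinel winbind hands back when no idmap entry exists for the SID; setfacl then rejects the resulting ACL entry as malformed. The following script is an added example, not part of the original post or of Samba, that checks a passwd-style line for that sentinel before any ACL is written. The function names (check_passwd_line, check_user, safe_group_gid) are the example's own; wbinfo and getent are the real tools.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to write ACLs for unmapped ids.
# 4294967295 is (uint32)-1, the value winbind returns when idmap has no entry.
UNMAPPED_ID=4294967295

# check_passwd_line "name:*:uid:gid:gecos:home:shell"
# Returns 0 when both uid and gid are real mappings, 1 when either is unmapped.
check_passwd_line() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    gid=$(printf '%s\n' "$1" | cut -d: -f4)
    [ "$uid" != "$UNMAPPED_ID" ] && [ "$gid" != "$UNMAPPED_ID" ]
}

# check_user NAME: ask winbind for the user (like "wbinfo -i iuser") and
# verify the answer is usable. Returns 2 if winbind cannot resolve the name.
check_user() {
    line=$(wbinfo -i "$1" 2>/dev/null) || return 2
    check_passwd_line "$line"
}

# safe_group_gid GROUP: print the gid of a group only if it resolved through
# nsswitch to a real number; fail otherwise so setfacl is never fed -1.
safe_group_gid() {
    gid=$(getent group "$1" | cut -d: -f3) || return 2
    [ -n "$gid" ] && [ "$gid" != "$UNMAPPED_ID" ] || return 1
    printf '%s\n' "$gid"
}

# Usage on the file server (commented out so the script is safe to source):
#   gid=$(safe_group_gid 'Domain Admins') && setfacl -R -m "g:$gid:rwx" /mnt/dados
```

If safe_group_gid fails, the idmap backend (here "idmap config DOMAIN: backend = ad" with RFC2307) has no uidNumber/gidNumber for that object, and fixing the mapping is the step that has to come before any setfacl or Windows-side permission change.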