[Samba] File Server member DC ACL permissions

Ricardo Pardim Claus ricardo.claus at yahoo.com.br
Fri Aug 12 13:06:00 UTC 2016



 
> > > Yes wbinfo shows the user but does 'getent passwd iuser' show 
> > > anything ? 
> > 
> > # wbinfo -i iuser 
> > iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false 
> > 
> > 
> > 
> > # getent passwd iuser 
> > iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false 
> > 
> > 
> > # id iuser 
> > id: iuser: no such user


> > concentrating on the number, I missed 
> > '/home/DOMAIN/iuser:/bin/false' 

> > Is this on the DC ? 
> > and if so, what do you get if you run the same command on the fileserver ? 

> > Just to double check, are you running sssd on any of the machines ?

Rowland, the commands above were run on the file server.

Here is the output of the same commands, run directly on the DC:

# wbinfo -i iuser 
DOMAIN\iuser:*:3000166:100:iuser:/home/DOMAIN/iuser:/bin/false

# getent passwd iuser 


# id iuser 
id: iuser: no such user 



Do I need to configure winbind on the main DC? 

The sssd service is disabled on the main DC, but the nsswitch.conf file is set to: 
passwd: files sss 
shadow: files sss 
group: files sss

The client stations are all Windows 10. I have already installed RSAT on my PC.

On the file server, when I compiled the Samba package, I did not use the option: "--without-ad-dc"

After changing the backend to rid it seems to be working, as the following command does not return an error. From Windows, when granting permissions on the share, I can see the "Domain Admins" group:

# setfacl -R -m g:"Domain Admins":rwx /mnt/dados/ 

# getfacl /mnt/dados 
getfacl: Removing leading '/' from absolute path names 
# file: mnt/dados 
# owner: root 
# group: root 
user::rwx 
user:root:rwx 
user:domain\040admins:rwx 
user:ti-infra:rwx 
group::r-x 
group:root:r-x 
group:domain\040admins:rwx 
group:ti-infra:rwx 
mask::rwx 
other::r-x 
default:user::rwx 
default:user:root:rwx 
default:user:domain\040admins:rwx 
default:user:ti-infra:rwx 
default:group::r-x 
default:group:root:r-x 
default:group:domain\040admins:rwx 
default:group:ti-infra:rwx 
default:mask::rwx 
default:other::r-x 


About RSAT on Windows 10, I cannot see the UNIX attributes options.
The smb.conf on the fileserver looked like this:

# Global parameters 
[global] 
netbios name = SRV16 
server string = Samba4 Server 
security = ADS 
encrypt passwords = yes 
realm = domain.local 
workgroup = DOMAIN 
log file = /var/log/samba/%m.log 
log level = 1 
# 
winbind enum users = yes 
winbind enum groups = yes 
winbind use default domain = Yes 
winbind nss info = RFC2307 
#idmap_ldb: Use 
vfs objects = acl_xattr 
map acl inherit = Yes 
store dos attributes = Yes 
# Idmap config for domain DOMAIN 
#idmap config DOMAIN: backend = ad 
idmap config DOMAIN: backend = rid 
#idmap config DOMAIN: schema_mode = RFC2307 
idmap config DOMAIN: range = 10000-99999 
idmap config * : backend = tdb 
idmap config * : range = 2000-9999 
#       guest account = guest 
#       guest ok=yes 

[data] 
comment = Folder data 
path = /mnt/dados 
read only = No 
browseable = yes 
inherit acls = Yes 
inherit permissions = Yes 
guest account = guest 
guest ok=yes 
writeable = Yes 



In the smb.conf of the primary DC, can I take out this line?

idmap_ldb:use rfc2307 = yes


