[Samba] File Server member DC ACL permissions
Ricardo Pardim Claus
ricardo.claus at yahoo.com.br
Fri Aug 12 13:06:00 UTC 2016
> > > Yes wbinfo shows the user but does 'getent passwd iuser' show
> > > anything ?
> >
> > # wbinfo -i iuser
> > iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false
> >
> >
> >
> > # getent passwd iuser
> > iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false
> >
> >
> > # id iuser
> > id: iuser: no such user
> > concentrating on the number, I missed
> > '/home/DOMAIN/iuser:/bin/false'
> > Is this on the DC ?
> > and if so, what do get if you run the same command on the fileserver ?
> > Just to double check, are you running sssd on any of the machines ?
Rowland, the commands above were run on the file server.
I will show the output of the commands, running directly in DC:
# wbinfo -i iuser
DOMAIN\iuser:*:3000166:100:iuser:/home/DOMAIN/iuser:/bin/false
# getent passwd iuser
# id iuser
id: iuser: no such user
Do I need to configure winbind on the main DC?
The sssd service is disabled on the main DC, but the nsswitch.conf file is set to:
passwd: files sss
shadow: files sss
group: files sss
The client stations are all Windows 10. I have already installed RSAT on my PC.
On the file server, when I compiled the Samba package, I did not use the option: "--without-ad-dc"
After changing the backend to rid it seems to be working, because the following command does not return an error. From Windows, when giving permission on the share, I see the "Domain Admins" group:
# setfacl -R -m g:"Domain Admins":rwx /mnt/dados/
# getfacl /mnt/dados
getfacl: Removing leading '/' from absolute path names
# file: mnt/dados
# owner: root
# group: root
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:ti-infra:rwx
group::r-x
group:root:r-x
group:domain\040admins:rwx
group:ti-infra:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:domain\040admins:rwx
default:user:ti-infra:rwx
default:group::r-x
default:group:root:r-x
default:group:domain\040admins:rwx
default:group:ti-infra:rwx
default:mask::rwx
default:other::r-x
As for RSAT on Windows 10, I cannot see the UNIX attributes options.
The smb.conf on the fileserver looked like this:
# Global parameters
[global]
netbios name = SRV16
server string = Samba4 Server
security = ADS
encrypt passwords = yes
realm = domain.local
workgroup = DOMAIN
log file = /var/log/samba/%m.log
log level = 1
#
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
winbind nss info = RFC2307
#idmap_ldb: Use
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Idmap config for domain DOMAIN
#idmap config DOMAIN: backend = ad
idmap config DOMAIN: backend = rid
#idmap config DOMAIN: schema_mode = RFC2307
idmap config DOMAIN: range = 10000-99999
idmap config * : backend = tdb
idmap config * : range = 2000-9999
# guest account = guest
# guest ok=yes
[data]
comment = Folder data
path = /mnt/dados
read only = No
browseable = yes
inherit acls = Yes
inherit permissions = Yes
guest account = guest
guest ok=yes
writeable = Yes
In the smb.conf of the primary DC, can I take this line?
idmap_ldb:use rfc2307 = yes
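
An added example, not part of the original message: a small Python check that reads the idmap ranges from an smb.conf like the one above and classifies getent/wbinfo passwd lines, flagging the ID 4294967295, which is (uid_t)-1 and means no usable ID was mapped. The function names and sample strings are constructed for illustration from values shown in the post.

```python
import re
from itertools import combinations

INVALID_ID = 0xFFFFFFFF  # 4294967295 == (uid_t)-1, i.e. no usable UID/GID was mapped

# Constructed samples built from the values shown in the post.
SAMPLE_SMB_CONF = """\
[global]
#idmap config DOMAIN: backend = ad
idmap config DOMAIN: backend = rid
idmap config DOMAIN: range = 10000-99999
idmap config * : backend = tdb
idmap config * : range = 2000-9999
"""
SAMPLE_PASSWD = r"""iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false
DOMAIN\iuser:*:3000166:100:iuser:/home/DOMAIN/iuser:/bin/false
"""

RANGE_RE = re.compile(r"idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every active 'idmap config' range line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line.strip())  # commented lines start with '#' and never match
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping(ranges):
    """Return the domain pairs whose ID ranges intersect (they must be disjoint)."""
    return [(a, b) for (a, ra), (b, rb) in combinations(ranges.items(), 2)
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def classify(passwd_text, ranges):
    """Map each passwd entry to 'unmapped', 'out-of-range', or the owning idmap domain."""
    verdicts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        uid = int(fields[2])
        owners = [d for d, (lo, hi) in ranges.items() if lo <= uid <= hi]
        verdicts[fields[0]] = ("unmapped" if uid == INVALID_ID
                               else owners[0] if owners else "out-of-range")
    return verdicts

if __name__ == "__main__":
    r = idmap_ranges(SAMPLE_SMB_CONF)
    print(r, overlapping(r), classify(SAMPLE_PASSWD, r))
```

An entry reported as "unmapped" cannot be matched by a POSIX ACL entry, so the mapping should be fixed before ACLs are set for that account.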