[Samba] File Server member DC ACL permissions

Rowland Penny rpenny at samba.org
Fri Aug 12 14:32:32 UTC 2016


On Fri, 12 Aug 2016 13:06:00 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:

> 
> > > > Yes wbinfo shows the user but does 'getent passwd iuser' show 
> > > > anything ? 
> > > 
> > > # wbinfo -i iuser 
> > > iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false 
> > > 
> > > 
> > > 
> > > # getent passwd iuser 
> > > iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false 
> > > 
> > > 
> > > # id iuser 
> > > id: iuser: no such user
> 
> 
> > > concentrating on the number, I missed 
> > > '/home/DOMAIN/iuser:/bin/false' 
> 
> > > Is this on the DC ? 
> > > and if so, what do get if you run the same command on the
> > > fileserver ? 
> 
> > > Just to double check, are you running sssd on any of the
> > > machines ?
> 
> Rowland, the commands above were run on the file server.
> 
> I will show the output of the commands, run directly on the DC:
> 
> # wbinfo -i iuser 
> DOMAIN\iuser:*:3000166:100:iuser:/home/DOMAIN/iuser:/bin/false
> 
> # getent passwd iuser 
> 
> 
> # id iuser 
> id: iuser: no such user 
> 
> 
> 
> Do I need to configure winbind on the main DC?

Only if you want to use the DC as a fileserver.

> 
> The sssd service is disabled on the main DC. But in the nsswitch.conf
> file it is set to:
> passwd: files sss 
> shadow: files sss 
> group: files sss

If sssd isn't being used, then you might as well remove all instances
of 'sss' from /etc/nsswitch.conf. If you do set up winbind, then replace
'sss' with 'winbind', except for the 'shadow' line; this line should only
have 'files'.
 
> 
> The client stations, all are Windows 10. The RSAT I have already
> installed on my PC.
>

That is not good, you don't get the 'UNIX Attributes' tab with RSAT on
Windows 10, Microsoft removed it.
You will have to add the Unix Attributes with a script using ldbtools,
have you had any experience writing scripts ?
 
> On the file server, when I compiled the Samba package, I did not use
> the option: "--without-ad-dc"

I don't bother, I always compile Samba the same way, it is how you set
Samba up that counts.

> 
> When changing the backend to rid it seems to be working, as the
> following command does not return an error. Through Windows, when
> giving permission on the share, I see the "Domain Admins" group:
> 
> # setfacl -R -m g:"Domain Admins":rwx /mnt/dados/ 
> 
> # getfacl /mnt/dados 
> getfacl: Removing leading '/' from absolute path names 
> # file: mnt/dados 
> # owner: root 
> # group: root 
> user::rwx 
> user:root:rwx 
> user:domain\040admins:rwx 
> user:ti-infra:rwx 
> group::r-x 
> group:root:r-x 
> group:domain\040admins:rwx 
> group:ti-infra:rwx 
> mask::rwx 
> other::r-x 
> default:user::rwx 
> default:user:root:rwx 
> default:user:domain\040admins:rwx 
> default:user:ti-infra:rwx 
> default:group::r-x 
> default:group:root:r-x 
> default:group:domain\040admins:rwx 
> default:group:ti-infra:rwx 
> default:mask::rwx 
> default:other::r-x 
> 
> 
> About RSAT on Windows 10, I can not see the UNIX attributes options.

I already mentioned the reason.

> The smb.conf of the fileserver looked like this:
> 
> # Global parameters 
> [global] 
> netbios name = SRV16 
> server string = Samba4 Server 
> security = ADS 
> encrypt passwords = yes 
> realm = domain.local 
> workgroup = DOMAIN 
> log file = /var/log/samba/%m.log 
> log level = 1 
> # 
> winbind enum users = yes 
> winbind enum groups = yes 
> winbind use default domain = Yes 
> winbind nss info = RFC2307 
> #idmap_ldb: Use 
> vfs objects = acl_xattr 
> map acl inherit = Yes 
> store dos attributes = Yes 
> # Idmap config for domain DOMAIN 
> #idmap config DOMAIN: backend = ad 
> idmap config DOMAIN: backend = rid 
> #idmap config DOMAIN: schema_mode = RFC2307 
> idmap config DOMAIN: range = 10000-99999 
> idmap config * : backend = tdb 
> idmap config * : range = 2000-9999 
> #       guest account = guest 
> #       guest ok=yes 
> 
> [data] 
> comment = Folder data 
> path = /mnt/dados 
> read only = No 
> browseable = yes 
> inherit acls = Yes 
> inherit permissions = Yes 
> guest account = guest 
> guest ok=yes 
> writeable = Yes 
> 
> 

That's better, but can I suggest you read here:
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

You will do a better job if you set the ACLs from windows.

> 
> In the smb.conf of the primary DC, can I take out this line?
> 
> idmap_ldb:use rfc2307 = yes
> 

No, you still need it.

Rowland
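As an added illustration (not code from this thread, from Rowland, or from the Samba project), here is a small Python linter that applies the nsswitch.conf advice given in the reply, checks that the idmap ranges in a member server's smb.conf are complete and do not overlap, and flags the 4294967295 uid/gid shown in the poster's getent output (that value is -1 as an unsigned 32-bit integer, which is winbind's marker for an ID it could not map). The sample files are constructed, modelled on the ones quoted above; all function names are mine.

```python
"""Added example, not code from the thread or from Samba: lint the pieces of
the member-server setup discussed above (nsswitch.conf sources, smb.conf
idmap ranges, unmapped IDs in getent output)."""
import re
from typing import Dict, List, Tuple

# Constructed samples, modelled on the files quoted in the thread.
NSSWITCH_SSS = "passwd: files sss\nshadow: files sss\ngroup:  files sss\n"
NSSWITCH_WINBIND = "passwd: files winbind\nshadow: files\ngroup:  files winbind\n"
SMB_CONF_OK = """\
[global]
   #idmap config DOMAIN: backend = ad
   idmap config DOMAIN: backend = rid
   idmap config DOMAIN: range = 10000-99999
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
"""
# Line as printed by 'getent passwd iuser' on the poster's file server.
UNMAPPED_ENTRY = "iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false"
ID_UNMAPPED = 2**32 - 1  # -1 as unsigned 32-bit: winbind's "no mapping" marker
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each nsswitch database (passwd, group, ...) to its source list."""
    dbs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs


def check_nsswitch(text: str) -> List[str]:
    """winbind for passwd/group, no leftover sss, shadow restricted to files."""
    dbs = parse_nsswitch(text)
    problems = []
    for db in ("passwd", "group"):
        sources = dbs.get(db, [])
        if "sss" in sources:
            problems.append(f"{db}: remove 'sss' (sssd is not in use)")
        if "winbind" not in sources:
            problems.append(f"{db}: add 'winbind'")
    if dbs.get("shadow") != ["files"]:
        problems.append("shadow: should list only 'files'")
    return problems


def parse_idmap(text: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config <dom> : key = value' lines, keyed by domain."""
    cfg: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")):
            continue  # commented-out settings are ignored, as smbd does
        m = IDMAP_RE.match(line)
        if m:
            dom, key, value = m.groups()
            cfg.setdefault(dom.upper(), {})[key.lower()] = value
    return cfg


def check_idmap(text: str) -> List[str]:
    """Each domain needs a backend and a range, the '*' default must exist,
    and no two ranges may overlap (an overlap makes the mapping ambiguous)."""
    cfg = parse_idmap(text)
    problems = []
    if "*" not in cfg:
        problems.append("missing the default 'idmap config *' entries")
    ranges: List[Tuple[int, int, str]] = []
    for dom, kv in cfg.items():
        if "backend" not in kv:
            problems.append(f"{dom}: no backend configured")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", kv.get("range", ""))
        if not m:
            problems.append(f"{dom}: missing or malformed range")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo >= hi:
            problems.append(f"{dom}: range {lo}-{hi} is empty")
        ranges.append((lo, hi, dom))
    ranges.sort()  # adjacent entries after sorting are the only overlap candidates
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges of {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap")
    return problems


def unmapped_ids(passwd_line: str) -> List[str]:
    """Return which of uid/gid in a passwd line carry winbind's unmapped marker."""
    fields = passwd_line.split(":")
    uid, gid = int(fields[2]), int(fields[3])
    return [name for name, val in (("uid", uid), ("gid", gid)) if val == ID_UNMAPPED]


if __name__ == "__main__":
    print(check_nsswitch(NSSWITCH_SSS))
    print(check_idmap(SMB_CONF_OK) or "idmap ranges ok")
    print(unmapped_ids(UNMAPPED_ENTRY))
```

Run against the quoted file-server smb.conf, the idmap check passes because the rid range (10000-99999) and the default tdb range (2000-9999) are disjoint; the getent line from the same machine is what the unmapped check is meant to catch before anyone tries to set ACLs for that user.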


