[Samba] File Server member DC ACL permissions
Rowland Penny
rpenny at samba.org
Fri Aug 12 14:32:32 UTC 2016
On Fri, 12 Aug 2016 13:06:00 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:
>
>
>
> > > > Yes wbinfo shows the user but does 'getent passwd iuser' show
> > > > anything ?
> > >
> > > # wbinfo -i iuser
> > > iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false
> > >
> > >
> > >
> > > # getent passwd iuser
> > > iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false
> > >
> > >
> > > # id iuser
> > > id: iuser: no such user
>
>
> > > concentrating on the number, I missed
> > > '/home/DOMAIN/iuser:/bin/false'
>
> > > Is this on the DC ?
> > > and if so, what do get if you run the same command on the
> > > fileserver ?
>
> > > Just to double check, are you running sssd on any of the
> > > machines ?
>
> Rowland, the commands above were run on the file server.
>
> I will show the output of the commands, run directly on the DC:
>
> # wbinfo -i iuser
> DOMAIN\iuser:*:3000166:100:iuser:/home/DOMAIN/iuser:/bin/false
>
> # getent passwd iuser
>
>
> # id iuser
> id: iuser: no such user
>
>
>
> Do I need to configure winbind on the main DC?
Only if you want to use the DC as a fileserver.
>
> The sssd service is disabled on the main DC. But in the nsswitch.conf
> file it is set:
> passwd: files sss
> shadow: files sss
> group: files sss
If sssd isn't being used, then you might as well remove all instances
of 'sss' from /etc/nsswitch.conf. If you do set up winbind, then replace
'sss' with 'winbind', except on the 'shadow' line; this line should only
have 'files'.
>
> The client stations, all are Windows 10. The RSAT I have already
> installed on my PC.
>
That is not good, you don't get the 'UNIX Attributes' tab with RSAT on
Windows 10, Microsoft removed it.
You will have to add the Unix Attributes with a script using ldbtools,
have you had any experience writing scripts ?
> On the file server, when I compiled the Samba package, I did not use
> the option: "--without-ad-dc"
I don't bother; I always compile Samba the same way. It is how you set
Samba up that counts.
>
> When changing the backend to rid it seems to be working, since the
> following command does not return an error. Through Windows, when
> giving permissions on the share, I see the "Domain Admins" group:
>
> # setfacl -R -m g:"Domain Admins":rwx /mnt/dados/
>
> # getfacl /mnt/dados
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/dados
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:domain\040admins:rwx
> user:ti-infra:rwx
> group::r-x
> group:root:r-x
> group:domain\040admins:rwx
> group:ti-infra:rwx
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:root:rwx
> default:user:domain\040admins:rwx
> default:user:ti-infra:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:domain\040admins:rwx
> default:group:ti-infra:rwx
> default:mask::rwx
> default:other::r-x
>
>
> About RSAT on Windows 10, I can not see the UNIX attributes options.
I already mentioned the reason.
> The smb.conf on the fileserver looked like this:
>
> # Global parameters
> [global]
> netbios name = SRV16
> server string = Samba4 Server
> security = ADS
> encrypt passwords = yes
> realm = domain.local
> workgroup = DOMAIN
> log file = /var/log/samba/%m.log
> log level = 1
> #
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = Yes
> winbind nss info = RFC2307
> #idmap_ldb: Use
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> # Idmap config for domain DOMAIN
> #idmap config DOMAIN: backend = ad
> idmap config DOMAIN: backend = rid
> #idmap config DOMAIN: schema_mode = RFC2307
> idmap config DOMAIN: range = 10000-99999
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> # guest account = guest
> # guest ok=yes
>
> [data]
> comment = Folder data
> path = /mnt/dados
> read only = No
> browseable = yes
> inherit acls = Yes
> inherit permissions = Yes
> guest account = guest
> guest ok=yes
> writeable = Yes
>
>
That's better, but can I suggest you read here:
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
You will do a better job if you set the ACLs from windows.
>
> In the smb.conf of the primary DC, can I take out this line?
>
> idmap_ldb:use rfc2307 = yes
>
No, you still need it.
Rowland
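The thread turns on three things: why the member server returns uid/gid 4294967295 for iuser (that value is (uint32_t)-1, winbind found the account but could not map its SID to an id), what a 'rid' backend will actually hand out, and the nsswitch.conf and UNIX-attribute changes Rowland recommends. The script below is an added example written for this page; it is not code from the thread or from the Samba project. It assumes a placeholder RID (1166), placeholder uid/gid numbers (10001/10000), a user DN of CN=iuser,CN=Users,DC=domain,DC=local, and a sam.ldb path of /usr/local/samba/private/sam.ldb (which depends on the build prefix); the sample passwd and nsswitch.conf lines are constructed from what was posted.

```shell
#!/bin/sh
# Added example for the Samba thread above; not code from the thread or the
# Samba project. Placeholders (RID 1166, uid 10001, gid 10000, the DN and
# the sam.ldb path) are assumptions, and the sample data is constructed.

UNMAPPED_ID=4294967295   # (uint32_t)-1: winbind found the user but no id mapping

# rid_to_id RID LOW HIGH
# The id idmap_rid computes for a SID whose last component is RID:
# ID = RID + LOW (base_rid is 0 by default). Prints "out-of-range" and
# returns 1 if the result would exceed HIGH.
rid_to_id() {
    id=$(( $1 + $2 ))
    if [ "$id" -gt "$3" ]; then
        echo out-of-range
        return 1
    fi
    echo "$id"
}

# check_passwd_line "name:x:uid:gid:gecos:home:shell"
# Prints "unmapped" (return 1) when either id is the -1 sentinel, else "mapped".
check_passwd_line() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    gid=$(printf '%s\n' "$1" | cut -d: -f4)
    if [ "$uid" = "$UNMAPPED_ID" ] || [ "$gid" = "$UNMAPPED_ID" ]; then
        echo unmapped
        return 1
    fi
    echo mapped
}

# audit_nsswitch < nsswitch.conf
# Reports every 'sss' source (sssd is not in use) and anything other than
# 'files' on the shadow line. Returns 1 if any problem was printed.
audit_nsswitch() {
    problems=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;
        esac
        db=$(printf '%s\n' "${line%%:*}" | tr -d ' \t')
        sources=${line#*:}
        for s in $sources; do
            if [ "$s" = sss ]; then
                echo "$db: drop 'sss' (sssd is not in use)"
                problems=$((problems + 1))
            elif [ "$db" = shadow ] && [ "$s" != files ]; then
                echo "shadow: only 'files' belongs here, found '$s'"
                problems=$((problems + 1))
            fi
        done
    done
    [ "$problems" -eq 0 ]
}

# unix_attrs_ldif DN UID GID HOME SHELL
# LDIF that adds the RFC2307 attributes the Windows 10 RSAT can no longer
# set. On the DC, apply it with:
#   ldbmodify -H /usr/local/samba/private/sam.ldb iuser.ldif
unix_attrs_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'add: uidNumber\nuidNumber: %s\n-\n' "$2"
    printf 'add: gidNumber\ngidNumber: %s\n-\n' "$3"
    printf 'add: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$4"
    printf 'add: loginShell\nloginShell: %s\n' "$5"
}

# --- demo on data constructed from the thread ---------------------------
# The file server's getent answer for iuser is unmapped:
check_passwd_line 'iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false' || :
# With 'idmap config DOMAIN: backend = rid' and range = 10000-99999, a user
# with (assumed) RID 1166 gets 11166 on the member; the DC's 3000166 is an
# idmap.ldb allocation and will not match it, hence the UNIX attributes.
rid_to_id 1166 10000 99999
printf '%s\n' 'passwd: files sss' 'shadow: files sss' 'group: files sss' | audit_nsswitch || :
unix_attrs_ldif 'CN=iuser,CN=Users,DC=domain,DC=local' 10001 10000 /home/iuser /bin/bash
```

Run the audit against the real file with `audit_nsswitch < /etc/nsswitch.conf`; a clean member configuration (passwd and group as 'files winbind', shadow as 'files') prints nothing and returns 0. Redirect `unix_attrs_ldif` into a file and hand it to ldbmodify on the DC only after checking the DN with ldbsearch, since a wrong DN fails the whole modify.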