[Samba] Unable to set up home share correctly

Rowland Penny rpenny at samba.org
Fri Oct 14 16:18:07 UTC 2016


On Fri, 14 Oct 2016 17:52:33 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:


> However it is not very specific as to what permissions should
> actually be configured: "Go to the "Security" tab, click the "Edit"
> button and configure the desired Windows ACLs".
> 

What it means is, you need to add/change the users and groups and set
permissions to meet your requirements.

> >
> > Also, when you changed the ranges in smb.conf, have you changed the
> > uidNumber & gidNumber attributes in AD ?
> 
> Not necessary in my opinion as I only modified the "overkill" range
> of the * domain (100000 - 2^32 - 1).
> 
> BTW: There is no range checking in the code. I started with 2^32 = 
> 4294967296 as the upper limit and the mapping didn't work at all. 
> Discovered later in the logs the range was parsed into "range
> 100000-0".
> 
> Two questions:
> 
> 1) Do you agree with the directions given by L.P.H. van Belle: Create 
> new user "Admin" and remove all the already filled in accounts (much 
> like in the screenshot on the 
> <https://wiki.samba.org/index.php/Shares_with_Windows_ACLs> page)?

This is up to you; doing what Louis is suggesting is security
through obscurity. It means that anybody trying to get into your system
has to know (or obtain by whatever means) not only the password, they
also have to know the username to go with it.
As for removing the accounts, you need to decide just who has access
and how much access they have; this may mean removing, altering or
adding accounts.


> 
> 2) Can you elaborate on this?
>

I think I just did ;-)
 
> I have removed the rfc2307-IDs now. I guess going to the "Unix
> Attributes" tab in ADUC and setting "NIS Domain" to "none" is
> sufficient?
> 
> --> No, it should show your domain name.
> 
> Hmm, the "NIS Domain" setting is a drop-down menu. When I choose
> mydomain (in lower case this time) a UID Number is automatically
> assigned, when I choose <none> the fields are greyed out. So "no
> uidNumber" and "should show your domain name" don't work at the same
> time. Or should I choose mydomain and delete the remaining field
> entries?

If the Windows machine that ADUC is running on is joined to the domain,
it normally allows you to set the domain on the 'Unix Attributes' tab,
and setting this fills in all the other boxes (uidNumber etc.).

Rowland
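
The log line quoted above ("range 100000-0" after an upper limit of 2^32 = 4294967296) is consistent with a bound being narrowed to 32 bits without a check. The following is an added example, not Samba's code and not part of the original message; the `id_range` struct and the `parse_range_*` functions are hypothetical names, and the 32-bit storage of the bounds is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical type, not Samba's: an inclusive ID range. */
struct id_range { uint32_t low, high; };

/* Unchecked variant: parse as 64-bit, then silently narrow to 32 bits. */
static int parse_range_unchecked(const char *s, struct id_range *r)
{
    unsigned long long lo, hi;
    if (sscanf(s, "%llu - %llu", &lo, &hi) != 2) return -1;
    r->low = (uint32_t)lo;
    r->high = (uint32_t)hi;   /* 4294967296 wraps to 0 here */
    return 0;
}

/* Parse one decimal bound; reject empty, signed, or > UINT32_MAX input. */
static int parse_bound(const char *s, char **end, uint32_t *out)
{
    while (*s == ' ') s++;
    if (*s < '0' || *s > '9') return -1;      /* strtoull would accept '-' */
    unsigned long long v = strtoull(s, end, 10);
    if (v > UINT32_MAX) return -1;            /* overflow saturates to ULLONG_MAX */
    *out = (uint32_t)v;
    return 0;
}

/* Checked variant: both bounds must fit in 32 bits and low <= high. */
static int parse_range_checked(const char *s, struct id_range *r)
{
    char *end;
    if (parse_bound(s, &end, &r->low) != 0) return -1;
    while (*end == ' ') end++;
    if (*end != '-') return -1;
    if (parse_bound(end + 1, &end, &r->high) != 0) return -1;
    if (*end != '\0' || r->low > r->high) return -1;
    return 0;
}

int main(void)
{
    struct id_range r = {0, 0};
    const char *cfg = "100000-4294967296";    /* constructed sample value */
    parse_range_unchecked(cfg, &r);
    printf("unchecked: range %u-%u\n", (unsigned)r.low, (unsigned)r.high);
    printf("checked: %s\n", parse_range_checked(cfg, &r) == 0 ? "accepted" : "rejected");
    return 0;
}
```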


