[Samba] problem with sessions

Rowland Penny rpenny at samba.org
Wed Mar 1 17:26:31 UTC 2017

On Wed, 1 Mar 2017 17:48:47 +0100
Tony Peña <emperor.cu at gmail.com> wrote:

>     server role = dc
>     server role = active directory domain controller
> I'm correct?

Nearly, but you should only have one 'server role' line and the second
line is the correct one.
> ----
> On include shares.conf is all share directories... I got 47 shares,
> so I just paste here 1 as example, the rest are equal, just
> changing the path
> [library]
>     comment = Library in common
>     path = /home/samba/shares/Library
>     browseable = Yes
>     read only = No
>     force create mode = 0660
>     force directory mode = 0660
>     vfs objects = acl_xattr full_audit
>     full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

I take it you haven't read this wiki page:


You cannot use POSIX ACLs on a Samba AD DC, so your share should be
something like this:

[library]
    comment = Library in common
    path = /home/samba/shares/Library
    read only = No
    vfs objects = full_audit
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

You also had 'browseable = yes', this is the default setting, but it has
no effect on a DC, there is no browsing on a Samba AD DC.

Once you have changed the share, you will need to read this wiki page:

> the filesystem is with acl,
> the filesystem on those are:    user : group : others
> drwxrwx---+   9 SERVERDC\administrator adm 4,0K mar 1 14:26 Library

You will probably need to change this to root:domain admins

Talking of which, I hope you haven't given Administrator a uidNumber.

> on resolv.conf
> root@server-dc:~# cat /etc/resolv.conf
> nameserver
> nameserver
> nameserver
> search serverdc.lcl

You should remove the google nameservers, they should be set as
forwarders in your bind9 conf files.

> the bind is ok, 

I didn't ask if it was 'ok', I asked how you have set it up, I think
you need to post your bind9 conf files.

> I register PC into domain and it's added into ldap
> so I can ping NAME_OF_PC and pinging normally and see it using
> pdbedit. This is something I can't understand somehow...
> normally I use openldap, but in this case is samba (simulate ldap)?
> because I see samba run process to can see from my ldap client the
> whole directory

Yes, Samba 4 running as an AD DC does use its own ldap and the DNS info
is stored in AD, but you need to use 'samba_dlz' to connect to it. You
also need to set up bind9 correctly.
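
A small checker for the smb.conf points raised in this reply, as an added example that is not part of the original message or of Samba itself: it flags a repeated 'server role' line and, per share, acl_xattr in 'vfs objects', the 'force ... mode' lines and 'browseable'. The sample configuration is constructed from the settings quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample, assembled from the settings quoted in the thread.
SAMPLE_CONF = """\
[global]
    server role = dc
    server role = active directory domain controller
[library]
    path = /home/samba/shares/Library
    browseable = Yes
    read only = No
    force create mode = 0660
    force directory mode = 0660
    vfs objects = acl_xattr full_audit
"""

def parse(text):
    """Return [(section, key, value)], keeping repeated keys in order."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            entries.append((section, " ".join(key.lower().split()), value.strip()))
    return entries

def lint(text):
    """Hypothetical helper: report the settings the reply says to change on an AD DC."""
    entries, findings = parse(text), []
    roles = [v for s, k, v in entries if s == "global" and k == "server role"]
    if len(roles) > 1:
        findings.append(("global", f"{len(roles)} 'server role' lines; keep only one"))
    # Everything outside [global] is treated as a share definition.
    for s, k, v in (e for e in entries if e[0] != "global"):
        if k == "vfs objects" and "acl_xattr" in re.split(r"[,\s]+", v):
            findings.append((s, "remove acl_xattr from 'vfs objects'"))
        elif k in ("force create mode", "force directory mode"):
            findings.append((s, f"remove '{k}'"))
        elif k in ("browseable", "browsable"):
            findings.append((s, f"'{k}' has no effect on a DC"))
    return findings

if __name__ == "__main__":
    for section, message in lint(SAMPLE_CONF):
        print(f"[{section}] {message}")
```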

