[Samba] File/dir user permissions on Samba fileserver in DC
Rowland Penny
rpenny at samba.org
Mon Mar 13 09:59:39 UTC 2017
On Mon, 13 Mar 2017 12:01:28 +0300
it at mdsdnr.ru wrote:
> Thank you for pointing me to errors. I've corrected'em (I think), so
> smb.conf now looks like:
>
Can I ask if you are having problems following the Samba wiki?
You still do not seem to have set up the smb.conf correctly. If you are
having problems following the wiki, please say so and, if possible, give
examples. Without feedback, we do not know of any problem areas.
Having got that out of the way, I have gone through your smb.conf and
corrected it by removing default lines. I have also added some comments:
[global]
workgroup = WG
security = ADS
realm = WG.LOCAL
#netbios name = FSRV # see [1] below
log level = 0 vfs:1
#idmap config MDS:backend = ad # see [2] below
idmap config * : backend = tdb
idmap config *:range = 2000-9999
idmap config WG : backend = ad
idmap config WG : range = 10000-999999
idmap config WG : schema_mode = rfc2307 # see [3] below
winbind nss info = rfc2307
winbind use default domain = yes
winbind enum users = yes # see [4] below
winbind enum groups = yes # see [4] below
winbind refresh tickets = yes
max log size = 1000
syslog = 1
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
#unix password sync = yes # NO, no, a thousand times NO, see [5] below
load printers = no
show add printer wizard = no
disable spoolss = yes
printcap name = /dev/null
hide unreadable = yes # see [6]
log writeable files on exit = yes
deadtime = 600 # see [7]
ea support = yes # see [8]
#socket options = TCP_NODELAY IPTOS_LOWDELAY # see [9]
#======================= Share Definitions =======================
[q] # see [10]
comment = File share
path = /somepath
read only = no
delete readonly = yes
strict sync = yes
sync always = yes
inherit permissions = Yes
inherit owner = Yes
veto files = /.snap/quota*/*.vmx/autorun.inf/
valid users = +WG\all WG\admin
admin users = +WG\it WG\admin
access based share enum = yes
===
[1] this is not strictly required, provided hostname resolution is
set up correctly and if it isn't, you need to fix this, not Samba
[2] you have set workgroup to 'WG'
[3] this could also be 'template'
[4] you should only set these for testing purposes
[5] You are using AD and with this, all your users must be stored in
AD, you cannot also store them in /etc/passwd, i.e., you cannot have
the user 'fred' in AD and /etc/passwd. The same goes for groups.
[6] Do you really want to do this? See 'man smb.conf'
[7] 10 hours?
[8] I have never needed this
[9] You shouldn't set these any more, just rely on the kernel
[10] You will probably be better off using POSIX acls and setting access
rights from Windows
You are using the winbind 'ad' backend, have you given your users a
unique uidNumber attribute and also given Domain Users a gidNumber
attribute? If you haven't and want to use the 'ad' backend, you will
need to do so.
Any questions, please ask.
Rowland
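To check the closing question (every user has a uidNumber inside the 'ad' backend's range, and Domain Users and other groups have a gidNumber) against an LDIF dump such as ldbsearch or ldapsearch print, here is an added example that is not from the thread or from Samba; the sample dump, the function names and the default range of 10000-999999 (taken from the smb.conf above) are assumptions.

```python
import re

# Constructed sample: an LDIF-style dump of a few AD objects, in the shape
# `ldbsearch`/`ldapsearch` print. Not real directory data.
SAMPLE_LDIF = """\
dn: CN=fred,CN=Users,DC=wg,DC=local
objectClass: user
sAMAccountName: fred

dn: CN=alice,CN=Users,DC=wg,DC=local
objectClass: user
sAMAccountName: alice
uidNumber: 3000

dn: CN=Domain Users,CN=Users,DC=wg,DC=local
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=it,CN=Users,DC=wg,DC=local
objectClass: group
sAMAccountName: it
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def audit_rfc2307(ldif_text, id_range=(10000, 999999)):
    """List objects the winbind 'ad' backend cannot map to a Unix ID:
    users without uidNumber, groups without gidNumber, and IDs outside
    'idmap config WG : range' (winbind ignores those, so no mapping)."""
    low, high = id_range
    problems = []
    for entry in parse_ldif(ldif_text):
        name = entry.get("sAMAccountName", ["?"])[0]
        attr = "gidNumber" if "group" in entry.get("objectClass", []) else "uidNumber"
        values = entry.get(attr)
        if not values:
            problems.append(f"{name}: missing {attr}")
        elif not low <= int(values[0]) <= high:
            problems.append(f"{name}: {attr} {values[0]} outside {low}-{high}")
    return problems
```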