[Samba] File/dir user permissions on Samba fileserver in DC

Rowland Penny rpenny at samba.org
Tue Mar 14 17:18:57 UTC 2017


On Tue, 14 Mar 2017 18:50:54 +0300
it at mdsdnr.ru wrote:


> I've corrected your marks, now config looks like:
> 

Still not really right ;-)

encrypt passwords = yes # you do not need this, it is a default setting
auth methods = winbind # remove this, it is not required

winbind trusted domains only = no # you do not need this, it is a default setting

passdb backend = tdbsam # you do not need this, it is a default setting
obey pam restrictions = yes # remove this, it is not required

> 
> os level = 1
> case sensitive = no
> hide unreadable = yes
> log [q]
>      comment = File share
>      browseable = yes
>      path = /opt/q
>      guest ok = no
>      read only = no
>      delete readonly = yes
>      strict sync = yes
>      sync always = yes
> 
>      inherit permissions = Yes
>      inherit acls = Yes
>      inherit owner = Yes
>      map acl inherit = yes
>      nt acl support = yes
> 
>      map system = yes
>      veto files = /.snap/quota*/*.vmx/autorun.inf/
> 
>      valid users = @WG\all WG\srvadmin
>      admin users = @WG\it WG\administrator WG\srvadmin
> 
>      hide unreadable = yes
>      vfs objects= full_audit, recycle, acl_xattr
>      writeable files on exit = yes
>      access based share enum = yes
>      map acl inherit = yes
>      map system = yes

Words fail me on the above, default lines, duplicate lines, acl_xattr
is a share and in global, the other two 'vfs objects' don't have any of
the other required lines to make them actually work.
Can I suggest you use Windows ACLs (the info howto is on the Samba
wiki) and remove all that clutter.

> ===
> > You are using the winbind 'ad' backend, have you given your users a
> > unique uidNumber attribute and also given Domain Users a gidNumber
> > attribute ? If you haven't and want to use the 'ad' backend, you
> > will need to do so.
> 
> Using MMC from Win PC in domain, in group properties tab "UNIX 
> attributes" assigned gid to domain group "all" from range
> 500000-600000, as in domain, for user srvadmin in same tab add
> "primary group name/GID" 

Yes, but have you given Domain Users a gidNumber ???

> - group "all". As I understood this from here: 
> https://wiki.samba.org/index.php/Installing_RSAT and here: 
> https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC

If you haven't given Domain Users a gidNumber and are using Samba
4.6.x, you can follow the info here:

https://wiki.samba.org/index.php/Idmap_config_ad

> 
> Result:
> wbinfo -u - shows users
> wbinfo -p - ping OK
> wbinfo -n srvadmin - shows user SID (srvadmin - domain user)
> wbinfo -i srvadmin - error:
> id srvadmin says 'no such user'.

Probably because you haven't given Domain Users a gidNumber, have you
spotted the running theme here yet ?


> What additional info is needed? I'll post more and more. Simply I'm 
> trying not to post too long messages...
> Sometimes wiki has too few info about something, or too unclear what
> has to be set up or done.

Unless we are told what any possible problems on the wiki are, we
cannot fix them, or you could register and fix them yourself ;-)

Rowland
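
The three complaints above (lines that only restate defaults, lines given twice, vfs modules listed with none of their own parameters) are mechanical enough to check with a script. What follows is an added example written for this archive page; it is not Samba code and not from the thread. DEFAULT_VALUES and MODULE_PREFIXES are assumptions for Samba 4.x (check them against `testparm -v` on the installed version), the SAMPLE text is the quoted config reduced to the lines that matter, and the CLEAN stanza is a constructed Windows-ACLs style config whose three global lines follow the Samba wiki howto from memory; verify there before using it.

```python
"""Flag the three kinds of clutter called out in the reply: parameters that
only restate a Samba default, parameters given twice in one section, and
'vfs objects' modules listed without any 'module:option' lines of their own.

Added example for this archive page, not Samba's code and not from the thread.
DEFAULT_VALUES and MODULE_PREFIXES are assumptions for Samba 4.x; check them
against 'testparm -v' on the installed version."""

from collections import Counter

# Values the reply says are already the defaults (assumed, see above).
DEFAULT_VALUES = {
    "encrypt passwords": "yes",
    "winbind trusted domains only": "no",
    "passdb backend": "tdbsam",
}

# Modules that need their own "module:option" lines to do anything useful
# (the reply's point about full_audit and recycle); assumed prefixes.
MODULE_PREFIXES = {"full_audit": "full_audit:", "recycle": "recycle:"}

# The config quoted in the thread, reduced to the lines that matter (constructed).
SAMPLE = """\
[global]
   encrypt passwords = yes
   winbind trusted domains only = no
   passdb backend = tdbsam
   vfs objects = acl_xattr

[q]
   comment = File share
   path = /opt/q
   hide unreadable = yes
   map acl inherit = yes
   map system = yes
   vfs objects= full_audit, recycle, acl_xattr
   hide unreadable = yes
   map acl inherit = yes
   map system = yes
"""

# A minimal Windows-ACLs style config of the kind the reply recommends
# (constructed; the three global lines follow the Samba wiki howto, verify there).
CLEAN = """\
[global]
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes

[q]
   path = /opt/q
   read only = no
"""


def parse_smbconf(text):
    """Return {section: [(key, value), ...]}, keeping duplicates in order.
    Keys are lower-cased with whitespace collapsed, since Samba matches
    parameter names ignoring case and whitespace. Whole-line '#'/';'
    comments are skipped and a trailing ' # note' is dropped so the
    annotated lines from the thread can be fed in unchanged."""
    sections = {"global": []}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        line = line.split(" #", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((" ".join(key.lower().split()), value.strip()))
    return sections


def lint_section(name, params):
    """Return one finding string per problem found in a section."""
    findings = []
    for key, value in params:                      # 1. restated defaults
        if DEFAULT_VALUES.get(key) == value.lower():
            findings.append(f"[{name}] '{key} = {value}' is the default, drop it")
    for key, n in Counter(k for k, _ in params).items():   # 2. duplicates
        if n > 1:
            findings.append(f"[{name}] '{key}' appears {n} times, the later one wins")
    keys = {k for k, _ in params}
    for key, value in params:                      # 3. modules with no options
        if key == "vfs objects":
            for module in value.replace(",", " ").split():
                prefix = MODULE_PREFIXES.get(module)
                if prefix and not any(k.startswith(prefix) for k in keys):
                    findings.append(f"[{name}] vfs module '{module}' has no '{prefix}*' lines")
    return findings


def lint_smbconf(text):
    """Lint every section of an smb.conf text; [] means nothing to complain about."""
    return [f for name, params in parse_smbconf(text).items()
            for f in lint_section(name, params)]


if __name__ == "__main__":
    for finding in lint_smbconf(SAMPLE):
        print(finding)
    print("clean config findings:", lint_smbconf(CLEAN))
```

Run it against a real file with `lint_smbconf(open("/etc/samba/smb.conf").read())`; `testparm -v` prints every parameter with its effective value, which is the authoritative way to extend DEFAULT_VALUES for the version actually installed.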

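The "running theme" in the reply is that the winbind 'ad' backend maps a user only if the user has a uidNumber and the user's primary group (Domain Users, RID 513, unless changed) has a gidNumber; a gidNumber on some other group, or the gidNumber that the ADUC "Primary group name/GID" field writes onto the user, does not help unless idmap_ad's unix_primary_group option is turned on. The script below is an added example, not from the thread and not Samba code: it reads an LDIF dump of users and groups and reports which users `id` would fail for and why. The LDIF is constructed for the illustration; on a real DC one would feed it the output of `ldbsearch -H /var/lib/samba/private/sam.ldb '(|(objectClass=user)(objectClass=group))' sAMAccountName objectSid primaryGroupID uidNumber gidNumber` (the sam.ldb path depends on the distribution).

```python
"""Check an LDIF dump of AD users and groups for the RFC2307 attributes the
winbind 'ad' backend needs. Added example, not from the thread or from Samba;
SAMPLE_LDIF is constructed for the illustration."""

import base64

# Constructed dump: 'Domain Users' (RID 513) has no gidNumber, the custom group
# 'all' has one, srvadmin keeps 513 as primary group, alice and bob use 'all'.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=wg,DC=example
objectClass: top
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513

dn: CN=all,CN=Users,DC=wg,DC=example
objectClass: top
objectClass: group
sAMAccountName: all
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 500001

dn: CN=srvadmin,CN=Users,DC=wg,DC=example
objectClass: user
sAMAccountName: srvadmin
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1106
primaryGroupID: 513
uidNumber: 500002
gidNumber: 500001

dn: CN=alice,CN=Users,DC=wg,DC=example
objectClass: user
sAMAccountName: alice
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1107
primaryGroupID: 1105
uidNumber: 500003

dn: CN=bob,CN=Users,DC=wg,DC=example
objectClass: user
sAMAccountName: bob
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1108
primaryGroupID: 1105

# returned 5 records
"""


def parse_ldif(text):
    """Return a list of entries, each {attribute: [values]}. Handles folded
    continuation lines, 'attr:: base64' values and the '#' comment lines
    ldbsearch prints; entries are separated by blank lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries, entry = [], {}
    for line in logical + [""]:             # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: base64" form
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        entry.setdefault(attr, []).append(value.strip())
    return entries


def check_rfc2307(ldif_text, unix_primary_group=False):
    """Map sAMAccountName -> list of reasons the 'ad' backend cannot map it.
    unix_primary_group=True mirrors idmap_ad's option of the same name, which
    takes the primary group from the user's own gidNumber instead of
    primaryGroupID (default off)."""
    groups_by_rid, users = {}, []
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if "group" in classes:
            rid = int(entry["objectSid"][0].rsplit("-", 1)[1])
            groups_by_rid[rid] = entry
        elif "user" in classes:             # computer accounts match too; harmless
            users.append(entry)
    report = {}
    for user in users:
        problems = []
        if "uidNumber" not in user:
            problems.append("no uidNumber, winbind 'ad' will not map this account")
        if unix_primary_group:
            if "gidNumber" not in user:
                problems.append("unix_primary_group is on but the user has no gidNumber")
        else:
            pgid = user.get("primaryGroupID")
            group = groups_by_rid.get(int(pgid[0])) if pgid else None
            if group is None:
                problems.append("primary group not present in the dump")
            elif "gidNumber" not in group:
                problems.append(f"primary group '{group['sAMAccountName'][0]}' "
                                f"(RID {pgid[0]}) has no gidNumber")
        report[user["sAMAccountName"][0]] = problems
    return report


if __name__ == "__main__":
    for name, problems in check_rfc2307(SAMPLE_LDIF).items():
        print(name, "->", problems or "ok")
```

In the constructed dump srvadmin is exactly the situation in the thread: the account has a uidNumber and a gidNumber, yet it cannot be resolved because its primary group Domain Users carries no gidNumber; giving Domain Users one, or switching to unix_primary_group (see idmap_ad(8)), is what makes the report come back empty.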