[Samba] File/dir user permissions on Samba fileserver in DC

Rowland Penny rpenny at samba.org
Wed Mar 15 10:09:11 UTC 2017


OK, use this smb.conf. DO NOT CHANGE ANYTHING, DO NOT ADD ANYTHING.

This is based on what you have posted. 
If WG isn't your workgroup, change it to your actual workgroup
If WG.LOCAL isn't your realm, change it to your actual realm
NOTE: if '.local' is your TLD, then turn off Avahi if it is running.

[global]
    workgroup = WG
    security = ADS
    realm = WG.LOCAL

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Samba 4 Client %h

    log level = 10 vfs:1

    idmap config * : backend = tdb
    idmap config * : range = 2000-10000

    idmap config WG : backend = ad
    idmap config WG : schema_mode = rfc2307
    idmap config WG : range = 500000-600000

    winbind use default domain = yes
    winbind nss info = rfc2307
    winbind refresh tickets = yes

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    max log size = 1000
    syslog = 10

    load printers = no
    printing = bsd
    show add printer wizard = no
    disable spoolss = yes
    printcap name = /dev/null

#======================= Share Definitions =======================

[q]
     comment = File share
     path = /opt/q
     read only = no

Create the user.map referenced above.

nano /etc/samba/user.map

!root = WG\Administrator WG\administrator Administrator administrator

Now create an LDIF on the DC, again change 'wg' and 'local' if required.
You will also probably need to change '500000' to the next free GID number in the
'500000-600000' range

nano /tmp/DU.ldif

dn: CN=Domain Users,CN=Users,DC=wg,DC=local
changetype: modify
add: msSFU30NisDomain
msSFU30NisDomain: wg
-
add: msSFU30Name
msSFU30Name: Domain Users
-
add: gidNumber
gidNumber: 500000
-

Now add the gidNumber to Domain Users with:

ldbmodify -H /var/lib/samba/private/sam.ldb -U Administrator /tmp/DU.ldif

NOTE: you may have to install the ldb-tools package.

Back to the client and leave the domain:

First stop all Samba processes

net ads leave -U Administrator

Alter /etc/krb5.conf to just this:

[libdefaults]
     default_realm = WG.LOCAL
     dns_lookup_realm = false
     dns_lookup_kdc = true

Then, re-join:

net ads join -U Administrator


> > Yes, but have you given Domain Users a gidNumber ???
> Samba-4.3.5 is used.
> Domain group "all" was set up: in UNIX Attributes "NIS domain" set up
> as "WG", Group ID set up as 550000. But when I check "Unix
> Attributes" tab in group properties it gives me a window "Unwilling
> to perform" (in translation from russian), but it saves changes I
> make there. Same done for user: NIS Domain set to "WG", UID is set up
> to 500010, Primary group name is set to "all". No errors as above,
> when selecting tab "Unix Attributes" is shown.

The 'unwilling to perform error' is fairly common and can be ignored.

By setting the 'NIS DOMAIN' to 'all', all you are doing is adding the
gidNumber for 'all' to the user; this doesn't affect the user's primary
group, which Windows and winbind expect to be 'Domain Users'. This
means that 'Domain Users' must have a gidNumber; if 'Domain Users'
doesn't have a gidNumber, then ALL your users will be ignored by
winbind.
If you later upgrade to Samba 4.6.x, you will be able to use the 'NIS
Domain' as the user's Unix primary group.

Rowland