[Samba] File/dir user permissions on Samba fileserver in DC
Rowland Penny
rpenny at samba.org
Wed Mar 15 10:09:11 UTC 2017
OK, use this smb.conf. DO NOT CHANGE ANYTHING, DO NOT ADD ANYTHING.
This is based on what you have posted.
If WG isn't your workgroup, change it to your actual workgroup
If WG.LOCAL isn't your realm, change it to your actual realm
NOTE: if '.local' is your TLD, then turn off Avahi if it is running.
[global]
workgroup = WG
security = ADS
realm = WG.LOCAL
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
log level = 10 vfs:1
idmap config * : backend = tdb
idmap config * : range = 2000-10000
idmap config WG : backend = ad
idmap config WG : schema_mode = rfc2307
idmap config WG : range = 500000-600000
winbind use default domain = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
max log size = 1000
syslog = 10
load printers = no
printing = bsd
show add printer wizard = no
disable spoolss = yes
printcap name = /dev/null
#======================= Share Definitions =======================
[q]
comment = File share
path = /opt/q
read only = no
Create the user.map referenced above.
nano /etc/samba/user.map
!root = WG\Administrator WG\administrator Administrator administrator
Now create an LDIF on the DC, again change 'wg' and 'local' if required.
You will also probably need to change '500000' to the next free GID number in the
'500000-600000' range
nano /tmp/DU.ldif
dn: CN=Domain Users,CN=Users,DC=wg,DC=local
changetype: modify
add: msSFU30NisDomain
msSFU30NisDomain: wg
-
add: msSFU30Name
msSFU30Name: Domain Users
-
add: gidNumber
gidNumber: 500000
-
Now add the gidNumber to Domain Users with:
ldbmodify -H /var/lib/samba/private/sam.ldb -U Administrator /tmp/DU.ldif
NOTE: you may have to install the ldb-tools package.
Back to the client and leave the domain:
First stop all Samba processes
net ads leave -U Administrator
Alter /etc/krb5.conf to just this:
[libdefaults]
default_realm = WG.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
Then, re-join:
net ads join -U Administrator
> > Yes, but have you given Domain Users a gidNumber ???
> Samba-4.3.5 is used.
> Domain group "all" was set up: in UNIX Attributes "NIS domain" set up
> as "WG", Group ID set up as 550000. But when I check "Unix
> Attributes" tab in group properties it gives me a window "Unwilling
> to perform" (in translation from russian), but it saves changes I
> make there. Same done for user: NIS Domain set to "WG", UID is set up
> to 500010, Primary group name is set to "all". No errors as above,
> when selecting tab "Unix Attributes" is shown.
The 'unwilling to perform' error is fairly common and can be ignored.
By setting the 'NIS Domain' to 'all', all you are doing is adding the
gidNumber for 'all' to the user; this doesn't affect the user's primary
group, which Windows and winbind expect to be 'Domain Users'. This
means that 'Domain Users' must have a gidNumber; if 'Domain Users'
doesn't have a gidNumber, then ALL your users will be ignored by
winbind.
If you later upgrade to Samba 4.6.x, you will be able to use the 'NIS
Domain' as the user's Unix primary group.
Rowland
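Added example, not from Rowland's post or the Samba project: a small Python checker for the two things the post insists on, namely that the idmap ranges in smb.conf are sane (a default '*' backend, every backend with a range, no overlap between the '*' range and the domain range, schema_mode on the 'ad' backend) and that the gidNumber given to Domain Users actually lies inside the domain's 'idmap config WG : range', since a gidNumber outside that range is exactly the case where winbind ignores the group and every user whose primary group it is. The SMB_CONF text is a constructed excerpt of the configuration above; the function names and the LDIF generator are this example's own.

```python
"""Added example (not part of the mailing-list post): parse the idmap settings of an
smb.conf like the one above, flag the mistakes that make winbind ignore users, and
generate the Domain Users LDIF with a gidNumber verified to lie inside the domain's
idmap range."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the smb.conf in the post; only the [global] lines used here.
SMB_CONF = """\
[global]
workgroup = WG
security = ADS
realm = WG.LOCAL
idmap config * : backend = tdb
idmap config * : range = 2000-10000
idmap config WG : backend = ad
idmap config WG : schema_mode = rfc2307
idmap config WG : range = 500000-600000
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
PARAM_RE = re.compile(r"^\s*([a-z ]+?)\s*=\s*(.+?)\s*$", re.I)


def parse_smb_conf(conf: str) -> dict:
    """Return {'workgroup', 'realm', 'idmap': {domain: {key: value}}} from smb.conf text."""
    out: dict = {"workgroup": None, "realm": None, "idmap": {}}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line or line.startswith("["):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            out["idmap"].setdefault(dom.upper(), {})[key.lower()] = val
            continue
        m = PARAM_RE.match(line)
        if m and m.group(1).lower() in ("workgroup", "realm"):
            out[m.group(1).lower()] = m.group(2)
    return out


def parse_range(text: str) -> Tuple[int, int]:
    """'500000-600000' -> (500000, 600000); reject an empty or inverted range."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo >= hi:
        raise ValueError(f"bad idmap range {text!r}")
    return lo, hi


def check_idmap(idmap: Dict[str, Dict[str, str]]) -> List[str]:
    """List the problems winbind would trip over: no default ('*') backend, a backend
    without a range, an 'ad' backend without schema_mode, and overlapping ranges."""
    problems: List[str] = []
    if "*" not in idmap:
        problems.append("no default 'idmap config * : backend'")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, cfg in idmap.items():
        if "backend" not in cfg:
            problems.append(f"{dom}: no backend")
        if "range" not in cfg:
            problems.append(f"{dom}: no range")
            continue
        ranges[dom] = parse_range(cfg["range"])
        if cfg.get("backend", "").lower() == "ad" and "schema_mode" not in cfg:
            problems.append(f"{dom}: 'ad' backend without schema_mode")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def gid_in_domain_range(conf: dict, gid: int) -> bool:
    """True if gid lies inside the 'idmap config <workgroup> : range' of conf."""
    lo, hi = parse_range(conf["idmap"][conf["workgroup"].upper()]["range"])
    return lo <= gid <= hi


def domain_users_ldif(conf: dict, gid: int) -> str:
    """Build the LDIF from the post for the workgroup/realm in conf; refuse a gidNumber
    outside the domain's idmap range, because winbind would then ignore Domain Users."""
    if not gid_in_domain_range(conf, gid):
        raise ValueError(f"gidNumber {gid} is outside the idmap range of {conf['workgroup']}")
    wg = conf["workgroup"]
    base = ",".join(f"DC={part}" for part in conf["realm"].lower().split("."))
    return (
        f"dn: CN=Domain Users,CN=Users,{base}\n"
        "changetype: modify\n"
        "add: msSFU30NisDomain\n"
        f"msSFU30NisDomain: {wg.lower()}\n"
        "-\n"
        "add: msSFU30Name\n"
        "msSFU30Name: Domain Users\n"
        "-\n"
        "add: gidNumber\n"
        f"gidNumber: {gid}\n"
        "-\n"
    )


if __name__ == "__main__":
    cfg = parse_smb_conf(SMB_CONF)
    for p in check_idmap(cfg["idmap"]) or ["idmap config OK"]:
        print(p)
    print(domain_users_ldif(cfg, 500000))
```

Run it against a real smb.conf by reading the file into SMB_CONF; the LDIF it prints is the one fed to ldbmodify on the DC, and the range check is the part worth keeping, because a gidNumber that is off by one range boundary produces no error at join time, only silently missing users.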