[Samba] File/dir user permissions on Samba fileserver in DC

Rowland Penny rpenny at samba.org
Thu Mar 16 09:58:45 UTC 2017

On Thu, 16 Mar 2017 10:13:10 +0300
it at mdsdnr.ru wrote:

> Another big thanks for the help!
> All done as you wrote on the Samba fileserver. In the "UNIX Attributes"
> tab a GID was assigned, two users, "usr1" and "usr2", got UIDs from the
> same tab and were set to "Domain Users" as the primary group. These
> users are also in one group in the domain. Tried to do the same for
> other groups like "all" - same result. Now, on the file server,
> 'id usr1' shows user info. Same for "usr2". Other users, not "shared"
> from the "UNIX attributes" tab, are not "visible" to the 'id' command.
> These users can access the share, but everything is the same as was
> written in the first message of this topic: "usr1" can create
> files/folders, as can "usr2", but "usr2" can't delete file objects
> created by "usr1", and vice versa.
> I don't understand the following: all you wrote to do is, in general,
> mapping domain credentials to the Linux host, so that commands like
> 'id', gethostbyname() system calls and so on work. Earlier (and now)
> winbind did "all things" with domain "conversations", and all that has
> to be done on a domain member to work with domain credentials is
> correctly setting up NSswitch and the libs for it. Then why are such
> complicated "things" needed (modifying LDAP, adding fields, increments,
> mapping users/groups "by hand" in RSAT, etc.), if all I need is a
> fileserver for MS Win clients in the domain and the domain is running
> Samba too?
> Could there be problems because the first fileserver was set up with
> idmap_rid, and now idmap_ad is used? I did 'net cache flush'. Did
> leave/join domain.

The only problem there may be is that files and dirs might be owned by
the wrong users and groups.

If you are connecting a Windows user to a Unix machine running
Samba, there are three ways that the user can connect.

Use the winbind 'rid' backend; this is the easiest way to map a Windows
user to a Unix user, as the Unix ID is calculated from the Windows user.

Use the winbind 'ad' backend; this involves (at a minimum) giving the
user a unique uidNumber in AD AND giving the user's primary group
(usually Domain Users) a gidNumber. You will also need to set the
'idmap config DOMAIN' range in smb.conf based on the numbers you use.
Note: this has changed slightly with Samba 4.6.0; you can now use the
user's gidNumber attribute for the user's Unix primary group.

Add 'map to guest = Bad User' to smb.conf; with this, users unknown to
Samba will be mapped to the guest account and allowed access.

To test if a user is known to the OS, you need to run 'getent passwd
username' or 'id username'. If you don't get any output, the user is
unknown to the OS and hence Samba. Testing if a user exists with
'wbinfo -u' will not tell you if the OS is aware of the user, it just
tells you that the user exists in AD.

Hope this helps
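As an added example (not part of the original post), a small shell check that applies the test Rowland describes: a user is only usable on the fileserver if the OS can resolve it through NSS ('getent'/'id'), not merely if 'wbinfo -u' lists it. The wbinfo branch and the constructed user name are assumptions; the script also reports the case where the uid resolves but the primary group does not, which with the 'ad' backend usually points at a missing gidNumber.

```sh
#!/bin/sh
# Classify a user name as seen from a Samba domain member:
#   os                   - NSS resolves the user and its primary group
#   os-no-primary-group  - NSS resolves the user but not the primary gid
#   ad-only              - only 'wbinfo -u' knows it (no uid/gid mapping)
#   unknown              - neither NSS nor winbind reports it
user_status() {
    name=$1
    if getent passwd "$name" >/dev/null 2>&1; then
        # Known to the OS: winbind (or local files) mapped it to uid/gid.
        gid=$(getent passwd "$name" | cut -d: -f4)
        if getent group "$gid" >/dev/null 2>&1; then
            echo os
        else
            # uid resolves but the primary group does not: with the 'ad'
            # backend this usually means the group lacks a gidNumber.
            echo os-no-primary-group
        fi
    elif command -v wbinfo >/dev/null 2>&1 &&
         wbinfo -u 2>/dev/null | sed 's/.*\\//' | grep -Fqix -- "$name"; then
        # wbinfo lists it (with or without a DOMAIN\ prefix), but the OS
        # cannot map it, so Samba cannot set ownership for it either.
        echo ad-only
    else
        echo unknown
    fi
}

# Usage: user_status usr1
# (assumed local test value, not from the post)
user_status root
user_status no-such-user-zz-constructed
```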

