[Samba] member domain idmap config ad/rid
Rowland Penny
rpenny at samba.org
Tue May 30 16:13:21 UTC 2017
On Tue, 30 May 2017 12:33:26 -0300
Elias Pereira <empbilly at gmail.com> wrote:
>
> *confs fileserver*
>
> *smb.conf*
>
> winbind nss info = rfc2307
If you are using Samba 4.6.0 or greater, then you do not use the above
line.
> idmap config ADDC:unix_nss_info = yes
> idmap config ADDC:unix_primary_group = yes
You only use the above two lines on Samba 4.6.0 or greater.
> [storage]
> path = /mnt/dados
> read only = no
> admin users = "ADDC\Domain Admins" ADDC\administrator
You should set the ACLs from Windows, so you are not recommended
to have the last line above.
>
>
> *user.map*
>
> !root = ADDC\Administrator ADDC\administrator
>
I use:
!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
Not sure if it makes any difference ;-)
If you are logging in to the Windows machine to use ADUC as a member of
Domain Admins, then you need to set the group on the share on the Unix
domain member to Domain Admins, i.e.
chown root:Domain\ Admins /mnt/dados
You will also need to give Domain Admins the rights to make changes on
the Unix domain member (aka fileserver), see here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
If you are logging in as Administrator, it should just work; this is
because Administrator is mapped to root.
Rowland
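Added example, not part of the original message or of Samba itself: a small shell lint that applies the advice above to an smb.conf, given the Samba version as an argument. The finding labels (OBSOLETE, TOO_NEW, ADMIN_USERS), the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Finding labels OBSOLETE, TOO_NEW and ADMIN_USERS are invented for this sketch.

# version_ge A B: succeeds when dotted version A >= B.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# audit_smb_conf SAMBA_VERSION [FILE]: print one finding per line (stdin if no FILE).
audit_smb_conf() {
    if version_ge "$1" 4.6.0; then new=1; else new=0; fi
    awk -v new="$new" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line == "" || line ~ /^[#;]/ { next }          # blank lines and comments
        line ~ /^\[.*\]$/ {                             # [section] header
            section = tolower(substr(line, 2, length(line) - 2)); next
        }
        {
            eq = index(line, "="); if (eq == 0) next
            key = tolower(substr(line, 1, eq - 1))
            gsub(/[ \t]+/, " ", key); sub(/ $/, "", key)
            # 4.6.0 or greater: "winbind nss info" is no longer used
            if (new && key == "winbind nss info")
                print "OBSOLETE [" section "] " key
            # before 4.6.0: the per-domain unix_* idmap options do not apply
            if (!new && key ~ /^idmap config [^:]+ ?: ?(unix_nss_info|unix_primary_group)$/)
                print "TOO_NEW [" section "] " key
            # ACLs should be set from Windows, so "admin users" is not recommended
            if (key == "admin users")
                print "ADMIN_USERS [" section "]"
        }
    ' "${2:--}"
}

# Constructed sample, modelled on the config quoted in this thread.
sample_conf() {
    cat <<'EOF'
[global]
    winbind nss info = rfc2307
    idmap config ADDC:unix_nss_info = yes
    idmap config ADDC:unix_primary_group = yes
[storage]
    path = /mnt/dados
    read only = no
    admin users = "ADDC\Domain Admins" ADDC\administrator
EOF
}

sample_conf | audit_smb_conf 4.6.0
```

To check a real member server, pass the installed version and the config path, e.g. `audit_smb_conf 4.6.0 /etc/samba/smb.conf` (path assumed; adjust to your install).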