[Samba] member domain idmap config ad/rid

Elias Pereira empbilly at gmail.com
Tue May 30 18:05:56 UTC 2017


Rowland,

AD: 4.5.8
Fileserver: 4.6.3

root at fileserver:~# samba -Version
Version 4.6.3-Debian

root at fileserver:~# net rpc rights list privileges SeDiskOperatorPrivilege -U "ADDC\administrator"
Enter ADDC\administrator's password:
SeDiskOperatorPrivilege:
  ADDC\Domain Admins
  BUILTIN\Administrators

chown root:Domain\ Admins /mnt/dados >>>> ok
chmod 0770  /mnt/dados >>>> ok

root at fileserver:~# getfacl /mnt/dados/
getfacl: Removing leading '/' from absolute path names
# file: mnt/dados/
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---

win7 machine with RSAT Tools.

The security tab as shown in the link below does not appear for me.
https://wiki.samba.org/index.php/File:Demo_Share_Security.png

For me it's that way.
http://i.imgur.com/LRuLR03l.png

Any idea?

On Tue, May 30, 2017 at 1:13 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 30 May 2017 12:33:26 -0300
> Elias Pereira <empbilly at gmail.com> wrote:
>
> >
> > *confs fileserver*
> >
> > *smb.conf*
> >
> > winbind nss info = rfc2307
>
> If you are using Samba 4.6.0 or greater, then you do not use the above
> line.
>
> > idmap config ADDC:unix_nss_info = yes
> > idmap config ADDC:unix_primary_group = yes
>
> You only use the above two lines on Samba 4.6.0 or greater
>
> > [storage]
> > path = /mnt/dados
> > read only = no
> > admin users = "ADDC\Domain Admins" ADDC\administrator
>
> You should set the ACLs from windows, so you are not recommended
> to have the last line above.
>
> >
> >
> > *user.map*
> >
> > !root = ADDC\Administrator ADDC\administrator
> >
>
> I use:
>
> !root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
>
> Not sure if it makes any difference ;-)
>
> If you are logging in to the windows machine to use ADUC as a member of
> Domain Admins, then you need to set the group on the share on the Unix
> domain member to Domain Admins i.e.
> chown root:Domain\ Admins /mnt/dados
>
> You will also need to give Domain Admins the rights to make changes on
> the Unix domain member (aka fileserver), see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
>
> If you are logging in as Administrator, it should just work, this is
> because Administrator is mapped to root.
>
> Rowland



-- 
Elias Pereira
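
The version-dependent advice quoted in this message, written as a small smb.conf check. This is an added example, not part of the original messages and not Samba project code; the function names and the `[global]` header in the sample are assumptions.

```python
import re

# Constructed sample from the settings quoted in the thread ([global] header assumed).
SAMPLE = r"""
[global]
winbind nss info = rfc2307
idmap config ADDC:unix_nss_info = yes
idmap config ADDC:unix_primary_group = yes

[storage]
path = /mnt/dados
read only = no
admin users = "ADDC\Domain Admins" ADDC\administrator
"""

IDMAP_46 = re.compile(r"idmap config [^:]+:\s*(unix_nss_info|unix_primary_group)$")

def parse_version(text):
    """Accept 'Version 4.6.3-Debian' or '4.5.8' and return (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Samba version in %r" % text)
    return tuple(int(part) for part in m.groups())

def parse_conf(text):
    """Yield (section, parameter, value); parameter names are case-insensitive."""
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            yield section, " ".join(key.lower().split()), value.strip()

def check_smb_conf(text, samba_version):
    """Return (section, parameter, note) for each line the advice applies to."""
    is_46 = parse_version(samba_version) >= (4, 6, 0)
    findings = []
    for section, key, _value in parse_conf(text):
        if key == "winbind nss info" and is_46:
            findings.append((section, key, "not used on Samba 4.6.0 or greater"))
        elif IDMAP_46.match(key) and not is_46:
            findings.append((section, key, "only used on Samba 4.6.0 or greater"))
        elif key == "admin users" and section != "global":
            findings.append((section, key, "not recommended; set the ACLs from Windows"))
    return findings
```

Pass the version reported on the machine that owns the smb.conf, here the fileserver's `Version 4.6.3-Debian`, not the AD DC's.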

