[Samba] Member Server Configuration

Rowland Penny rpenny at samba.org
Thu Nov 9 22:13:03 UTC 2017


On Thu, 9 Nov 2017 21:47:11 -0000
Roy Eastwood via samba <samba at lists.samba.org> wrote:

> Thanks Rowland.
> See inline comments.
> 
> >On Thu, 9 Nov 2017 17:08:52 -0000
> >Rowland Penny via samba <samba at lists.samba.org> wrote:
> > See inline Comments:
> > 
> > On Thu, 9 Nov 2017 16:11:49 -0000
> > Roy Eastwood via samba <samba at lists.samba.org> wrote:
> > 
> > > Hi,
> > > I have a Debian Stretch machine with Louis' samba 4.7.1 package
> > > installed.  I have configured it as a member server and joined it
> > > to my test domain.   I tried the idmap rid back end and all
> > > worked ok, but am now trying the idmap ad back end.   I have
> > > users' home folders saved to a users share on the member server,
> > > configured to allow auto-creation of home folders when the
> > > windows user logs in for the first time.    That's working OK
> > > after some adjustments to the ntfs and share permissions which
> > > vary from the samba WiKi page
> > > (https://wiki.samba.org/index.php/User_Home_Folders ) after
> > > reading this https://support.microsoft.com/en-gb/help/555046.
> > > Also if users are allowed to log in locally as a unix user to the
> > > member server, I found that the unix permissions had to include
> > > rwx for the domain users group otherwise they are unable to
> > > access their home folder.        Does the WiKi need updating?
> > 
> > Probably not.
> 
> OK, fine, but I couldn't get auto-creation of home folders to work
> with just the settings in the WiKi.

If you are talking about auto-creating users' home folders on
Unix machines, this is quite easy, when you know how ;-)

Add this line to /etc/pam.d/common-session

session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022

Then when a user logs in, if the user's homedir doesn't exist, it will
be created.

> > > I either
> > > allocate a UID/GID in AD - in which case I can log in OK.
> > > However, if I use the username map parameter in smb.conf along
> > > with the appropriate file user.map to map administrator to root,
> > > the WiKi says do not allocate a UID and GID in AD.   So I took
> > > these off  but I cannot log in now to the member server as
> > > administrator. Neither does administrator show up in the output
> > > of getent passwd.
> > 
> > Ah, but you are using a user.map, which maps 'Administrator' to
> > 'root', so guess who you should log onto the Unix machine as ?
> 
> Yes, indeed.  Actually I use another user and then sudo, but winds up
> as the same thing.

It also works from windows, you can do things from windows on a Unix
machine, set windows ACLs etc.

> So the section on the WiKi page for "Mapping the Domain Administrator
> Account to the local root user" is never going to work for logging
> onto the member server itself?   I assume therefore this will only
> apply if the administrator on another member client machine saves
> files etc, they will be owned by root rather than the Domain
> Administrator account?   If so I misunderstood the purpose of that
> section!

Yes, that is basically how it works, but it goes further, it allows you
to do the things that Administrator does on Windows, on Unix domain
members.

Rowland
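The two pieces of configuration discussed in this thread (the pam_mkhomedir line and the wiki's "!root = SAMDOM\Administrator" username map) are easy to get subtly wrong, so here is an added example script that checks both. It is not code from the Samba project or from the list post: it tests whether a PAM session stack really loads pam_mkhomedir.so, and it resolves a Windows name through a username map file following the rules in smb.conf(5) (case-insensitive match, a leading '!' stops processing after a match, '*' matches anything). The domain name SAMDOM, the user "roy" and the file paths are assumptions; the sample files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the Samba project or from the list post.
# Two checks a member-server admin would want after reading the thread:
#  1. does the PAM session stack load pam_mkhomedir.so (home directories
#     are then created at the user's first Unix login)?
#  2. which Unix account does a Samba "username map" file yield for a given
#     Windows name (the wiki's "!root = SAMDOM\Administrator" line)?
# File names, the domain SAMDOM and the user "roy" are assumptions.
set -eu

# Return 0 if the PAM stack in $1 has an active (uncommented) session line
# that loads pam_mkhomedir.so, 1 otherwise.
has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# Print the Unix name that username map $1 yields for Windows name $2,
# following the smb.conf(5) rules: lines are "unixname = winname ...",
# matching is case-insensitive, a leading '!' stops processing after a
# match, '*' on the right-hand side matches any name, and a name that was
# remapped can be remapped again by a later line.  '@group' entries, which
# need NSS group lookups, are not handled here.
map_user() {
    WIN="$2" awk '
        BEGIN { out = ENVIRON["WIN"]; cur = tolower(out) }
        /^[ \t]*(#|;)/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            line = $0; stop = 0
            sub(/^[ \t]*/, "", line)
            if (substr(line, 1, 1) == "!") { stop = 1; line = substr(line, 2) }
            eq = index(line, "=")
            if (eq == 0) next
            unix = substr(line, 1, eq - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", unix)
            n = split(substr(line, eq + 1), wins, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                w = tolower(wins[i])
                if (w == "") continue
                if (w == "*" || w == cur) {
                    out = unix; cur = tolower(unix)
                    if (stop) exit
                    break
                }
            }
        }
        END { print out }
    ' "$1"
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Constructed PAM stack containing the line the post recommends.
DEMO_PAM="$DEMO_DIR/common-session"
cat > "$DEMO_PAM" <<'EOF'
session    required   pam_unix.so
session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
EOF

# Constructed stack where the line is only commented out: must count as missing.
DEMO_PAM_MISSING="$DEMO_DIR/common-session.off"
cat > "$DEMO_PAM_MISSING" <<'EOF'
session    required   pam_unix.so
# session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
EOF

# Constructed username map in the wiki's format; SAMDOM is an assumed domain.
DEMO_MAP="$DEMO_DIR/user.map"
cat > "$DEMO_MAP" <<'EOF'
# map the domain Administrator to root and stop processing
!root = SAMDOM\Administrator
EOF

# Stand-alone run: report both checks.
if has_mkhomedir "$DEMO_PAM"; then
    echo "pam_mkhomedir: enabled in $DEMO_PAM"
else
    echo "pam_mkhomedir: missing from $DEMO_PAM"
fi
for n in 'SAMDOM\Administrator' 'samdom\ADMINISTRATOR' 'SAMDOM\roy'; do
    printf '%s -> %s\n' "$n" "$(map_user "$DEMO_MAP" "$n")"
done
```

Point has_mkhomedir at the real /etc/pam.d/common-session and map_user at the real user.map to check a member server; the unmapped user (SAMDOM\roy here) comes back unchanged, which is why that account, unlike Administrator, needs a UID/GID resolvable through winbind to log on.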
