[Samba] File server questions

Flávio Silveira fggs at terra.com.br
Fri Sep 15 11:47:45 UTC 2017

On 14/09/2017 13:28, Rowland Penny via samba wrote:
> On Thu, 14 Sep 2017 13:15:31 -0300
> Flávio Silveira via samba <samba at lists.samba.org> wrote:
>> On 14/09/2017 12:46, Rowland Penny via samba wrote:
>>>>> well possibly, but I will rephrase my question, are:
>>>>> libpam-winbind libpam-krb5 libnss-winbind
>>>>> installed ?
>>>> Yes sir, all three are installed, should I proceed to editing
>>>> nsswitch.conf as described on the tutorial?
>>>>> Rowland
>>> Yes, you should now get a result from 'getent passwd ausername'
>>> Rowland
>> Thanks Rowland, below is the edited /etc/nsswitch.conf:
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages
>> installed, try: # `info libc "Name Service Switch"' for information
>> about this file.
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat
>> gshadow:        files
>> hosts:          files dns
>> networks:       files
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>> netgroup:       nis
>> And here is the output of "getent passwd fsilveira":
>> root at dc1:~# getent passwd fsilveira
>> fsilveira:x:1001:1001::/home/fsilveira:/sbin/nologin
>> root at dc1:~#
> Looking good so far, I take it you don't want the users logging into
> the DC.


>> About the file serving here:
>> https://wiki.samba.org/index.php/Samba_File_Serving
>> Should I use the "Setting up a share using Windows ACLs" tutorial?
> You must use Windows ACLs on a DC, so yes, you will need to follow that
> wikipage.

Ok, just curious, are there any disvantages between using Windows ACLs 
instead of POSIX ACLs?

Also, once I create a file server as Domain Member, how easy will be to 
migrate from DC?

I am reading this 

For the "Granting the SeDiskOperatorPrivilege Privilege" section, it 
mentions "Domain Admins" group, do I need to create all groups with below?

groupadd <group name>

So, a small step-by-step would be:

1- Create all groups with: groupadd <group name>, example: groupadd 
"Domain Admins"
2- Create local user accounts with: useradd -M -s /sbin/nologin <user name>
3- Add password to local user accounts with: passwd <user name>
4- Add local user accounts to Samba database with: smbpasswd -a <user name>
5- Enable Samba account with: smbpasswd -e <user name>
6- Add user account to a group with: usermod -G <group name> <user name>
7- Follow "Granting the SeDiskOperatorPrivilege Privilege" section from [1]
8- Follow "Adding a Share" section from [1]

[1]: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Does this look correct?
> Rowland

Thank you!

More information about the samba mailing list