[Samba] File server questions
rpenny at samba.org
Fri Sep 15 12:29:26 UTC 2017
On Fri, 15 Sep 2017 08:47:45 -0300
Flávio Silveira via samba <samba at lists.samba.org> wrote:
> Ok, just curious, are there any disadvantages to using Windows
> ACLs instead of POSIX ACLs?
None that I am aware of, in fact there are several advantages.
> Also, once I create a file server as Domain Member, how easy will it be
> to migrate from the DC?
Not sure what you mean here, it sounds like you want to turn your Samba
AD DC into a Unix domain member, I am sure you don't want to do this,
so can you explain your question better?
> I am reading this
> For the "Granting the SeDiskOperatorPrivilege Privilege" section, it
> mentions "Domain Admins" group, do I need to create all groups with
> groupadd <group name>
> So, a small step-by-step would be:
> 1- Create all groups with: groupadd <group name>, example: groupadd
> "Domain Admins"
No, you do not need to create this group, it should already exist in AD
> 2- Create local user accounts with: useradd -M -s /sbin/nologin <user
No, you do not need any local Unix users, you either create your
windows users (with samba-tool) as Unix users as well, or you extend
your windows users to be Unix users as well.
> 3- Add password to local user accounts with: passwd <user name>
Seeing as you will not create local Unix users, then no.
> 4- Add local user accounts to Samba database with: smbpasswd -a <user name>
> 5- Enable Samba account with: smbpasswd -e <user name>
There is a theme here ;-) no
> 6- Add user account to a group with: usermod -G <group name> <user name>
> 7- Follow "Granting the SeDiskOperatorPrivilege Privilege" section from 
No, use samba-tool or the windows tools.
> 8- Follow "Adding a Share" section from 
Well, yes, but no ;-)
Yes, you should follow the wikipage.
No, you shouldn't use 'Domain Admins' (I must update that wikipage)
If you use 'Domain Admins', you will need to give the windows group a
gidNumber attribute. This is not a good idea, 'Domain Admins' needs to
own GPOs in sysvol, so it needs to be mapped to 'ID_TYPE_BOTH' in
idmap.ldb on the DC. If you give the group a gidNumber, it becomes just
a group as far as Unix is concerned and groups cannot own anything on
My suggestion is to create a new group in AD (I suggest 'Unix Admins',
but you can call it anything you like), give this new group a gidNumber
and make it a member of 'Domain Admins'. Now wherever it says 'Domain
Admins' on the wikipage, use your new group instead.
More information about the samba
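As an added example (my own, not code from this list post or from the Samba wiki), the following POSIX shell script carries out the suggestion above: it creates a dedicated AD group with a gidNumber on the DC, nests it in 'Domain Admins' (which keeps no gidNumber, so it stays ID_TYPE_BOTH in idmap.ldb), then grants the new group SeDiskOperatorPrivilege on the domain member and checks that winbind resolves it. The domain name SAMDOM, the group name 'Unix Admins', the administrator account name, the gidNumber 10000 and the idmap range 10000-999999 are assumptions; the range check encodes the requirement that a gidNumber used with the 'ad' idmap backend fall inside the member's configured "idmap config SAMDOM : range". Set RUN=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the Samba list post or the Samba wiki.
# Creates a dedicated AD group with a gidNumber (instead of giving
# 'Domain Admins' one), nests it in 'Domain Admins', grants it
# SeDiskOperatorPrivilege on the domain member and verifies the result.
# Assumed site values (override via the environment): domain SAMDOM,
# group 'Unix Admins', gidNumber 10000, idmap range 10000-999999.
# RUN=echo prints every samba-tool/net command instead of executing it.

RUN="${RUN:-}"
DOMAIN="${DOMAIN:-SAMDOM}"
GROUP="${GROUP:-Unix Admins}"
GIDNUM="${GIDNUM:-10000}"
ADMIN="${ADMIN:-administrator}"
# Must match "idmap config SAMDOM : range" in the member server's smb.conf;
# with the 'ad' backend, a gidNumber outside this range is not usable there.
RANGE_LOW="${RANGE_LOW:-10000}"
RANGE_HIGH="${RANGE_HIGH:-999999}"

# check_gid_in_range <gid> <low> <high>: succeeds only if low <= gid <= high
check_gid_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Run on the DC: create the group with a gidNumber and make it a member
# of 'Domain Admins'. 'Domain Admins' itself gets no gidNumber, so it
# stays ID_TYPE_BOTH in idmap.ldb and can still own GPOs in sysvol.
create_unix_admins() {
    if ! check_gid_in_range "$GIDNUM" "$RANGE_LOW" "$RANGE_HIGH"; then
        echo "gidNumber $GIDNUM is outside idmap range $RANGE_LOW-$RANGE_HIGH" >&2
        return 1
    fi
    $RUN samba-tool group add "$GROUP" --gid-number="$GIDNUM" &&
    $RUN samba-tool group addmembers "Domain Admins" "$GROUP"
}

# Run on the domain member: grant the privilege to the new group (in place
# of 'Domain Admins' on the wiki page), then list the rights and check that
# winbind resolves the group (assumes the default winbind separator '\').
grant_disk_operator() {
    $RUN net rpc rights grant "$DOMAIN\\$GROUP" SeDiskOperatorPrivilege \
        -U "$DOMAIN\\$ADMIN" &&
    $RUN net rpc rights list accounts -U "$DOMAIN\\$ADMIN" &&
    $RUN getent group "$DOMAIN\\$GROUP"
}

case "${1:-}" in
    dc)     create_unix_admins ;;
    member) grant_disk_operator ;;
    *)      echo "usage: [RUN=echo] $0 dc|member" >&2 ;;
esac
```

Run it once with the argument `dc` on the domain controller and once with `member` on the file server; the `net rpc rights grant` step prompts for the administrator password unless RUN=echo is set. Because 'Unix Admins' is nested in 'Domain Admins', its members keep the rights of a domain admin while the group itself is the one that carries a gidNumber and the privilege.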