[Samba] File server questions

Rowland Penny rpenny at samba.org
Fri Sep 15 12:29:26 UTC 2017

On Fri, 15 Sep 2017 08:47:45 -0300
Flávio Silveira via samba <samba at lists.samba.org> wrote:

> Ok, just curious, are there any disadvantages between using Windows
> ACLs instead of POSIX ACLs?

None that I am aware of, in fact there are several advantages.

> Also, once I create a file server as Domain Member, how easy will it be
> to migrate from the DC?

Not sure what you mean here, it sounds like you want to turn your Samba
AD DC into a Unix domain member, I am sure you don't want to do this,
so can you explain your question better?

> I am reading this 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> For the "Granting the SeDiskOperatorPrivilege Privilege" section, it 
> mentions "Domain Admins" group, do I need to create all groups with
> below?
> groupadd <group name>
> So, a small step-by-step would be:
> 1- Create all groups with: groupadd <group name>, example: groupadd 
> "Domain Admins"

No, you do not need to create this group, it should already exist in AD

> 2- Create local user accounts with: useradd -M -s /sbin/nologin <user
> name>

No, you do not need any local Unix users, you either create your
windows users (with samba-tool) as Unix users as well, or you extend
your windows users to be Unix users as well.

> 3- Add password to local user accounts with: passwd <user name>

Seeing as you will not create local Unix users, then no.

> 4- Add local user accounts to Samba database with: smbpasswd -a <user
> name>
> 5- Enable Samba account with: smbpasswd -e <user name>

There is a theme here ;-) no

> 6- Add user account to a group with: usermod -G <group name> <user
> name>
> 7- Follow "Granting the SeDiskOperatorPrivilege Privilege" section
> from [1]

No, use samba-tool or the windows tools.

> 8- Follow "Adding a Share" section from [1]
> [1]:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Well, yes, but no ;-)

Yes, you should follow the wikipage.
No, you shouldn't use 'Domain Admins' (I must update that wikipage)
If you use 'Domain Admins', you will need to give the windows group a
gidNumber attribute. This is not a good idea, 'Domain Admins' needs to
own GPOs in sysvol, so it needs to be mapped to 'ID_TYPE_BOTH' in
idmap.ldb on the DC. If you give the group a gidNumber, it becomes just
a group as far as Unix is concerned and groups cannot own anything on

My suggestion is to create a new group in AD (I suggest 'Unix Admins',
but you can call it anything you like), give this new group a gidNumber
and make it a member of 'Domain Admins'. Now wherever it says 'Domain
Admins' on the wikipage, use your new group instead.
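The suggestion above as a runnable script, added here as an example; it is not code from this message or from the Samba project. It assumes a realm SAMDOM with NIS domain "samdom", a free gidNumber of 10000, a new AD group called "Unix Admins", and a samba-tool new enough to have 'group add --gid-number/--nis-domain' and 'group show' (all of these are assumptions, change them to fit). It also checks the caveat in the reply before doing anything: if 'Domain Admins' already carries a gidNumber, it refuses to continue. By default it only prints the commands (DRY_RUN=1).

```shell
#!/bin/sh
# Added example, not code from the list message or from the Samba project.
# Assumptions (change to fit your domain): realm SAMDOM with NIS domain "samdom",
# a free gidNumber 10000, a new AD group named "Unix Admins", and a samba-tool
# recent enough to accept 'group add --gid-number/--nis-domain' and 'group show'.
# DRY_RUN=1 (the default) only prints what would be run; DRY_RUN=0 executes it.
set -eu

DOMAIN="${DOMAIN:-SAMDOM}"
NIS_DOMAIN="${NIS_DOMAIN:-samdom}"
UNIX_ADMINS="${UNIX_ADMINS:-Unix Admins}"
GID_NUMBER="${GID_NUMBER:-10000}"
DRY_RUN="${DRY_RUN:-1}"

# Print a command line, then execute it unless this is a dry run.
run() {
    printf '+'; printf ' %s' "$@"; printf '\n'
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Read an LDIF-style group record on stdin (the format 'samba-tool group show'
# prints) and succeed only if it carries a gidNumber attribute.
has_gid_number() {
    grep -qi '^gidNumber:'
}

# Preflight for the caveat in the reply: 'Domain Admins' must keep its
# ID_TYPE_BOTH mapping in idmap.ldb so it can own the GPOs in sysvol. A
# gidNumber on it turns it into a plain Unix group, so refuse to continue.
check_domain_admins() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "# dry run: not querying the live 'Domain Admins' object"
        return 0
    fi
    command -v samba-tool >/dev/null || { echo "samba-tool not found" >&2; return 1; }
    if samba-tool group show "Domain Admins" | has_gid_number; then
        echo "refusing to continue: 'Domain Admins' has a gidNumber; remove it first" >&2
        return 1
    fi
}

# The three steps suggested in the reply. The samba-tool calls run on a DC (or
# from the member with '-H ldap://dc -U administrator'); 'net rpc rights grant'
# runs on the member file server, as the wiki page does for 'Domain Admins'.
provision_unix_admins() {
    check_domain_admins
    # 1. create the group in AD only, with a gidNumber so Unix sees it as a group
    run samba-tool group add "$UNIX_ADMINS" \
        --gid-number="$GID_NUMBER" --nis-domain="$NIS_DOMAIN"
    # 2. nest it in 'Domain Admins' so its members keep domain-admin rights
    run samba-tool group addmembers "Domain Admins" "$UNIX_ADMINS"
    # 3. grant SeDiskOperatorPrivilege to the new group instead of 'Domain Admins'
    run net rpc rights grant "$DOMAIN\\$UNIX_ADMINS" SeDiskOperatorPrivilege \
        -U "$DOMAIN\\administrator"
}

# Self-check against a constructed record (not real directory output) so the
# gidNumber test is exercised even in a dry run.
SAMPLE_RECORD='dn: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
gidNumber: 10000'
printf '%s\n' "$SAMPLE_RECORD" | has_gid_number || { echo "self-check failed" >&2; exit 1; }

provision_unix_admins
```

Run it once as-is to see the command lines, then with DRY_RUN=0 on the DC for the samba-tool steps and on the file server for the 'net rpc rights grant' step (or point samba-tool at the DC with -H from the member). Wherever the wiki page then says 'Domain Admins', use the new group.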

