[Samba] File server questions

Flávio Silveira fggs at terra.com.br
Mon Sep 18 11:24:56 UTC 2017



On 15/09/2017 09:29, Rowland Penny via samba wrote:
> On Fri, 15 Sep 2017 08:47:45 -0300
> Flávio Silveira via samba <samba at lists.samba.org> wrote:
>
>> Ok, just curious, are there any disadvantages to using Windows
>> ACLs instead of POSIX ACLs?
> None that I am aware of, in fact there are several advantages.

Great!

>> Also, once I create a file server as a Domain Member, how easy will it
>> be to migrate from the DC?
> Not sure what you mean here, it sounds like you want to turn your Samba
> AD DC into a Unix domain member, I am sure you don't want to do this,
> so can you explain your question better ?

Yes, sorry for that. What I meant was: Currently I am setting up a file 
server together with the AD DC, which is not recommended, but given my 
simple scenario it is ok to do it that way, at least that is what I 
understand. My question was: Once I have proper hardware resources to 
have a file server separated from the AD DC, how easy will it be to migrate 
the configs/shares from the AD DC to the separate file server (Domain 
Member)? Does that make sense now?

>> I am reading this
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> For the "Granting the SeDiskOperatorPrivilege Privilege" section, it
>> mentions the "Domain Admins" group, do I need to create all groups with
>> the command below?
>>
>> groupadd <group name>
>>
>> So, a small step-by-step would be:
>>
>> 1- Create all groups with: groupadd <group name>, example: groupadd
>> "Domain Admins"
> No, you do not need to create this group, it should already exist in AD

Ok, how can I verify? How about the other groups? By other groups I mean 
the ones I am creating as my company departments, like Commercial, 
Marketing etc, so I can create shares per department.

>> 2- Create local user accounts with: useradd -M -s /sbin/nologin <user
>> name>
> No, you do not need any local Unix users, you either create your
> windows users (with samba-tool) as Unix users as well, or you extend
> your windows users to be Unix users as well.

Is there any wiki I could follow to do one of the above? Thank you

>> 3- Add password to local user accounts with: passwd <user name>
> Seeing as you will not create local Unix users, then no.

Ok

>> 4- Add local user accounts to Samba database with: smbpasswd -a <user
>> name>
>> 5- Enable Samba account with: smbpasswd -e <user name>
> There is a theme here ;-) no

Ok

>> 6- Add user account to a group with: usermod -G <group name> <user
>> name>
>> 7- Follow "Granting the SeDiskOperatorPrivilege Privilege" section from [1]
> No, use samba-tool or the windows tools.

Could you give an example please?

>> 8- Follow "Adding a Share" section from [1]
>>
>> [1]:
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
> Well, yes, but no ;-)
>
> Yes, you should follow the wikipage.
> No, you shouldn't use 'Domain Admins' (I must update that wikipage)
> If you use 'Domain Admins', you will need to give the windows group a
> gidNumber attribute. This is not a good idea, 'Domain Admins' needs to
> own GPOs in sysvol, so it needs to be mapped to 'ID_TYPE_BOTH' in
> idmap.ldb on the DC. If you give the group a gidNumber, it becomes just
> a group as far as Unix is concerned and groups cannot own anything on
> Unix.
>
> My suggestion is to create a new group in AD (I suggest 'Unix Admins',
> but you can call it anything you like), give this new group a gidNumber
> and make it a member of 'Domain Admins'. Now wherever it says 'Domain
> Admins' on the wikipage, use your new group instead.

Thanks for the explanations, how do I create this new group? With groupadd?

If you can give a full example, I will be very glad! But please don't 
think I am lazy, if there is a wiki that mentions how to do it, just 
point me to it :-)

>
> Rowland
>
>

Regards,
   Flavio Silveira
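An added example, not code from this thread or from the Samba project: the sequence Rowland outlines above (a new AD group that carries a gidNumber and is nested in 'Domain Admins', the SeDiskOperatorPrivilege grant, AD users extended as Unix users, and one group per department) written as a shell script that drives samba-tool and net, the tools he points to instead of groupadd/useradd. The NIS domain 'samdom', the NetBIOS domain 'SAMDOM', the uidNumber/gidNumber values, the user 'jdoe' and the department names are all assumptions, and the samba-tool/net options are the documented ones from the Samba wiki rather than anything stated in the thread. The script only prints the commands unless DRY_RUN=0 is set, and it refuses to put a gidNumber on 'Domain Admins', which is the mistake Rowland warns about.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: NIS domain "samdom",
# NetBIOS domain "SAMDOM", 'Domain Users' already carries gidNumber 10000,
# new groups start at gidNumber 10001, users at uidNumber 20000.
# Default is a dry run that prints each command; DRY_RUN=0 executes on the DC.

: "${DRY_RUN:=1}"
NIS_DOMAIN="${NIS_DOMAIN:-samdom}"       # assumed NIS domain (RFC2307 attribute)
WORKGROUP="${WORKGROUP:-SAMDOM}"         # assumed NetBIOS domain name
DOMAIN_USERS_GID="${DOMAIN_USERS_GID:-10000}"  # assumed gidNumber of 'Domain Users'

# Print the command in dry-run mode, otherwise execute it as given.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 'Domain Admins' must keep its ID_TYPE_BOTH mapping in idmap.ldb on the DC
# (it owns the GPOs in sysvol), so never give it a gidNumber.
reject_domain_admins() {
    if [ "$1" = "Domain Admins" ]; then
        echo "refusing: 'Domain Admins' must keep its idmap.ldb mapping, create a nested group instead" >&2
        return 1
    fi
}

# Create an AD group that is also a Unix group (carries a gidNumber).
create_unix_group() {   # create_unix_group <group> <gidNumber>
    reject_domain_admins "$1" || return 1
    run samba-tool group add "$1" --gid-number="$2" --nis-domain="$NIS_DOMAIN"
}

# Nest the new group in 'Domain Admins' (membership, not a gidNumber on Domain Admins).
nest_in_domain_admins() {   # nest_in_domain_admins <group>
    run samba-tool group addmembers "Domain Admins" "$1"
}

# Grant the privilege needed to set share permissions from the Windows tools.
grant_disk_operator() {   # grant_disk_operator <group>
    run net rpc rights grant "$WORKGROUP\\$1" SeDiskOperatorPrivilege -U "$WORKGROUP\\administrator"
}

# Create an AD user that is also a Unix user; the gidNumber must exist on its primary group.
create_unix_user() {   # create_unix_user <user> <uidNumber>
    run samba-tool user create "$1" --uid-number="$2" --gid-number="$DOMAIN_USERS_GID" \
        --login-shell=/sbin/nologin --unix-home="/home/$1" --nis-domain="$NIS_DOMAIN"
}

add_to_group() {   # add_to_group <group> <user>
    run samba-tool group addmembers "$1" "$2"
}

# Check both sides: AD membership, and whether Unix resolves the group at all.
verify_group() {   # verify_group <group>
    run samba-tool group listmembers "$1"
    run getent group "$1"
}

setup_example() {
    create_unix_group "Unix Admins" 10001
    nest_in_domain_admins "Unix Admins"
    grant_disk_operator "Unix Admins"
    gid=10002
    for dept in Commercial Marketing; do      # assumed department groups
        create_unix_group "$dept" "$gid"
        gid=$((gid + 1))
    done
    create_unix_user jdoe 20000               # assumed user
    add_to_group Commercial jdoe
    verify_group "Domain Admins"
    verify_group Commercial
}

# Run the whole sequence only when invoked as: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    setup_example
fi
```

With the dry run left on, the script is a readable checklist of what would be executed; run it once that way and compare against the wiki page before switching DRY_RUN=0 on the DC. Because 'Unix Admins' is a member of 'Domain Admins' rather than a replacement for it, the built-in group keeps its idmap.ldb mapping and everywhere the wiki says 'Domain Admins' the nested group can be used instead, which is exactly the substitution Rowland suggests.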