[Samba] File server questions

Rowland Penny rpenny at samba.org
Mon Sep 18 12:19:07 UTC 2017


On Mon, 18 Sep 2017 08:24:56 -0300
Flávio Silveira via samba <samba at lists.samba.org> wrote:

> Yes, sorry for that. What I meant was: Currently I am setting up a
> file server together with AD DC, which is not recommended, but given
> my simple scenario it is ok to do it that way, at least that is what I
> understand. My question was: Once I have proper hardware resources to
> have a file server separated from the AD DC, how easy will it be to
> migrate the configs/shares from the AD DC to the separated file
> server (Domain Member)? Makes sense now?

Yes ;-)
I would suggest you use uidNumber & gidNumber attributes instead of the
xidNumbers that the DC uses, then, when you create the Unix domain
member, use the winbind 'ad' backend. It will just be a matter of
creating the required shares/directories and copying the data across.

> 
> >> I am reading this
> >> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >>
> >> For the "Granting the SeDiskOperatorPrivilege Privilege" section,
> >> it mentions "Domain Admins" group, do I need to create all groups
> >> with below?
> >>
> >> groupadd <group name>
> >>
> >> So, a small step-by-step would be:
> >>
> >> 1- Create all groups with: groupadd <group name>, example: groupadd
> >> "Domain Admins"
> > No, you do not need to create this group, it should already exist
> > in AD
> 
> Ok, how can I verify? How about the other groups? By other groups I
> mean the ones I am creating as my company departments, like
> Commercial, Marketing etc, so I can create shares per department.

If you go here:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

You will find a list of the 'well known SIDs'; most of these will be in
AD. If it is on that list, don't try and create them.

You can get a list of groups in AD by running 'samba-tool group list'
on the domain.
BIG NOTE: you will not get all the 'well known SIDs' shown.

The groups you refer to do not exist in AD as standard.

> 
> >> 2- Create local user accounts with: useradd -M -s /sbin/nologin
> >> <user name>
> > No, you do not need any local Unix users, you either create your
> > windows users (with samba-tool) as Unix users as well, or you extend
> > your windows users to be Unix users as well.
> 
> Is there any wiki I could follow to do one of the above? Thank you

To create a new user that is also a Unix user, run something like this:

samba-tool user create User5 passw5rd --nis-domain=samdom \
    --unix-home=/home/User5 --uid-number=10005 --login-shell=/bin/false \
    --gid-number=10000

This needs to be run on the Samba AD DC and you will need to set some
of the options to match your requirements:

User5: change to your new user's name
--nis-domain=samdom: change 'samdom' to your workgroup name
--unix-home=/home/User5: set this to the path to where you want to
store the user's home directory
--login-shell=/bin/false: With this, the user will not be able to log in
to the computer directly (doesn't affect windows), you can use
'/bin/sh' or '/bin/bash'
--uid-number=10005: the UID to use for the new user
--gid-number=10000: the GID for the new user (this will have no effect
on a DC, all users will be members of Domain Users, just like windows)

The last two require numbers, the only problem is that a Samba DC does
not keep a record of the next number to use, you need to do this or you
could end up with users with the same uidNumber, not a good idea.

You can do something similar with ADUC on windows (but not win10) by
adding IDMU, which will give you the Unix Attributes tab and this will
track the next available ID.

> 
> 
> >> 6- Add user account to a group with: usermod -G <group name> <user name>
> >> 7- Follow "Granting the SeDiskOperatorPrivilege Privilege"
> >> section from [1]
> > No, use samba-tool or the windows tools.
> 
> Could you give an example please?

samba-tool group addmembers groupname username

> Thanks for the explanations, how do I create this new group? With
> groupadd?

samba-tool group add "Unix Admins" --nis-domain=samdom \
    --gid-number=12345

samba-tool group addmembers "Domain Admins" "Unix Admins"

Rowland
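The reply above warns that a Samba DC does not record the next uidNumber to hand out, so a duplicate is easy to create by hand. As an added example (not code from the post or from the Samba project), this script takes ldbsearch-style output, reports any uidNumber already assigned more than once, and picks the next free number above a floor; the ldbsearch invocation and the sam.ldb path in the comments are assumed, and the sample output is constructed.

```sh
#!/bin/sh
# Added example, not from the list post: find the next free uidNumber in AD
# and flag duplicates, since a Samba DC does not track the next number itself.
# Real input would come from ldbsearch against sam.ldb (invocation assumed):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)' uidNumber
# SAMPLE below is constructed to stand in for that output.

# Pull the bare numbers out of ldbsearch-style "uidNumber: N" lines.
extract_uids() {
    sed -n 's/^uidNumber: *\([0-9][0-9]*\)[[:space:]]*$/\1/p' | sort -n
}

# next_free_uid FLOOR < ldbsearch_output
# Prints the lowest uidNumber >= FLOOR that no object currently has.
next_free_uid() {
    candidate="$1"
    for n in $(extract_uids | uniq); do
        [ "$n" -lt "$candidate" ] && continue
        [ "$n" -gt "$candidate" ] && break
        candidate=$((candidate + 1))      # taken, try the next one
    done
    echo "$candidate"
}
# duplicate_uids < ldbsearch_output
# Prints any uidNumber held by more than one object (should print nothing).
duplicate_uids() {
    extract_uids | uniq -d
}
# Constructed sample: User5 was given a uidNumber that User2 already has.
SAMPLE='dn: CN=User1,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10001

dn: CN=User2,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10002

dn: CN=User4,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10004

dn: CN=User5,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10002
'
dups=$(printf '%s' "$SAMPLE" | duplicate_uids)
if [ -n "$dups" ]; then
    echo "WARNING: uidNumber(s) assigned more than once: $dups"
fi
next=$(printf '%s' "$SAMPLE" | next_free_uid 10001)
echo "next free uidNumber: $next"
```

Feed the real ldbsearch output into next_free_uid and pass the result as --uid-number to samba-tool user create; an empty result from duplicate_uids is what you want to see before creating more users.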
