[Samba] Fw: AD usres are not show in Domain Controller when apply setfacl command
L.P.H. van Belle
belle at bazuin.nl
Tue Dec 4 13:31:50 UTC 2018
If I may say...
In managing your servers/network, don't use users but user groups. Just a tip.
Your attempt is OK with: setfacl -m group:"EIPL\administrator":rwx /Share
But the use is not correct; you try to set a user as a group in Linux. That's not working.
Or setfacl -m group:"EIPL\Domain Admins":rwx /Share ( but this is on the DC )
Or setfacl -m group:"BUILTIN\Administrators":rwx /Share ( Domain Admins is a member of BUILTIN\Administrators )
Preferred: use BUILTIN\Administrators; it always works on the DCs.
Or setfacl -m user:"BUILTIN\Administrator":rwx /Share
And really try to work with groups, the more the better; I never set a user on things, always groups.
About the mail below.
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> barani tharan via samba
> Sent: Tuesday, 4 December 2018 13:37
> To: samba at lists.samba.org; Rowland Penny
> Subject: Re: [Samba] Fw: AD usres are not show in Domain
> Controller when apply setfacl command
>
> Dear Team
> 1. I get the same error on the domain controller when I try to set
> an ACL on the share
>
> [root at samba4dc ~]# setfacl -m group:"EIPL\administrator":rwx /Share
> setfacl: Option -m: Invalid argument near character 7
>
> [root at samba4dc ~]# id EIPL\administrator
> id: EIPLadministrator: no such user
Yes, correct, user Administrator does not have a UID because Administrator is mapped to root.
If it's correct. ( Most probably the solution is at the end of the mail. )
id Administrator
uid=0(root) gid=0(root) groups=0(root)
> 2. My smb.conf file
I've compared this one with mine; it's the same, at least yours is OK/sufficient for what you want.
> [root at samba4dc ~]# vi /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
> netbios name = SAMBA4DC
> realm = EIPL.COM
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = EIPL
> idmap_ldb:use rfc2307 = yes
>
>
> # idmap config EIPL:backend = ad
> # idmap config EIPL:schema_mode = rfc2307
> # idmap config EIPL:range = 10000-999999
> # tls enabled = yes
> # tls keyfile = tls/Domainkey.pem
> # tls certfile = tls/Mydomain.pem
>
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/eipl.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [Comon]
> path = /Share
> read Only = No
> ~
>
>
> 3. When I view the ACL on that share folder, I see the user ID
> only, not the user name
> [root at samba4dc ~]# getfacl /Share
> getfacl: Removing leading '/' from absolute path names
> # file: Share
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> user:root:rwx
> user:3000000:rwx
> group::r-x
> group:root:r-x
> group:3000000:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:3000000:rwx
> default:mask::rwx
> default:other::r-x
What's shown is correct.
What you see is the ID of users/groups for the AD DC.
wbinfo --gid-to-sid 3000000
wbinfo --uid-to-sid 3000000
Both result in: S-1-5-32-544
wbinfo --sid-to-name S-1-5-32-544
BUILTIN\Administrators 4
>
>
> 4. When I use samba-tool to view users, it shows the user names
>
> [root at samba4dc ~]# samba-tool user list
> Administrator
> Ramkumar
> dns-samba4dc
> rhevadmin
> krbtgt
> Guest
It's still correct, all good here.
> 5. [root at samba4dc ~]# samba -V
> Version 4.7.11
>
>
> I don't know how to solve this problem. One more
> thing: I viewed the links Identity Mapping Back Ends - SambaWiki
> and Setting up RFC2307 in AD - SambaWiki.
> 6. In these links it says:
> 1. ID mapping back ends are not supported in the smb.conf
> file on a Samba AD DC. 2. On an AD DC there should not be more
> than the sysvol and netlogon shares, so the usage of unified
> RFC2307 idmappings is not really important. If you want to
> enable RFC2307 ID mappings on the DC for whatever reason, then
> you would have to verify on the Samba DC that the
> idmap_ldb:use rfc2307
>
I don't see a problem in your setup, only missing one thing. ( That's the link below. )
> 7. In another link, Updating Samba - SambaWiki,
> I saw this option, so please guide
> me to solve this issue; I am really confused:
> Failure To Access Shares on Domain Controllers If idmap
> config Parameters Set in the smb.conf File
>
Did you configure winbind?
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
Greetz,
Louis
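An added example, not part of this thread and not Samba's own tooling: a POSIX shell script that shows (a) why `id EIPL\administrator` came back as `EIPLadministrator` (the shell consumed the backslash) and how quoting keeps the DOMAIN\name intact for setfacl, and (b) how to pick the numeric, unresolved uid/gid entries out of a `getfacl` listing and look them up with `wbinfo`. The `getfacl` sample is constructed from the one quoted above; the only mapping the fallback table knows is the 3000000 -> S-1-5-32-544 -> BUILTIN\Administrators result from the reply, and it is used only when `wbinfo` is not installed.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the two problems above:
# how the shell delivers a DOMAIN\name argument, and how to find and resolve
# numeric ids in getfacl output.

# Echo the first argument exactly as the shell delivered it.
show_arg() {
    printf '%s' "$1"
}

# Unquoted, the shell eats the backslash: "EIPLadministrator".
# This is exactly why `id EIPL\administrator` said "EIPLadministrator: no such user".
unquoted_name() { show_arg EIPL\administrator; }

# Double quotes keep a backslash that is not followed by $ ` " \ or newline.
double_quoted_name() { show_arg "EIPL\administrator"; }

# Single quotes keep everything, which also protects the space in "Domain Admins".
single_quoted_name() { show_arg 'EIPL\Domain Admins'; }

# Build the ACL entry the reply recommends: a group entry, never a user entry.
group_acl_spec() {
    printf 'group:%s:rwx' "$1"
}

# Constructed getfacl output, modelled on the listing quoted in the thread.
SAMPLE_GETFACL='# file: Share
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
group::r-x
group:root:r-x
group:3000000:rwx
mask::rwx
other::---
default:user:3000000:rwx
default:group:3000000:rwx'

# Print "kind id" for every entry whose qualifier is purely numeric, i.e. an id
# that could not be turned into a name (default: entries are folded in).
numeric_entries() {
    printf '%s\n' "$1" \
    | sed -e 's/^default://' \
    | grep -E '^(user|group):[0-9]+:' \
    | awk -F: '{ print $1, $2 }' \
    | sort -u
}

# Resolve one id. With winbind available this asks wbinfo (the commands the
# reply shows); otherwise it falls back to a constructed table that holds only
# the mapping quoted in the thread, so anything else reports UNRESOLVED.
resolve_id() {
    kind=$1
    id=$2
    if command -v wbinfo >/dev/null 2>&1; then
        if [ "$kind" = user ]; then
            sid=$(wbinfo --uid-to-sid "$id")
        else
            sid=$(wbinfo --gid-to-sid "$id")
        fi
        wbinfo --sid-to-name "$sid"
    else
        case $id in
            3000000) printf 'BUILTIN\\Administrators 4' ;;   # S-1-5-32-544, from the thread
            *)       printf 'UNRESOLVED' ;;
        esac
    fi
}

# Walk a getfacl listing and show what each numeric entry maps to.
audit_acl() {
    numeric_entries "$1" | while read -r kind id; do
        printf '%s %s -> %s\n' "$kind" "$id" "$(resolve_id "$kind" "$id")"
    done
}

audit_acl "$SAMPLE_GETFACL"
```

Run it on a DC with winbind configured and `resolve_id` goes through `wbinfo`; numeric entries that still come back unresolved there are the ones worth checking before handing out rights, and, as the reply says, the entries you add yourself should be group entries.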