[Samba] Building a replacement Samba4 server to replace a Samba3 system, running into file rights issues.

Rowland penny rpenny at samba.org
Sun Dec 8 20:01:48 UTC 2019

On 08/12/2019 18:18, Howard Fleming via samba wrote:
> I am building a Samba4 setup to replace a Samba3 server I built for a 
> small non-profit school back in 2012.
> It is running CentOS 6.x, samba version 3.6.23-52.el6_10.  Rather than 
> attempt to upgrade this system to Samba4, it makes more sense (to me 
> at least) to build a new server and move the data.
Good plan, at least you start without any bad ideas from an NT4-style domain.
> Currently I have 2 samba servers running as virtual machines under 
> kvm.  One is the AD server, the other is a member server that is 
> running the file shares.  The kvm server and the samba servers are all 
> running Debian 10, and I am using the default Debian 10 repos for the 
> samba packages.
> The current problem I am running into is the rights on the shares for 
> the users.  When I create a user via aduc, and set the home directory, 
> it gets created as it should, but all users can see all the home 
> directories, including contents.  I am also running into rights issues 
> with the shared directories.

How are the users' home directories being created? Are you using 
pam_mkhomedir?

If so, this could be your problem.

> I can join Windows 10 and 7 computers into AD without any issues, so 
> I am assuming I set something up wrong, either in AD or when I added 
> the 2nd server for file services.

Just a few notes on your files:

I would remove example.com from the search line in /etc/resolv.conf.

You do not need the template lines in the DC smb.conf, you are not 
allowing anyone to log in there.

I would also install the libpam-krb5 package on both machines.

On the Member server, you have commented out 'idmap config BREC : 
unix_nss_info = yes' which is correct for your version of Samba, but you 
have 'winbind nss info = rfc2307' which is wrong for your Samba version.
You also have:
         template shell = /bin/bash
         template homedir = /brecdata/user/%U

Which means that you are not using the RFC2307 attributes in AD, so you 
don't need 'idmap config BREC : unix_nss_info = yes' anyway.

You do not need to set 'browseable = yes' on the shares, it is the default.

It might help if you read this:



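To make the two configurations Rowland contrasts concrete, here is an added example of a member-server smb.conf; it is not the original poster's file and not taken from the Samba project's own documentation. Variant A is the "template" setup (UIDs derived with the rid backend, shell and home directory from the template lines, no RFC2307 attributes needed in AD). Variant B is the RFC2307 setup (uidNumber, gidNumber, loginShell and unixHomeDirectory read from AD via the ad backend and unix_nss_info). The workgroup BREC and the /brecdata/user path come from the thread; the realm, netbios name and idmap ranges are assumptions. The point is that each variant uses one pair of settings, never both, which is the mix the poster's file had.

```ini
# Added example, not the poster's configuration. Realm, netbios name and
# idmap ranges are assumptions; BREC and /brecdata/user come from the thread.
# Pick ONE of the two variants for /etc/samba/smb.conf on the member server.

# === Variant A: no RFC2307 attributes in AD, ids come from the rid backend ===
[global]
        workgroup = BREC
        security = ADS
        realm = BREC.EXAMPLE.COM                  ; assumption
        netbios name = FILESERVER                 ; assumption

        winbind use default domain = yes
        winbind refresh tickets = yes
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        ; the '*' (default) domain range must not overlap the BREC range
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config BREC : backend = rid
        idmap config BREC : range = 10000-999999

        ; shell and home come from these templates, so there is NO
        ; 'winbind nss info = rfc2307' and NO 'unix_nss_info = yes' here
        template shell = /bin/bash
        template homedir = /brecdata/user/%U

        ; let Windows ACLs be stored and honoured on the Linux side
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

[users]
        path = /brecdata/user
        read only = no
        ; 'browseable = yes' is the default and does not need setting


# === Variant B: RFC2307 attributes maintained in AD (uidNumber etc.) ===
[global]
        workgroup = BREC
        security = ADS
        realm = BREC.EXAMPLE.COM                  ; assumption
        netbios name = FILESERVER                 ; assumption

        winbind use default domain = yes
        winbind refresh tickets = yes
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        ; 'ad' backend reads uidNumber/gidNumber; unix_nss_info also reads
        ; loginShell and unixHomeDirectory, replacing the template lines
        idmap config BREC : backend = ad
        idmap config BREC : schema_mode = rfc2307
        idmap config BREC : range = 10000-999999
        idmap config BREC : unix_nss_info = yes

        ; no template shell / template homedir in this variant, and the
        ; old 'winbind nss info = rfc2307' form is not used on this version

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

[users]
        path = /brecdata/user
        read only = no
```

After changing idmap settings, `testparm -s` shows what Samba actually parsed, and `getent passwd someuser` after restarting winbind confirms where the shell and home directory are coming from. One further caveat, added here rather than stated in the thread: if the home directories are created by pam_mkhomedir, its default umask of 0022 produces mode 0755 directories, which every domain user can list and read, matching the symptom described above; `umask=0077` on the pam_mkhomedir line in /etc/pam.d/common-session creates them private to the owner.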