[Samba] Building a replacement Samba4 server to replace a Samba3 system, running into file rights issues.
rpenny at samba.org
Sun Dec 8 20:01:48 UTC 2019
On 08/12/2019 18:18, Howard Fleming via samba wrote:
> I am building a Samba4 setup to replace a Samba3 server I built for
> small non profit school back in 2012.
> It is running CentOS 6.x, samba version 3.6.23-52.el6_10. Rather than
> attempt to upgrade this system to Samba4, it makes more sense (to me
> at least) to build a new server and move the data.
Good plan, at least you start without any bad ideas from an NT4-style domain
> Currently I have 2 samba servers running as virtual machines under
> kvm. One is the AD server, the other is a member server that is
> running the file shares. The kvm server and the samba servers are all
> running Debian 10, and I am using the default Debian 10 repos for the
> samba packages.
> The current problem I am running into are the rights on the shares for
> the users. When I create a user via aduc, and set the home directory,
> it gets created as it should, but all users can see all the home
> directories, including contents. I am also running into rights issues
> with the shared directories also.
How are the users home directories being created, are you using
If so, this could be your problem.
> I can join Windows 10 and 7 computers into AD with out any issues, so
> I am assuming I set something up wrong, either in AD or when I added
> the 2nd server for file services.
Just a few notes on your files:
I would remove example.com from the search line in the /etc/resolv.conf
You do not need the template lines in the DC smb.conf, you are not
allowing anyone to login in.
I would also install the libpam-krb5 package on both machines
On the Member server, you have commented out 'idmap config BREC :
unix_nss_info = yes' which is correct for your version of Samba, but you
have 'winbind nss info = rfc2307' which is wrong for your Samba version.
You also have:
template shell = /bin/bash
template homedir = /brecdata/user/%U
Which means that you are not using the RFC2307 attributes in AD, so you
don't need 'idmap config BREC : unix_nss_info = yes' anyway
You do not need to set 'browseable = yes' on the shares, it is the default
It might help if you read this:
More information about the samba