[Samba] Permission issue

Rowland Penny rpenny at samba.org
Mon Feb 11 08:57:16 UTC 2019


On Mon, 11 Feb 2019 06:31:21 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
> 
> Thank you for that. 
> 
> I had that link but got a bit confused about whether I should leave it
> or add it. This is because the DC also has file shares; I thought I
> needed to add the idmap configs to enable the domain users to access
> the shares. I'll remove the lines from the smb.conf.

I will try and make it a bit more obvious on the Samba wiki.
It isn't recommended to use a DC as a fileserver. This is for various
reasons, but one of them is that you haven't got the control that you
have with a Unix domain member.

> 
> There is another question that I would request your input on. During
> the classicupgrade we selected the SAMBA INTERNAL DNS. The DC
> box didn't originally have any DNS roles. That role and DHCP are
> assigned to a different Ubuntu box running Bind9. I've read somewhere
> in these forums that I can just add the AD zone as a zone in the
> Bind9 (named.conf.local) box and the DC box as the master of the zone.

If you read this wiki page:

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End

Under the heading 'Introduction', there is this:

BIND must be installed on the same machine as the Samba AD domain
controller (DC).

This is for several reasons, but the main one is, bind_dlz needs to
access the Samba database directly.

Normally you would have the DC be authoritative for the AD domain and
forward anything outside the AD domain to an external DNS server (note:
all DCs are authoritative for the DNS domain; it is multi-master).
As I don't know your setup, I cannot really suggest further. What I can
say is that you can also run a DHCP server on the DC.


> 
> Would that work? If it does, is there a way we can import all the
> Bind9 zones into the Internal DNS automagically, or do we need to dump
> the zones out of the Bind9 files and use samba-tool to create them in
> AD?

You should not be using a Samba DC with Bind flatfiles, so you would
probably have to create the zones in AD, except I think you will find
they already exist. Samba also provides a script to upgrade to Bind9;
this is 'samba_upgradedns', see 'samba_upgradedns --help'.

Rowland
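As an added illustration of the setup Rowland describes (the DC is authoritative for the AD DNS zone and forwards everything else to the existing Bind9 box), here is what the DC's smb.conf looks like when the SAMBA_INTERNAL backend is kept after a classicupgrade. This is an editor's example, not a configuration posted in the thread: the realm, workgroup, hostname and the forwarder address are placeholders, and the sysvol path assumes a default Samba installation prefix. Note that there are no idmap config lines, which belong on a Unix domain member, not on a DC.

```ini
# /etc/samba/smb.conf on the Samba AD DC (example values, not from the thread)
[global]
    # Forward everything that is not an AD zone to the external DNS server.
    # 192.168.1.5 is a placeholder for the Ubuntu Bind9/DHCP box.
    dns forwarder = 192.168.1.5
    netbios name = DC1
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    workgroup = SAMDOM
    idmap_ldb:use rfc2307 = yes
    # No idmap config ranges here: on a DC the internal DNS and the
    # idmap_ldb backend are handled for you, unlike on a domain member.

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/samdom.example.com/scripts
    read only = No
```

With this in place the DC's own /etc/resolv.conf should point at the DC itself (the internal DNS answers for the AD zones and forwards the rest), and the existing Bind9 box does not need a copy of the AD zone at all. To confirm the AD zones were created by the upgrade and that SRV records resolve, run `samba-tool dns zonelist DC1 -U Administrator` on the DC and `host -t SRV _ldap._tcp.samdom.example.com.` from a client; substitute the real DC name and realm. If the Bind9 server itself is later wanted as the backend, it has to run on the DC and be switched with `samba_upgradedns --dns-backend=BIND9_DLZ`, as the wiki page linked above describes.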
