[Samba] creating user directories with default group
Rowland penny
rpenny at samba.org
Wed Oct 16 14:35:35 UTC 2019
On 16/10/2019 15:11, Stephen Atkins wrote:
> On 16/10/2019 1:05 a.m., Rowland penny via samba wrote:
>> On 15/10/2019 22:56, Stephen Atkins via samba wrote:
>>> Hello. I've got my AD DC working and I can login with various user
>>> accounts and domain admin accounts. I've got the home directory
>>> being created when I create the user profile. The only problem is that
>>> it creates it with a group of "domain users" with permissions of
>>> rwxrwx---. I would like the default group to be "domain admins" for
>>> every created home dir. Is this possible? If not I can manually
>>> change this afterwards, but it would be nice not to.
>>>
>>> Thanks.
>>
>> Probably not, mainly because all AD users get 'Domain Users' as their
>> default group. There are ways around this, but not on a DC (which
>> isn't recommended as a fileserver).
>>
>> Can you post your smb.conf.
>
> This is my smb.conf for my fileserver which is not my DC.
>
> [global]
> workgroup = AD
> realm = AD.MYCOMPANY.COM
> netbios name = fileserver
> security = ADS
> dns forwarder = 192.168.1.3
You do not set a forwarder on a Unix domain member.
>
> idmap config * : backend = tdb
> idmap config *:range = 10000-50000
One of two things here: you either haven't set up 'idmap config'
correctly or you are using sssd; if the latter, stop using it. Either
way, read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
and one of these:
https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Idmap_config_rid
>
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> [shared]
> path = /mnt/usershares
> read only = no
>
> [users]
> path = /home/AD
> read only = no
>
> This is my smb.conf for my AD DC
>
> # Global parameters
> [global]
> netbios name = DC1
> realm = AD.MYCOMPANY.COM
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbi$
> workgroup = AD
> # idmap config AD: unix_nss_info = yes
> idmap_ldb:use rfc2307 = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
Remove the last three lines above; they have no place on a Samba AD DC.
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad.mdwainwright.ca/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
Rowland
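As an added illustration that is not part of this thread (and not the poster's own file), here is the member server's [global] section as posted, followed by a version with the points raised above applied: the 'dns forwarder' line dropped, and a per-domain idmap backend added next to the '*' default backend so that 'AD' users and groups get stable IDs instead of falling into the default tdb allocation. The choice of the 'rid' backend and the specific ranges are assumptions taken from the Samba wiki pages linked above; the domain and realm are the placeholders used in the thread.

```ini
# --- As posted (problematic) ---
# Only the '*' default domain is configured, so every AD user and group
# is allocated an ID from the tdb backend on first sight. Those IDs are
# not reproducible on another host, and 'dns forwarder' is a DC-only
# parameter that does nothing on a Unix domain member.
[global]
   workgroup = AD
   realm = AD.MYCOMPANY.COM
   netbios name = fileserver
   security = ADS
   dns forwarder = 192.168.1.3
   idmap config * : backend = tdb
   idmap config *:range = 10000-50000

# --- Corrected (assumed layout, following the wiki's rid example) ---
# The '*' backend still handles BUILTIN and any unexpected domain, and
# the 'AD' domain gets its own backend with a non-overlapping range.
# With the rid backend, 'template homedir' and 'template shell' supply
# the home directory and shell, so 'winbind nss info = rfc2307' is not
# needed; that setting only matters with the 'ad' backend.
[global]
   workgroup = AD
   realm = AD.MYCOMPANY.COM
   netbios name = fileserver
   security = ADS

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config AD : backend = rid
   idmap config AD : range = 10000-999999

   template homedir = /home/%D/%U
   template shell = /bin/bash
   winbind use default domain = yes
   winbind offline logon = no

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
```

After changing the idmap backend, IDs already allocated from the old tdb range will no longer match the new rid-derived IDs, so existing files under the shares would need their ownership checked; 'testparm' will flag overlapping ranges before winbind is restarted.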