[Samba] creating user directories with default group

Rowland penny rpenny at samba.org
Wed Oct 16 14:35:35 UTC 2019


On 16/10/2019 15:11, Stephen Atkins wrote:
> On 16/10/2019 1:05 a.m., Rowland penny via samba wrote:
>> On 15/10/2019 22:56, Stephen Atkins via samba wrote:
>>> Hello. I've got my AD DC working and I can login with various user 
>>> accounts and domain admin accounts.  I've got the home directory 
>>> being created when I create the user profile.  Only problem is that 
>>> it creates it with a group of "domain users" with permissions of 
>>> rwxrwx---.  I would like the default group to be "domain admins" for 
>>> every created home dir.  Is this possible?  If not I can manually 
>>> change this afterwards but it would be nice not to.
>>>
>>> Thanks.
>>
>> Probably not, mainly because all AD users get 'Domain Users' as their 
>> default group. There are ways around this, but not on a DC (which 
>> isn't recommended as a fileserver).
>>
>> Can you post your smb.conf.
>
> This is my smb.conf for my fileserver which is not my DC.
>
> [global]
>         workgroup = AD
>         realm = AD.MYCOMPANY.COM
>         netbios name = fileserver
>         security = ADS
>         dns forwarder = 192.168.1.3
You do not set a forwarder on a Unix domain member.
>
>         idmap config * : backend = tdb
>         idmap config *:range = 10000-50000

One of two things here: you either haven't set up 'idmap config' 
correctly or you are using sssd; if the latter, stop using it. Either 
way, read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and one of these:

https://wiki.samba.org/index.php/Idmap_config_ad

https://wiki.samba.org/index.php/Idmap_config_rid

>
>         template homedir = /home/%D/%U
>         template shell = /bin/bash
>         winbind use default domain = true
>         winbind offline logon = false
>         winbind nss info = rfc2307
>         winbind enum users = yes
>         winbind enum groups = yes
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>
> [shared]
>         path = /mnt/usershares
>         read only = no
>
> [users]
>         path = /home/AD
>         read only = no
>
> This is my smb.conf for my AD DC
>
> # Global parameters
> [global]
>         netbios name = DC1
>         realm = AD.MYCOMPANY.COM
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbi$
>         workgroup = AD
> #       idmap config AD: unix_nss_info = yes
>         idmap_ldb:use rfc2307 = yes
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
Remove the last three lines above; they have no place on a Samba AD DC.
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ad.mdwainwright.ca/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No

Rowland
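The two problems Rowland points at in the fileserver config (a 'dns forwarder' line, which only a DC uses, and an 'idmap config' that consists of the '*' block alone, so the domain's users and groups get IDs handed out by the tdb backend on first sight and those IDs differ from one member server to the next) are easy to check for mechanically. The script below is an added example, not code from the thread or from the Samba project: it writes two constructed smb.conf files (a copy of the posted [global] section and a corrected one using the 'rid' backend in the style of the wiki page Rowland links; the file names and the ranges 3000-7999 and 10000-999999 are my assumptions) and runs a small linter over each. It also flags a '*' range that overlaps the domain range, since Samba requires idmap ranges to be disjoint.

```shell
#!/bin/sh
# Added example (not from the thread): lint a Unix domain member smb.conf for
# a 'dns forwarder' line, a missing per-domain 'idmap config <WORKGROUP> : backend'
# block, and a '*' idmap range that overlaps the domain's range.
# Returns 0 when the file passes, 1 otherwise; each finding goes to stderr.
check_member_smbconf() {
    conf="$1"
    rc=0
    # Normalise: drop comments, trim, squeeze spaces around '=' and ':'.
    norm=$(sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
               -e 's/[[:space:]]*=[[:space:]]*/=/' \
               -e 's/[[:space:]]*:[[:space:]]*/:/' "$conf")
    workgroup=$(printf '%s\n' "$norm" | grep -i '^workgroup=' | head -n1 | cut -d= -f2)
    if [ -z "$workgroup" ]; then
        echo "no 'workgroup' set" >&2; rc=1
    fi
    if printf '%s\n' "$norm" | grep -qi '^dns forwarder='; then
        echo "'dns forwarder' is a DC option; remove it on a domain member" >&2; rc=1
    fi
    if ! printf '%s\n' "$norm" | grep -qi "^idmap config ${workgroup}:backend="; then
        echo "no 'idmap config ${workgroup} : backend' line; domain users would be" \
             "allocated IDs from the '*' backend, which is not reproducible" >&2; rc=1
    fi
    star_range=$(printf '%s\n' "$norm" | grep -i '^idmap config \*:range=' | head -n1 | cut -d= -f2)
    dom_range=$(printf '%s\n' "$norm" | grep -i "^idmap config ${workgroup}:range=" | head -n1 | cut -d= -f2)
    if [ -n "$star_range" ] && [ -n "$dom_range" ]; then
        s_lo=${star_range%-*}; s_hi=${star_range#*-}
        d_lo=${dom_range%-*};  d_hi=${dom_range#*-}
        # Two closed intervals overlap when each starts before the other ends.
        if [ "$s_lo" -le "$d_hi" ] && [ "$d_lo" -le "$s_hi" ]; then
            echo "'*' range $star_range overlaps domain range $dom_range" >&2; rc=1
        fi
    fi
    return $rc
}

# Constructed sample configs (paths are assumptions for this example).
SAMPLE_DIR=$(mktemp -d)

# A copy of the fileserver [global] section as posted in the thread.
cat > "$SAMPLE_DIR/posted.conf" <<'EOF'
[global]
        workgroup = AD
        realm = AD.MYCOMPANY.COM
        netbios name = fileserver
        security = ADS
        dns forwarder = 192.168.1.3
        idmap config * : backend = tdb
        idmap config *:range = 10000-50000
        template homedir = /home/%D/%U
        winbind use default domain = true
EOF

# A corrected member config: no forwarder, a per-domain 'rid' block, disjoint ranges.
cat > "$SAMPLE_DIR/fixed.conf" <<'EOF'
[global]
        workgroup = AD
        realm = AD.MYCOMPANY.COM
        netbios name = fileserver
        security = ADS
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config AD : backend = rid
        idmap config AD : range = 10000-999999
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind use default domain = yes
EOF

for f in posted fixed; do
    if check_member_smbconf "$SAMPLE_DIR/$f.conf"; then
        echo "$f.conf: OK"
    else
        echo "$f.conf: needs fixing"
    fi
done
```

With the 'rid' backend the ID of a user or group is derived from its SID (base of the range plus the RID), so every member server that shares the same 'idmap config AD' range resolves 'Domain Users' and each home directory owner to the same numeric IDs; with only the '*' tdb block, as posted, the mapping is whatever order the server first saw the accounts in.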
