[Samba] make other domain controller shares available to windows clients.

Rowland penny rpenny at samba.org
Sat Jul 11 19:16:57 UTC 2020

On 11/07/2020 20:00, Mike via samba wrote:
> On Sat, Jul 11, 2020 at 1:41 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> Hi, did you miss the bits about it not being recommended to use a DC as a
>> fileserver
> Yes, this I was aware of. Limited budget and resources made it
> necessary to configure the Samba AD DC with file shares too.
>> and that you must set the ACLs from Windows.
> This I was not aware of --- I've been using setfacl for the last 5
> years and never installed RSAT.
> I use samba-tool on the command line to create/modify domain user accounts.
> I've used the following example command to make sure shares are
> readable/writable for users:  setfacl -R -m g:users:rwx /mnt/data
> I thought choosing samba-tool or RSAT was down to sysadmin choice.
> I'll try to find this in the wiki.

When you set permissions on a share, they are stored in three places:

In the standard Unix 'ugo' that 'ls' shows.

In an extended ACL that 'getfacl' shows.

In an extended attribute that 'getfattr' shows. The only real way to set this 
is from Windows, and you need to set this correctly on a DC.

>> Also, you are using the wrong group, it should be Domain Users.
> Makes sense, I just cannot figure out why ( setfacl -R -m g:users:rwx
> /mnt/data) has always worked for setting AD acls readable/writable for
> all domain accounts.
> At any rate, it would appear I need to move to RSAT.
> And, it appears I need to make a choice about the spare box I have
> inherited: deploy it as a backup AD DC or deploy it as a domain member
> providing file shares.

If you have a spare box, then using it as a Unix domain member and 
sharing files from this, would be the best idea.
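
The three stores described in the reply above can be checked per path with the following sketch, an added example that is not part of the original post. It assumes Linux and uses the attribute names system.posix_acl_access (what getfacl reads) and security.NTACL (where Samba's acl_xattr module keeps the Windows ACL), neither of which is named in the thread; the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Report which of the three permission stores is populated for each path."""
import errno
import os
import stat
import sys

POSIX_ACL = "system.posix_acl_access"  # the extended ACL that getfacl displays
NT_ACL = "security.NTACL"              # assumed name: Samba acl_xattr storage

# "Not there" and "not allowed to read" are both reported as absent.
_ABSENT = {errno.ENODATA, errno.ENOTSUP, errno.EPERM, errno.EACCES}


def has_xattr(path, name):
    """True if the named extended attribute exists on path (Linux only)."""
    try:
        os.getxattr(path, name, follow_symlinks=False)
        return True
    except OSError as exc:
        if exc.errno in _ABSENT:
            return False
        raise


def permission_layers(path):
    """Return the state of all three stores for one file or directory."""
    mode = os.lstat(path).st_mode
    return {
        "ugo": stat.filemode(mode),                   # what 'ls -l' shows
        "posix_acl": has_xattr(path, POSIX_ACL),      # what 'getfacl' shows
        "nt_acl": has_xattr(path, NT_ACL),            # what 'getfattr' shows
    }


def missing_nt_acl(root):
    """List paths under root (inclusive) that carry no Windows ACL xattr."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if not os.path.islink(path) and not has_xattr(path, NT_ACL):
                found.append(path)
    return found


if __name__ == "__main__":
    for p in missing_nt_acl(sys.argv[1]):
        print(p, permission_layers(p))
```

Run it as root against the share path, so that an attribute the caller is not permitted to read is not reported as missing. Paths it lists have only the Unix-side permissions and no ACL stored in the extended attribute.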

