[Samba] Guides to AD integration using Win ACL and nested groups
Deas, Jim
James.Deas at warnerbros.com
Mon Jun 28 14:23:34 UTC 2021
I am having issues understanding the options required to make Samba use native Windows ACLs. If I remove WinACL 'everybody' from a share's folder, it becomes unavailable even though AD group membership should allow it.
Currently I can use wbinfo to obtain all users and groups from Win AD, which I believe confirms winbind is working correctly (using the ad backend; should I be using rid?).
Currently, running 'net rpc group list' I only see Guest, Administrators and Users. (Do I need to create local AD groups?)
The share is stored on an ext4 filesystem with xattr, and I see the security information being written to the folder and file xattrs when changed from Windows' AD manager.
I'm sure I am crossing the streams here a bit. Is there a good guide showing the use of Windows ACLs exclusively, outside of sssd (including nested groups, so I believe sssd is out)?
I have downloaded 'Setting up a Share Using Windows ACLs' from the SambaWiki, but I must be misinterpreting the contents.
Here is the config:
    [global]
        workgroup = MYGROUP
        security = ADS
        realm = MYREALM.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        server signing = no
        strict sync = no
        min protocol = SMB2
        ea support = yes
        log level = 1 auth:5 winbind:5
        log file = /var/log/samba.log
        idmap config * : backend = tdb
        idmap config * : range = 500 - 9999
        idmap config MYGROUP : backend = ad
        idmap config MYGROUP : range = 10000 - 999999
        username map = /etc/samba/user.map
        vfs objects = acl_xattr
        map acl inherit = yes
        fruit:aapl = yes
        winbind use default domain = yes
        winbind refresh tickets = yes
        winbind enum users = yes
        winbind enum groups = yes

    [Test]
        comment = test raid
        path = /raid/Media/Test
        writeable = yes
        fruit:resource = stream
        fruit:metadata = stream
        fruit:zero_file_id = yes
        # The original line lacked "objects =" and would be ignored by Samba's parser.
        # Note: a share-level "vfs objects" replaces the global list rather than extending it.
        vfs objects = fruit streams_xattr acl_xattr
        acl_xattr:ignore system acl = yes
        veto files = /lost+found
        hide files = /lost+found
Regards,
JD
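As an added example (not part of the post or of Samba itself), a small smb.conf linter that catches the two things most likely to silently drop acl_xattr from a share: a badly formed line Samba's parser ignores, and a share-level 'vfs objects' that replaces the global list without listing acl_xattr. The sample config is a constructed, cut-down copy of the one in the post.

```python
"""Lint smb.conf sections for the settings Windows-ACL shares rely on."""
import re

# Constructed sample based on the post; the malformed vfs line is kept on purpose.
SAMPLE_CONF = """\
[global]
    vfs objects = acl_xattr
    map acl inherit = yes
    ea support = yes
[Test]
    path = /raid/Media/Test
    writeable = yes
    vfs fruit streams_xattr acl_xattr
    acl_xattr:ignore system acl = yes
"""


def parse_smb_conf(text):
    """Return ({section: {key: value}}, [(lineno, malformed line)]).

    Hand-rolled because smb.conf keys may contain spaces and colons
    ("idmap config * : backend"), which trips up configparser.
    """
    sections, malformed, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
        else:
            malformed.append((lineno, line))  # Samba logs and skips these
    return sections, malformed


def check_windows_acl_shares(text):
    """Return a list of findings; an empty list means the shares look consistent."""
    sections, malformed = parse_smb_conf(text)
    findings = [f"line {n}: no '=' in '{l}'; Samba ignores badly formed lines"
                for n, l in malformed]
    global_vfs = sections.get("global", {}).get("vfs objects", "")
    if sections.get("global", {}).get("map acl inherit", "no").lower() != "yes":
        findings.append("[global]: 'map acl inherit = yes' is missing")
    for name, params in sections.items():
        if name in ("global", "homes", "printers"):
            continue
        # A share-level 'vfs objects' REPLACES the global list; it does not extend it.
        vfs = params.get("vfs objects", global_vfs).split()
        if "acl_xattr" not in vfs:
            findings.append(f"[{name}]: vfs objects {vfs} lacks acl_xattr")
    return findings
```

Run it over /etc/samba/smb.conf before reaching for testparm; a clean result means acl_xattr is actually loaded on every share, which the post's config could not guarantee.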