[Samba] clients not connecting to samba shares

Rowland Penny rpenny at samba.org
Tue Apr 11 19:09:10 UTC 2023



On 11/04/2023 19:05, Gary Dale via samba wrote:

>> I will say it again, you are using a Samba AD DC as a fileserver, this 
>> means that you must set the permissions from a Windows machine and 
>> those permissions are stored in an EA, what you see from 'ls' is 
>> irrelevant
>> I will say this again, you will be better off running a separate 
>> fileserver (Unix domain member).
> That's what I am doing. However, the permissions set from Linux are what 
> the wiki on setting up file shares says to use.

Are you following this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

or this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

> What is this telling me?

It is telling me that you are mixing local Linux users and Domain groups.


>>
> I'm maintaining Linux access by owning the folders with my Linux account 

First mistake.

> but using the Windows group to allow Windows users to access them. I've 
> tried propagating the ownership of the folder I'm most interested in to 
> both :HOME\Domain Admins and also :HOME\Domain Users but neither is 
> allowing me to see the folders in Windows. Nor can I grab access rights 
> through the Windows Properties Security tab on the share.
> 
> I get the same results when I follow the letter of the file server wiki 
> and set the share ownership to root.

You do not have to believe me or follow what I advise, but if you don't, 
I am finished with this thread.

You do not use local Unix users with AD; you create the required users 
in AD and use those. To prove it, look at this:

rowland at devstation:~$ grep 'rowland' /etc/passwd
rowland at devstation:~$

As you can see, my username isn't in /etc/passwd

So, how does this work ?

rowland at devstation:~$ getent passwd rowland
rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash

Yes, my username etc. comes from AD.

I am fairly sure that I have said this: forget most of what you know 
about NT4-style domains, you need to put EVERYTHING into AD.
You only need a few local Unix users (perhaps only one) just in case 
something locally goes wrong and you need to log in and fix it.

You can have multiple DCs for failover; if one DC goes faulty, you can 
easily replace it without losing the domain.

Rowland


