[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility
Peter Milesson
miles at atmos.eu
Sat Jan 14 19:00:35 UTC 2023
On 14.01.2023 18:50, Rowland Penny via samba wrote:
>
>
> On 14/01/2023 17:22, Peter Milesson via samba wrote:
>
>> Hi Rowland,
>>
>> Thanks for the input.
>>
>> The DC with Louis' packages will be next in line for replacement. I
>> have noticed there have not been any updates for quite a while.
>>
>> I wasn't aware that the rid backend makes all AD users Linux users.
>> It is definitely not clear from the Wiki. Will it pose a problem with
>> compatibility on Windows workstations when accessing the shares?
>
> It would be a bigger problem if your users (and groups) didn't have
> Linux IDs.
>
> The 'rid' idmap backend calculates the Linux ID from the AD object's
> RID, so if you use the same basic smb.conf on all Samba machines, the
> user or group will always get the same Linux ID. To get this all to
> work, you need to set up nsswitch.
>
> One other thing you need to be aware of, unlike earlier versions of
> Samba, you do not create local Unix users, you just create users and
> groups in AD and Samba will map them to Unix ones.
>
>> Will there be any limitations, or otherwise crippled behavior?
>> Anyway, there will be no access allowed to the server outside Samba,
>> except for Linux administration tasks. Is there a simple way to
>> migrate to ad backend from rid?
>
> You would still have the same non-problem; for your users to store
> data on the Unix domain member, they need to be known to the Linux
> machine, so you would have to give every user a uidNumber attribute
> and Domain Users would have to have a gidNumber attribute.
>
>> Otherwise I see a daunting task before me setting new permissions on
>> everything according to each user's permission mix.
>
> Which is why you set them via Windows and use groups.
>
>>
>> So the two lines
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>>
>> are actually sufficient for getting the best Windows server
>> compatibility, without the other options?
>
> Yes, one of the lines is actually set for you because of the
> vfs_objects line and you do not need the others if you set the
> permissions from Windows.
>
>>
>> I have never used anything else than the RSAT tools (AD, DNS, GPO) to
>> manage the share permissions on the existing server. I have no
>> intention to use anything else on the new server, unless absolutely
>> required.
>>
>> About setting up the profile share, I would very much try to avoid
>> using roaming user profiles. I have been using folder redirection for
>> quite some years, and it is definitely much more efficient than
>> roaming profiles. There are quite a few users that insist on
>> cluttering their desktops with tens of GB of files, even if I tell
>> them 500 times that they shouldn't be surprised that it takes
>> several minutes before they are logged in. With folder redirection
>> that problem is gone.
>
> We have a page for that as well:
>
> https://wiki.samba.org/index.php/Configuring_Windows_Profile_Folder_Redirections
>
>
> Rowland
>
>
Hi Rowland,
Thanks for the information. It clears up things a bit.
I just took the smb.conf from the old server, peeled off some lines, and
it was that one I presented in my original post. I assume I could just
use the smb.conf with your suggested changes and continue setting up the
shares. Joining the new server to the domain was successful, although
when using samba-tool, there were quite a few error messages (mostly
missing files and directories). Using net join was, however, successful.
I still have one question. In the old smb.conf I had set the parameter
"winbind expand groups = 4". When I introduced it into the smb.conf on
the new server, I get exactly the same result from getent group on both
servers. But if I leave it out, there are no group members displayed. Is
it just "cosmetics" for applications like getent, or are there
implications if I leave it out, that is, different client behavior?
When I previously set up folder redirection, I used the Wiki page you
are referring to, plus the Microsoft documentation.
Many thanks Rowland,
Peter
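An added example, written for this archive page and not taken from Peter's or Rowland's mails or from the Samba wiki verbatim, of a minimal smb.conf for a Unix domain member that puts the three points of the thread in one place: the rid idmap backend so the same AD RID always maps to the same Unix ID on every member without uidNumber/gidNumber attributes in AD, the acl_xattr plus map acl inherit pair so ACLs set from RSAT are stored and inherited as Windows expects, and winbind expand groups for the getent group output Peter asks about. The workgroup/realm names EXAMPLE and EXAMPLE.LAN, the idmap ranges, the paths and the [Data] share are assumptions chosen for the example.

```ini
# /etc/samba/smb.conf on a Unix domain member (added example; names, ranges and paths are assumptions)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    security = ADS
    log file = /var/log/samba/%m.log
    log level = 1

    # Default idmap config for BUILTIN and any other domain: tdb, IDs allocated on the fly.
    # This range must not overlap the per-domain range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Domain users and groups: Unix ID derived from the AD object's RID plus the range base,
    # so every member carrying this same stanza resolves an AD account to the same uid/gid.
    # No local Unix users are created; winbind maps the AD objects.
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    # Home directory and shell winbind reports for AD accounts
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind use default domain = yes
    winbind refresh tickets = yes

    # Depth to which winbind flattens nested domain groups when it enumerates group
    # membership for the Unix side (e.g. getent group). The manpage default is 0,
    # which is why getent group shows no members without this line.
    winbind expand groups = 4

    # Store the full Windows ACL in the security.NTACL xattr and let new files and
    # directories inherit it as on a Windows server. Per the vfs_acl_xattr manpage the
    # module itself forces inherit acls, dos filemode and force unknown acl user.
    vfs objects = acl_xattr
    map acl inherit = yes

[Data]
    path = /srv/samba/Data
    read only = no
```

For the mapping to work the member also needs winbind in /etc/nsswitch.conf (`passwd: files winbind` and `group: files winbind`), after which `testparm` validates the file and `getent passwd <aduser>` / `getent group "Domain Users"` show whether the rid mapping and the group expansion are in effect. The share directory is then given to the domain admins on the Unix side (for instance `chown root:"Domain Admins" /srv/samba/Data; chmod 0770 /srv/samba/Data`, paths again assumed) and everything below it is managed from RSAT/Explorer with domain groups, as Rowland recommends.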