[Samba] Username map and Windows ACLs question
Luis Peromarta
lperoma at icloud.com
Sat Jun 8 16:58:48 UTC 2024
Guys,
I have been playing around with this with the ad idmap. These are my findings:
smb.conf:
# Global parameters
[global]
    security = ADS
    workgroup = MAD
    realm = MAD.CAPONATO.ES
    netbios name = MEMBER
    server role = member server
    log file = /var/log/samba/%m.log
    # Disable Netbios
    disable netbios = yes
    # Enforce minimum protocol SMB3
    # server min protocol = SMB3
    # To enable Group Policy application in winbind,
    apply group policies = yes
    # Default ID mapping configuration for local BUILTIN accounts
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # idmap config for the MAD domain
    idmap config MAD : backend = ad
    idmap config MAD : schema_mode = rfc2307
    idmap config MAD : range = 10000-999999
    idmap config MAD : unix_nss_info = yes
    # winbind config:
    winbind use default domain = yes
    # renew the kerberos ticket
    winbind refresh tickets = yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    # Map Administrator to root
    # username map = /etc/samba/user.map
    # min domain uid = 0
    # To configure shares using extended access control lists (ACL)
    vfs objects = acl_xattr
    map acl inherit = yes
    # acl_xattr:ignore system acls = yes

[test]
    hide unreadable = Yes
    path = /test
    read only = No
Prerequisites:
Domain Admins has no gidNumber
Administrator has no uidNumber
No root mapping in smb.conf
"Unix admins" has a gidNumber and is a member of Domain Admins (MAD\luis)
Steps:
Join domain using a user who is member of Unix Admins ->OK
Create share folder and chown root:"unix admins" and chmod 0700
Restart smbd. Or just reboot.
I have *not* granted any privileges on the member server.
Used Windows to set permissions on new share. No issues.
Does this make sense? No mapping and no permissions granted?
LP
On May 29, 2024 at 15:22 +0100, samba at lists.samba.org <samba at lists.samba.org>, wrote:
>
> I really must update that wikipage, I carried out some tests last
> November and found that it appears you no longer need the usermap, see
> here:
>
> https://lists.samba.org/archive/samba/2023-November/247267.html
>
> If you are using the 'ad' idmap config backend, then you must not give
> 'Administrator' a uidNumber attribute or give 'Domain Admins' a
> gidNumber attribute, to do either will break SYSVOL.
>
> So yes, whilst I do not understand why RSAT doesn't work with the
> usermap, you no longer require the usermap.
>
> Rowland
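As an added example (not code from the post, from Rowland, or from Samba), the two prerequisites the thread relies on can be checked before trusting a member server with the ad backend: the `*` tdb range must not overlap the AD domain's range, and Administrator/Domain Admins must carry no uidNumber/gidNumber. The smb.conf fragment and the attribute dumps below are constructed inline; in practice feed it the real smb.conf and the output of ldbsearch/ldapsearch for those two objects.

```python
import re
# Constructed smb.conf fragment mirroring the idmap settings in the post.
SMB_CONF = """[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MAD : backend = ad
    idmap config MAD : schema_mode = rfc2307
    idmap config MAD : range = 10000-999999
"""
# Constructed attribute dumps of the kind ldbsearch/ldapsearch would return.
GOOD_AD = {"Administrator": {}, "Domain Admins": {}, "Unix admins": {"gidNumber": "10001"}}
BAD_AD = {"Administrator": {"uidNumber": "10000"}, "Domain Admins": {"gidNumber": "10000"}}
# Objects that must NOT carry these RFC2307 attributes when backend = ad.
FORBIDDEN = {"Administrator": "uidNumber", "Domain Admins": "gidNumber"}
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {DOMAIN: {option: value}}; commented-out lines never match."""
    out = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            out.setdefault(dom.upper(), {})[opt.lower()] = val
    return out

def range_problems(idmap):
    """Report domains without a range and ranges that overlap ('*' vs MAD)."""
    problems, ranges = [], []
    for dom, opts in idmap.items():
        if "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-"))
            ranges.append((dom, lo, hi))
        else:
            problems.append(f"{dom}: no idmap range configured")
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"{d1} and {d2} idmap ranges overlap")
    return problems

def check(conf, objects):
    """Every problem found; an empty list matches the post's prerequisites."""
    idmap = parse_idmap(conf)
    problems = range_problems(idmap)
    if any(o.get("backend", "").lower() == "ad" for o in idmap.values()):
        # Administrator must have no uidNumber and Domain Admins no gidNumber.
        problems += [f"{n} has {a}={objects[n][a]}; remove it (breaks SYSVOL with backend = ad)"
                     for n, a in FORBIDDEN.items() if n in objects and a in objects[n]]
    return problems
```

The attribute check only fires for domains configured with backend = ad; with rid or tdb the uidNumber/gidNumber attributes are irrelevant and are not flagged.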