Ricardo Pardim Claus
2016-08-04 19:26:23 UTC
Dear,
I'm having trouble getting Samba to recognize the permissions assigned to groups and users created in AD.
Scenario:
DC1 = Primary DC
DC2 = secondary DC + file server
Both are running Samba version 4.4.5 (CentOS 7).
When I add permissions to a folder using a Windows desktop, I get to set permissions for AD users and groups.
What do I need to set up so that the AD groups and users are recognized in the Samba permissions?
In the end, I'm trying to see the permissions using the following command:
getfacl /mnt/data/share
The result is this:
getfacl: Removing leading '/' from absolute path names
# file: mnt/data/share
# owner: 3000000
# group: users
user::rwx
user:3000016:rwx
group::r-x
group:users:r-x
group:3000000:rwx
group:3000016:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:3000000:rwx
default:user:3000016:rwx
default:group::r-x
default:group:users:r-x
default:group:3000016:rwx
default:mask::rwx
default:other::r-x
Here is the smb.conf of my DC2 (secondary DC + file server):
# Global parameters
[global]
bind interfaces only = Yes
interfaces = lo eth0
netbios name = SRV15
realm = DOMAIN.LOCAL
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = DOMAIN
server role = active directory domain controller
comment =
log file = /var/log/samba/%m.log
log level = 1
#
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999
# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dados]
comment = Share
path = /mnt/data/share
read only = No
browseable = Yes
inherit acls = Yes
inherit permissions = Yes
When I try to set a permission:
setfacl -R -m default: group: "Domain Admins": rwx /mnt/data/share
setfacl: Option -m: Argument invalid character near 15
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
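
A cross-check of the two listings in the post, as an added example (not part of the original message and not Samba tooling): it reads the "idmap config ... range" values from smb.conf and lists the ACL IDs that getfacl printed as bare numbers and that lie outside every configured range. The sample strings are constructed from lines quoted above; all function names are hypothetical.

```python
import re

# Constructed sample input: idmap lines and ACL entries copied from the post above.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 10000-99999
"""
GETFACL = """\
# file: mnt/data/share
# owner: 3000000
# group: users
user::rwx
user:3000016:rwx
group:users:r-x
group:3000000:rwx
group:3000016:rwx
default:user:3000000:rwx
default:group:3000016:rwx
"""

def idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config DOM:range = lo-hi' lines."""
    pat = re.compile(
        r"^\s*idmap config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in pat.finditer(conf)}

def numeric_acl_ids(acl):
    """Collect (kind, id) pairs that getfacl showed as numbers, not resolved names."""
    ids = set()
    for line in acl.splitlines():
        m = (re.match(r"# (owner|group): (\d+)$", line)
             or re.match(r"(?:default:)?(user|group):(\d+):", line))
        if m:
            kind = "user" if m.group(1) == "owner" else m.group(1)
            ids.add((kind, int(m.group(2))))
    return ids

def ids_outside_ranges(conf, acl):
    """Numeric ACL IDs that fall inside none of the configured idmap ranges."""
    ranges = list(idmap_ranges(conf).values())
    return sorted(i for i in numeric_acl_ids(acl)
                  if not any(lo <= i[1] <= hi for lo, hi in ranges))

if __name__ == "__main__":
    for kind, xid in ids_outside_ranges(SMB_CONF, GETFACL):
        print(f"{kind} id {xid} is outside every idmap range in smb.conf")
```

On the data in the post, every numeric ID in the ACL (3000000 and 3000016) lies outside both the 2000-9999 and the 10000-99999 range.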