Thank you for your reply.

If you happen to read the post of 11/22, you will notice that it was not me who spoke ill of Samba.

I put my bets on other people being able to figure it out; I hope that one of them will help me.

Sincerely

jimc

On 24/11/15 00:07, jimc wrote:
> Thank you for your reply.
>
> If you happen to read the post of 11/22, you will notice that it was
> not me who spoke ill of Samba.
>
> I put my bets on other people being able to figure it out; I hope that
> one of them will help me.
>
> Sincerely
>
> jimc
>

I have figured out how to set up the winbind 'ad' backend and I am prepared to talk you through the set up. All I need to know is: what OS, what version of Samba, from packages or self compiled, and finally where do you want the uidNumber range to start from?

Rowland

Greetings, jimc!

> Thank you for your reply.
> If you happen to read the post of 11/22, you will notice that it was not
> me who spoke ill of Samba.
> I put my bets on other people being able to figure it out; I hope that
> one of them will help me.

Try this:

1. Make sure your domain groups and users are recognized on the member server.
   At the very least,

    $ getent passwd $USER
    $ getent group "domain admins"
    $ getent group "domain users"

   should yield sensible results.

2. Create a new directory on the host.

    # mkdir directory
    # chown root:root directory
    # chmod u=rwx,g=rwx,o= directory

3. Set initial ACLs.

    # setfacl -m g:'domain admins':rwx directory

4. Make sure the ACL is effective.

    # getfacl directory
    # file: directory/
    # owner: root
    # group: root
    user::rwx
    group::rwx
    group:domain\040admins:rwx
    mask::rwx
    other::---

5. Add your share to Samba. In the smb.conf, add a section:

    [sharename]
        path = directory
        browseable = Yes
        read only = No

6. Save the file and reload the Samba configuration.

    # smbcontrol all reload-config

7. From a Windows station, open compmgmt.msc and tell it to connect to your member server.

8. Navigate to the list of shared objects, open your newly created share's properties and change the share(!) permissions. Delete "Everyone", add "Authenticated users" and set the permission to "read".

9. Fire up the Windows command prompt and incite the desired permissions on the share.

    > "%SystemRoot%\System32\icacls.exe" "\\server\sharename" /remove Everyone /inheritance:r /grant:r "<domain>\Domain Admins":(OI)(CI)(F) /grant:r "<domain>\Domain Users":(OI)(CI)(M) /grant:r "Authenticated users":(OI)(CI)(RX) /grant:r "CREATOR-OWNER":(OI)(CI)(IO)(M) /grant:r "CREATOR-GROUP":(OI)(CI)(IO)(M)

Please report back if this worked for you or not.

--
With best regards,
Andrey Repin
Tuesday, November 24, 2015 18:04:11

Sorry for my terrible english...

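Step 4 of the procedure in the message above asks whether the ACL is effective. As an added example (not part of Andrey Repin's message), this Python sketch parses getfacl text, decodes the `\040` escape in the group name, and applies the mask. The sample input is constructed: it is the output from step 4 with the mask narrowed to r-x, and the function names are hypothetical.

```python
import re

# Constructed input: the getfacl output from step 4, except that the mask has
# been narrowed to r-x (as a later "chmod g=rx directory" would do).
SAMPLE = r"""# file: directory/
# owner: root
# group: root
user::rwx
group::rwx
group:domain\040admins:rwx    #effective:r-x
mask::r-x
other::---
"""

def unescape(name):
    """Decode the \\ooo octal escapes getfacl uses in names (\\040 is a space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_acl(text):
    """Map (tag, qualifier) -> set of permission letters for access entries."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops headers and "#effective:" notes
        if not line or line.startswith("default:"):
            continue
        tag, rest = line.split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)
        entries[(tag, unescape(qualifier))] = set(perms) - {"-"}
    return entries

def effective(entries, tag, qualifier=""):
    """Permissions the entry really grants once the mask is applied."""
    perms = entries[(tag, qualifier)]
    mask = entries.get(("mask", ""))
    # The mask limits named users, named groups and the owning group;
    # the owner (user::) and other:: entries are never masked.
    masked = tag == "group" or (tag == "user" and qualifier != "")
    return perms & mask if masked and mask is not None else perms

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    for (tag, qualifier) in acl:
        if tag != "mask":
            got = "".join(sorted(effective(acl, tag, qualifier))) or "-"
            print(f"{tag}:{qualifier}: {got}")
```

With the constructed mask, "domain admins" is listed as rwx but can only read and traverse, which is the condition step 4 is meant to catch before the share is published.
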
Greetings, jimc!

> Thank you for your reply.
> If you happen to read the post of 11/22, you will notice that it was not
> me who spoke ill of Samba.
> I put my bets on other people being able to figure it out; I hope that
> one of them will help me.

Err, sorry, please disregard my previous reply.
Your mailer does not correctly thread replies and I confused your issue for another thread.

Please consider replacing your mail client to avoid such confusion in future.

--
With best regards,
Andrey Repin
Tuesday, November 24, 2015 19:11:27

Sorry for my terrible english...

Many dozens of thanks!

Alas, the original problem prevents me from connecting to the Domain Controller from Windows. This is the only dc in the system.

Creating and testing the directory and permissions work fine from the server console.

Thanks!

-jimc

Here's a new clue: when I attempt to add a computer with samba-tool, it seems to work fine, but listusers still shows no members in the Computers group.

On 11/24/2015 8:12 AM, Andrey Repin wrote:
> Greetings, jimc!
>
>> Thank you for your reply.
>> If you happen to read the post of 11/22, you will notice that it was not
>> me who spoke ill of Samba.
>> I put my bets on other people being able to figure it out; I hope that
>> one of them will help me.
> Err, sorry, please disregard my previous reply.
> Your mailer does not correctly thread replies and I confused your issue for
> another thread.
>
> Please consider replacing your mail client to avoid such confusion in future.