On 14/09/2017 13:28, Rowland Penny via samba wrote:> On Thu, 14 Sep 2017 13:15:31 -0300
> Flávio Silveira via samba <samba at lists.samba.org> wrote:
>
>>
>> On 14/09/2017 12:46, Rowland Penny via samba wrote:
>>>>> well possibly, but I will rephrase my question, are:
>>>>>
>>>>> libpam-winbind libpam-krb5 libnss-winbind
>>>>>
>>>>> installed ?
>>>> Yes sir, all three are installed, should I proceed to editing
>>>> nsswitch.conf as described on the tutorial?
>>>>
>>>>> Rowland
>>>>>
>>> Yes, you should now get a result from 'getent passwd
ausername'
>>>
>>> Rowland
>>>
>> Thanks Rowland, below is the edited /etc/nsswitch.conf:
>>
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages
>> installed, try: # `info libc "Name Service Switch"' for
information
>> about this file.
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>> gshadow: files
>>
>> hosts: files dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>> And here is the output of "getent passwd fsilveira":
>>
>> root at dc1:~# getent passwd fsilveira
>> fsilveira:x:1001:1001::/home/fsilveira:/sbin/nologin
>> root at dc1:~#
> Looking good so far, I take it you don't want the users logging into
> the DC.
Correct.
>> About the file serving here:
>> https://wiki.samba.org/index.php/Samba_File_Serving
>>
>> Should I use the "Setting up a share using Windows ACLs"
tutorial?
>>
> You must use Windows ACLs on a DC, so yes, you will need to follow that
> wikipage.
Ok, just curious, are there any disvantages between using Windows ACLs
instead of POSIX ACLs?
Also, once I create a file server as Domain Member, how easy will be to
migrate from DC?
I am reading this
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
For the "Granting the SeDiskOperatorPrivilege Privilege" section, it
mentions "Domain Admins" group, do I need to create all groups with
below?
groupadd <group name>
So, a small step-by-step would be:
1- Create all groups with: groupadd <group name>, example: groupadd
"Domain Admins"
2- Create local user accounts with: useradd -M -s /sbin/nologin <user
name>
3- Add password to local user accounts with: passwd <user name>
4- Add local user accounts to Samba database with: smbpasswd -a <user
name>
5- Enable Samba account with: smbpasswd -e <user name>
6- Add user account to a group with: usermod -G <group name> <user
name>
7- Follow "Granting the SeDiskOperatorPrivilege Privilege" section
from [1]
8- Follow "Adding a Share" section from [1]
[1]: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Does this look correct?> Rowland
>
Thank you!