Rowland Penny
2023-Jan-14 17:50 UTC
[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility
On 14/01/2023 17:22, Peter Milesson via samba wrote:
> Hi Rowland,
>
> Thanks for the input.
>
> The DC with Louis' packages will be next in line for replacement. I have
> noticed there have not been any updates for quite a while.
>
> I wasn't aware that the rid backend makes all AD users Linux users. It
> is definitely not clear from the Wiki. Will it pose a problem with
> compatibility on Windows workstations when accessing the shares?

It would be a bigger problem if your users (and groups) didn't have
Linux IDs

The 'rid' idmap backend calculates the Linux ID from the AD object's
RID, so if you use the same basic smb.conf on all Samba machines, the
user or group will always get the same Linux ID. To get this all to
work, you need to set up nsswitch.

One other thing you need to be aware of, unlike earlier versions of
Samba, you do not create local Unix users, you just create users and
groups in AD and Samba will map them to Unix ones.

> Will there be any limitations, or otherwise crippled behavior? Anyway, there
> will be no access allowed to the server outside Samba, except for Linux
> administration tasks. Is there a simple way to migrate to ad backend
> from rid?

You would still have the same non problem, for your users to store
data on the Unix domain member, they need to be known to the Linux
machine, so you would have to give every user a uidNumber attribute
and Domain Users would have to have a gidNumber attribute.

> Otherwise I see a daunting task before me setting new
> permissions on everything according to each user's permission mix.

Which is why you set them via Windows and use groups.

>
> So the two lines
>
>     vfs objects = acl_xattr
>     map acl inherit = yes
>
> are actually sufficient for getting the best Windows server
> compatibility, without the other options?

Yes, one of the lines is actually set for you because of the
vfs_objects line and you do not need the others if you set the
permissions from Windows.

>
> I have never used anything else than the RSAT tools (AD, DNS, GPO) to
> manage the share permissions on the existing server. I have no intention
> to use anything else on the new server, unless absolutely required.
>
> About setting up the profile share, I would very much try to avoid using
> roaming user profiles. I have been using folder redirection for quite
> some years, and it is definitely much more efficient than roaming
> profiles. There are quite a few users that insist on cluttering their
> desktops with 10's of GB of files, even if I tell them 500 times, that
> they shouldn't be surprised that it takes several minutes before they
> are logged in. With folder redirection that problem is gone.

We have a page for that as well:

https://wiki.samba.org/index.php/Configuring_Windows_Profile_Folder_Redirections

Rowland
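The point Rowland makes about the 'rid' backend (the same smb.conf on every member gives every AD user and group the same Linux ID) can be checked on paper with the rule from the idmap_rid manual page, ID = RID - BASE_RID + LOW_RANGE_ID. The script below is an added illustration written for this archive page; it is not code from the thread or from Samba itself. The smb.conf text, the second member's differing range, the domain SID and the RIDs are constructed values, and the parser handles only the `idmap config` lines needed for the calculation.

```python
import re

# Constructed sample smb.conf for a Unix domain member using the 'rid'
# idmap backend (domain, realm and ranges are assumptions for this example).
SMB_CONF_MEMBER_A = """
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    vfs objects = acl_xattr
    map acl inherit = yes
"""

# Constructed: a second member whose range for the same domain differs.
# This is exactly the inconsistency that breaks "same ID everywhere".
SMB_CONF_MEMBER_B = SMB_CONF_MEMBER_A.replace("10000-999999", "20000-999999")

# Constructed domain SID; a real one is obtained from AD when the host joins.
DOMAIN_SIDS = {"SAMDOM": "S-1-5-21-1111111111-2222222222-3333333333"}


def parse_idmap_config(conf_text):
    """Collect 'idmap config DOM : key = value' lines into a per-domain dict."""
    cfg = {}
    pat = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.IGNORECASE)
    for line in conf_text.splitlines():
        m = pat.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {"base_rid": 0})  # idmap_rid default base_rid
        if key == "backend":
            entry["backend"] = val.lower()
        elif key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        elif key == "base_rid":
            entry["base_rid"] = int(val)
    return cfg


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def rid_to_unix_id(sid, idmap_cfg, domain_sids):
    """Apply the idmap_rid rule ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when winbind would refuse the mapping: the SID is not from
    a domain configured with the rid backend, or the result falls outside
    the configured range.
    """
    domain_sid, rid = split_sid(sid)
    for dom, dsid in domain_sids.items():
        if dsid != domain_sid:
            continue
        entry = idmap_cfg.get(dom)
        if not entry or entry.get("backend") != "rid" or "range" not in entry:
            return None
        low, high = entry["range"]
        unix_id = rid - entry["base_rid"] + low
        return unix_id if low <= unix_id <= high else None
    return None


if __name__ == "__main__":
    cfg_a = parse_idmap_config(SMB_CONF_MEMBER_A)
    cfg_b = parse_idmap_config(SMB_CONF_MEMBER_B)
    # Well-known RIDs 500 (Administrator) and 513 (Domain Users); 1105 is a constructed user RID.
    for name, rid in (("Administrator", 500), ("Domain Users", 513), ("alice", 1105)):
        sid = f"{DOMAIN_SIDS['SAMDOM']}-{rid}"
        print(f"{name:14} member A: {rid_to_unix_id(sid, cfg_a, DOMAIN_SIDS)}"
              f"  member B: {rid_to_unix_id(sid, cfg_b, DOMAIN_SIDS)}")
```

Running it shows Domain Users as gid 10513 on member A but 20513 on member B, which is why the thread insists on carrying the same idmap ranges to every Samba machine: files written on one member with the A mapping would be owned by a different AD group on B. A RID whose computed ID exceeds the high end of the range maps to nothing, so the range must be sized for the largest RID the domain will ever allocate.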
Peter Milesson
2023-Jan-14 19:00 UTC
[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility
On 14.01.2023 18:50, Rowland Penny via samba wrote:
>
>
> On 14/01/2023 17:22, Peter Milesson via samba wrote:
>
>> Hi Rowland,
>>
>> Thanks for the input.
>>
>> The DC with Louis' packages will be next in line for replacement. I
>> have noticed there have not been any updates for quite a while.
>>
>> I wasn't aware that the rid backend makes all AD users Linux users.
>> It is definitely not clear from the Wiki. Will it pose a problem with
>> compatibility on Windows workstations when accessing the shares?
>
> It would be a bigger problem if your users (and groups) didn't have
> Linux IDs
>
> The 'rid' idmap backend calculates the Linux ID from the AD object's
> RID, so if you use the same basic smb.conf on all Samba machines, the
> user or group will always get the same Linux ID. To get this all to
> work, you need to set up nsswitch.
>
> One other thing you need to be aware of, unlike earlier versions of
> Samba, you do not create local Unix users, you just create users and
> groups in AD and Samba will map them to Unix ones.
>
>> Will there be any limitations, or otherwise crippled behavior?
>> Anyway, there will be no access allowed to the server outside Samba,
>> except for Linux administration tasks. Is there a simple way to
>> migrate to ad backend from rid?
>
> You would still have the same non problem, for your users to store
> data on the Unix domain member, they need to be known to the Linux
> machine, so you would have to give every user a uidNumber attribute
> and Domain Users would have to have a gidNumber attribute.
>
>> Otherwise I see a daunting task before me setting new permissions on
>> everything according to each user's permission mix.
>
> Which is why you set them via Windows and use groups.
>
>>
>> So the two lines
>>
>>     vfs objects = acl_xattr
>>     map acl inherit = yes
>>
>> are actually sufficient for getting the best Windows server
>> compatibility, without the other options?
>
> Yes, one of the lines is actually set for you because of the
> vfs_objects line and you do not need the others if you set the
> permissions from Windows.
>
>>
>> I have never used anything else than the RSAT tools (AD, DNS, GPO) to
>> manage the share permissions on the existing server. I have no
>> intention to use anything else on the new server, unless absolutely
>> required.
>>
>> About setting up the profile share, I would very much try to avoid
>> using roaming user profiles. I have been using folder redirection for
>> quite some years, and it is definitely much more efficient than
>> roaming profiles. There are quite a few users that insist on
>> cluttering their desktops with 10's of GB of files, even if I tell
>> them 500 times, that they shouldn't be surprised that it takes
>> several minutes before they are logged in. With folder redirection
>> that problem is gone.
>
> We have a page for that as well:
>
> https://wiki.samba.org/index.php/Configuring_Windows_Profile_Folder_Redirections
>
>
> Rowland
>
>
Hi Rowland,

Thanks for the information. It clears up things a bit. I just took the
smb.conf from the old server, peeled off some lines, and it was that one
I presented in my original post. I assume I could just use the smb.conf
with your suggested changes and continue setting up the shares.

Joining the new server to the domain was successful, although when using
samba-tool, there were quite a few error messages (mostly missing files
and directories). Using net join was however successful.

I still have one question. In the old smb.conf I had set the parameter
"winbind expand groups = 4". When I introduced it into the smb.conf on
the new server, I get exactly the same result from getent group on both
servers. But if I leave it out, there are no group members displayed. Is
it just "cosmetics" for applications like getent, or are there
implications if I leave it out, that is, different client behavior?

When I previously set up folder redirection, I used the Wiki page you
are referring to, plus the Microsoft documentation.

Many thanks Rowland,

Peter