Hi! I created a Samba4 Demo Server to test AD functionality. Basically it's a Debian Wheezy machine with a manually compiled Samba4 (smbstatus -V: Version 4.1.0pre1-GIT-051a1a9) according to https://wiki.samba.org/index.php/Samba4/HOWTO but adjusted the paths to a more debian way. I can Manage the Server with the Windows Domain Utilities, add users, add groups, add Machines and so on. I created some printers and managed to set up Point and Print Drivers using print$. So I think the Server basically works as expected. Now I'm trying to set up a share which can be read by everyone and written by Domain Admins only. I can see the share on my server as well as a file created in there on the linux command line, but I'm not able to enable write Permission for Domain Admins. I created a directory on the server /space/testshare and did a "chmod 777 /space/testshare" to be shure there's no problem on the linux file system. When I set "read only = no" on the share I can create a file there without any problem. But setting "read only = yes" and "write list = @"TEST\Domain Admins"" doesn't work - I get "access denied" on the windows host, despite I'm logged on as TEST\Administrator Some additional information: root at samba:~# smbstatus -V =========================Version 4.1.0pre1-GIT-051a1a9 root at samba:~# wbinfo -u ======================Administrator Guest krbtgt dns-samba testuser root at samba:~# wbinfo -g ======================Enterprise Read-Only Domain Controllers Domain Admins Domain Users Domain Guests Domain Computers Domain Controllers Schema Admins Enterprise Admins Group Policy Creator Owners Read-Only Domain Controllers DnsUpdateProxy Testgroup root at samba:~# cat /etc/samba/smb.conf ====================================# Global parameters [global] workgroup = TEST server string realm = TEST.LOCAL netbios name = SAMBA server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate log level = 3 [netlogon] path = /var/lib/samba/sysvol/test.local/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No [printers] comment = Printer path = /var/spool/samba/spool browseable = Yes read only = No printable = Yes [print$] path = /var/spool/samba/driver read only = No [testshare] Comment = Test share path = /space/testshare read only = Yes write list = @"TEST\Domain Admins" Any help what to do next? regards Lukas
Hi Lukas, On Monday 14 January 2013 07:48 PM, Lukas Gradl wrote:> there without any problem. But setting "read only = yes" and "write list > = @"TEST\Domain Admins"" doesn't work - I get "access denied" on the > windows host, despite I'm logged on as TEST\Administrator > [testshare] > Comment = Test share > path = /space/testshare > read only = Yes > write list = @"TEST\Domain Admins"Change it to: write list = "@Domain Admins","TEST\Administrators",administrator and try again. regards, Nishant
OK, after some other hours of surfing through the net I stubled accross the needed information: It looks like to try setting ACLs in smb.conf like it was done on Samba3 is obsolete in Samba4. You do everything by setting the ACLs on the share by Windows-GUI. [testshare] Comment = Test share path = /space/testshare read only = No is all you need to specify in smb.conf... regards Lukas Zitat von Lukas Gradl <samba.org at ssn.at>:> Hi! > > I created a Samba4 Demo Server to test AD functionality. Basically > it's a Debian Wheezy machine with a manually compiled Samba4 > (smbstatus -V: Version 4.1.0pre1-GIT-051a1a9) according to > https://wiki.samba.org/index.php/Samba4/HOWTO but adjusted the paths > to a more debian way. > > I can Manage the Server with the Windows Domain Utilities, add > users, add groups, add Machines and so on. > I created some printers and managed to set up Point and Print > Drivers using print$. > > So I think the Server basically works as expected. > > Now I'm trying to set up a share which can be read by everyone and > written by Domain Admins only. I can see the share on my server as > well as a file created in there on the linux command line, but I'm > not able to enable write Permission for Domain Admins. > > I created a directory on the server /space/testshare and did a > "chmod 777 /space/testshare" to be shure there's no problem on the > linux file system. When I set "read only = no" on the share I can > create a file there without any problem. But setting "read only = > yes" and "write list = @"TEST\Domain Admins"" doesn't work - I get > "access denied" on the windows host, despite I'm logged on as > TEST\Administrator > > Some additional information: > > root at samba:~# smbstatus -V > =========================> Version 4.1.0pre1-GIT-051a1a9 > > > root at samba:~# wbinfo -u > ======================> Administrator > Guest > krbtgt > dns-samba > testuser > > root at samba:~# wbinfo -g > ======================> Enterprise Read-Only Domain Controllers > Domain Admins > Domain Users > Domain Guests > Domain Computers > Domain Controllers > Schema Admins > Enterprise Admins > Group Policy Creator Owners > Read-Only Domain Controllers > DnsUpdateProxy > Testgroup > > root at samba:~# cat /etc/samba/smb.conf > ====================================> # Global parameters > [global] > workgroup = TEST > server string > realm = TEST.LOCAL > netbios name = SAMBA > server role = active directory domain controller > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > drepl, winbind, ntp_signd, kcc, dnsupdate > log level = 3 > > [netlogon] > path = /var/lib/samba/sysvol/test.local/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > [printers] > comment = Printer > path = /var/spool/samba/spool > browseable = Yes > read only = No > printable = Yes > > [print$] > path = /var/spool/samba/driver > read only = No > > [testshare] > Comment = Test share > path = /space/testshare > read only = Yes > write list = @"TEST\Domain Admins" > > > Any help what to do next? > > regards > Lukas > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Reasonably Related Threads
- Samba Permissions
- Using group membership to access a symlink directory
- Symbolic links do NOT work if the source file is present BOTH on client & server !!!
- getent group returns only few groups on solaris
- Remove Win2008R2 from Domain, remove missing DC from domain