Hi!
I created a Samba4 Demo Server to test AD functionality. Basically  
it's a Debian Wheezy machine with a manually compiled Samba4  
(smbstatus -V: Version 4.1.0pre1-GIT-051a1a9) according to  
https://wiki.samba.org/index.php/Samba4/HOWTO but adjusted the paths  
to a more debian way.
I can Manage the Server with the Windows Domain Utilities, add users,  
add groups, add Machines and so on.
I created some printers and managed to set up Point and Print Drivers  
using print$.
So I think the Server basically works as expected.
Now I'm trying to set up a share which can be read by everyone and  
written by Domain Admins only. I can see the share on my server as  
well as a file created in there on the linux command line, but I'm not  
able to enable write Permission for Domain Admins.
I created a directory on the server /space/testshare and did a "chmod
777 /space/testshare" to be sure there's no problem on the linux file
system. When I set "read only = no" on the share I can create a file
there without any problem. But setting "read only = yes" and "write
list = @"TEST\Domain Admins"" doesn't work - I get "access denied" on
the windows host, even though I'm logged on as TEST\Administrator
Some additional information:
root@samba:~# smbstatus -V
=========================
Version 4.1.0pre1-GIT-051a1a9

root@samba:~# wbinfo -u
======================
Administrator
Guest
krbtgt
dns-samba
testuser

root@samba:~# wbinfo -g
======================
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
Testgroup

root@samba:~# cat /etc/samba/smb.conf
====================================
# Global parameters
[global]
     workgroup = TEST
     server string =
     realm = TEST.LOCAL
     netbios name = SAMBA
     server role = active directory domain controller
     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
     log level = 3
[netlogon]
     path = /var/lib/samba/sysvol/test.local/scripts
     read only = No
[sysvol]
     path = /var/lib/samba/sysvol
     read only = No
[printers]
     comment = Printer
     path = /var/spool/samba/spool
     browseable = Yes
     read only = No
     printable = Yes
[print$]
     path = /var/spool/samba/driver
     read only = No
[testshare]
     Comment = Test share
     path = /space/testshare
     read only = Yes
     write list = @"TEST\Domain Admins"
Any help what to do next?
regards
Lukas
Hi Lukas,

On Monday 14 January 2013 07:48 PM, Lukas Gradl wrote:
> there without any problem. But setting "read only = yes" and "write list
> = @"TEST\Domain Admins"" doesn't work - I get "access denied" on the
> windows host, despite I'm logged on as TEST\Administrator

> [testshare]
> Comment = Test share
> path = /space/testshare
> read only = Yes
> write list = @"TEST\Domain Admins"

Change it to:

write list = "@Domain Admins","TEST\Administrators",administrator

and try again.

regards,
Nishant

OK, after some more hours of surfing through the net I stumbled
across the needed information:
It looks like trying to set ACLs in smb.conf, as was done in
Samba3, is obsolete in Samba4. You do everything by setting the ACLs on
the share through the Windows GUI.
[testshare]
      Comment = Test share
      path = /space/testshare
      read only = No
is all you need to specify in smb.conf...
regards
Lukas
Quoting Lukas Gradl <samba.org at ssn.at>:
> Hi!
>
> I created a Samba4 Demo Server to test AD functionality. Basically  
> it's a Debian Wheezy machine with a manually compiled Samba4  
> (smbstatus -V: Version 4.1.0pre1-GIT-051a1a9) according to  
> https://wiki.samba.org/index.php/Samba4/HOWTO but adjusted the paths  
> to a more debian way.
>
> I can Manage the Server with the Windows Domain Utilities, add  
> users, add groups, add Machines and so on.
> I created some printers and managed to set up Point and Print  
> Drivers using print$.
>
> So I think the Server basically works as expected.
>
> Now I'm trying to set up a share which can be read by everyone and  
> written by Domain Admins only. I can see the share on my server as  
> well as a file created in there on the linux command line, but I'm  
> not able to enable write Permission for Domain Admins.
>
> I created a directory on the server /space/testshare and did a
> "chmod 777 /space/testshare" to be sure there's no problem on the
> linux file system. When I set "read only = no" on the share I can
> create a file there without any problem. But setting "read only =
> yes" and "write list = @"TEST\Domain Admins"" doesn't work - I get
> "access denied" on the windows host, even though I'm logged on as
> TEST\Administrator
>
> Some additional information:
>
> root@samba:~# smbstatus -V
> =========================
> Version 4.1.0pre1-GIT-051a1a9
>
>
> root@samba:~# wbinfo -u
> ======================
> Administrator
> Guest
> krbtgt
> dns-samba
> testuser
>
> root@samba:~# wbinfo -g
> ======================
> Enterprise Read-Only Domain Controllers
> Domain Admins
> Domain Users
> Domain Guests
> Domain Computers
> Domain Controllers
> Schema Admins
> Enterprise Admins
> Group Policy Creator Owners
> Read-Only Domain Controllers
> DnsUpdateProxy
> Testgroup
>
> root@samba:~# cat /etc/samba/smb.conf
> ====================================
> # Global parameters
> [global]
>     workgroup = TEST
>     server string =
>     realm = TEST.LOCAL
>     netbios name = SAMBA
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>     log level = 3
>
> [netlogon]
>     path = /var/lib/samba/sysvol/test.local/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> [printers]
>     comment = Printer
>     path = /var/spool/samba/spool
>     browseable = Yes
>     read only = No
>     printable = Yes
>
> [print$]
>     path = /var/spool/samba/driver
>     read only = No
>
> [testshare]
>     Comment = Test share
>     path = /space/testshare
>     read only = Yes
>     write list = @"TEST\Domain Admins"
>
>
> Any help what to do next?
>
> regards
> Lukas
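
The difference between the two [testshare] definitions in this thread, as an added example that is not part of the original messages: a small Python check that reads smb.conf text and reports, per share, what still limits writes at the smb.conf level. The function names are hypothetical, and the parser assumes plain "name = value" lines (no include files or continuation lines).

```python
import re

TRUE = {"yes", "true", "on", "1"}
INVERTED = {"writeable", "writable", "writeok"}  # inverted synonyms of "read only"
# The two [testshare] definitions from this thread (Comment line omitted).
BEFORE = r'''
[testshare]
    path = /space/testshare
    read only = Yes
    write list = @"TEST\Domain Admins"
'''
AFTER = '''
[testshare]
    path = /space/testshare
    read only = No
'''

def parse_shares(text):
    """Return {section: {param: value}}; names ignore case and spaces."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = shares.setdefault(section.group(1).strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            name, value = (part.strip() for part in line.split("=", 1))
            key = re.sub(r"\s+", "", name).lower()
            if key in INVERTED:  # normalise to a single "readonly" key
                key, value = "readonly", "no" if value.lower() in TRUE else "yes"
            current[key] = value
    return shares

def share_write_policy(text):
    """Say, per share, what limits writes at the smb.conf level."""
    shares = parse_shares(text)
    defaults = shares.pop("global", {})  # [global] values act as share defaults
    report = {}
    for share, params in shares.items():
        merged = {**defaults, **params}
        if merged.get("readonly", "yes").lower() not in TRUE:
            report[share] = "filesystem ACLs only"
        elif merged.get("writelist"):
            report[share] = "write list: " + merged["writelist"]
        else:
            report[share] = "read-only"
    return report

print(share_write_policy(BEFORE), share_write_policy(AFTER))
```

With the final configuration, smb.conf no longer limits who may write, so the restriction to Domain Admins exists only once the ACL has been set on the share from Windows; the "chmod 777" on /space/testshare does not provide it.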