Henrik Langos
2014-Jun-25 11:57 UTC
[Samba] Setup and configure file shares with Windows ACLs
When reading the wiki page about setting up new shares there is some information missing.

https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

The information I am missing most here is which posix.1 ACLs to set after creating the shares directory.

There is only

# mkdir -p /srv/samba/Demo/

but on my system that will create a directory that is owned by root:root and have 0755 permissions.
Not very helpful as trying to configure the Windows ACLs later gets a "permission denied" error.

Also the "root" group shows up as unknown account (S-1-22-2-0) in the Security tab.

We'd probably want to set it to something useful like "Domain Users", right?
But which posix user should we set?
Is root OK or should that also be changed to a genuine Windows user?

And how do you get the appropriate uid / gid numbers for chown if you don't have winbind, sssd, nslcd, or something like it installed to do a mapping on that machine?

I know how to get to the appropriate numbers if winbind is installed on the server.

# wbinfo -n "Domain Users"
S-1-5-21-1358803832-2400073699-459451966-513 SID_DOM_GROUP (2)
# wbinfo -Y S-1-5-21-1358803832-2400073699-459451966-513
10001
# chown :10001

I also know how to get those numbers from ADUC *IF* the groups/users involved have their posix attributes set up by ADUC (or at least have their NIS domain set).

But what is the canonical way to get that information? ldbsearch? ldapsearch?
I'd like to put that information on the wiki, so the more generic the better.

cheers
-henrik
On Wed, 2014-06-25 at 13:57 +0200, Henrik Langos wrote:
> When reading the wiki page about setting up new shares there is some
> information missing.
>
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>
> The information I am missing most here is which posix.1 ACLs to set
> after creating the shares directory.
>
> There is only
> # mkdir -p /srv/samba/Demo/
>
> but on my system that will create a directory that is owned by root:root
> and have 0755 permissions.
> Not very helpful as trying to configure the Windows ACLs later gets a
> "permission denied" error.

If you want to use this method, you must map the user who is manipulating the security tab to root on the file server.

The easiest way to create the acls is to have winbind running on the file server and use the names of the domain objects themselves to prepare the initial permissions on the share. Once you're in _then_ change anything fancy you may need in windows.

HTH
Steve
L.P.H. van Belle
2014-Jun-25 13:19 UTC
[Samba] Setup and configure file shares with Windows ACLs
this is a nice starter.
https://wiki.samba.org/index.php/WIP/Beginner_HowTo_-_SOHO_business_server

>but on my system that will create a directory that is owned by
>root:root
>and have 0755 permissions.
>Not very helpful as trying to configure the Windows ACLs later gets a
>"permission denied" error.

is this on the member server then, add in smb.conf

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping

and in the file samba_usermapping

!root = DOMAIN\Administrator DOMAIN\administrator

Don't forget to add the needed privileges on the member server.

Louis

>-----Original message-----
>From: hlangos-samba at innominate.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Henrik Langos
>Sent: Wednesday 25 June 2014 13:57
>To: samba at lists.samba.org
>Subject: [Samba] Setup and configure file shares with Windows ACLs
>
>When reading the wiki page about setting up new shares there is some
>information missing.
>
>https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>
>The information I am missing most here is which posix.1 ACLs to set
>after creating the shares directory.
>
>There is only
># mkdir -p /srv/samba/Demo/
>
>but on my system that will create a directory that is owned by
>root:root
>and have 0755 permissions.
>Not very helpful as trying to configure the Windows ACLs later gets a
>"permission denied" error.
>
>Also the "root" group shows up as unknown account (S-1-22-2-0) in the
>Security tab.
>
>We'd probably want to set it to something useful like "Domain
>Users", right?
>But which posix user should we set?
>Is root OK or should that also be changed to a genuine Windows user?
>
>And how do you get the appropriate uid / gid numbers for chown if you
>don't have winbind, sssd, nslcd, or something like it installed to do a
>mapping on that machine?
>
>I know how to get to the appropriate numbers if winbind is
>installed on
>the server.
>
># wbinfo -n "Domain Users"
>S-1-5-21-1358803832-2400073699-459451966-513 SID_DOM_GROUP (2)
># wbinfo -Y S-1-5-21-1358803832-2400073699-459451966-513
>10001
># chown :10001
>
>I also know how to get those numbers from ADUC *IF* the groups/users
>involved have
>their posix attributes set up by ADUC (or at least have their
>NIS domain
>set).
>
>But what is the canonical way to get that information? ldbsearch?
>ldapsearch?
>I'd like to put that information on the wiki, so the more generic the
>better.
>
>cheers
>-henrik
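
Added example, not part of the thread and not Samba's own code: a "username map" line such as the "!root = ..." one above hands root on the member server to every client name on its right-hand side, so the file is worth auditing. The sketch below follows the line format described in smb.conf(5); the sample file apart from the "!root" line, the function names, the case-insensitive comparison and the unexpanded @group entries are assumptions of the example.

```python
import re

# Constructed sample map; only the "!root" line comes from the thread.
SAMPLE_MAP = r'''
# user Administrator workaround
!root = DOMAIN\Administrator DOMAIN\administrator
backup = "DOMAIN\Backup Operator" @wheel
guest = *
'''

def parse_username_map(text):
    """Return a list of (unix_name, [client_names], stop_on_match)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        stop = line.startswith("!")            # '!': stop after a match here
        unix, sep, rhs = line.lstrip("!").partition("=")
        if not sep or not unix.strip():
            continue                           # not a mapping line
        # Client names containing spaces are written in double quotes.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', rhs)]
        entries.append((unix.strip(), names, stop))
    return entries

def resolve(entries, client_name):
    """Walk the map top to bottom; later lines can remap an earlier result."""
    name = client_name
    for unix, clients, stop in entries:
        # '*' matches any name. @group entries need a Unix group lookup and
        # are not expanded here. Assumption: comparison ignores case.
        if any(c == "*" or c.lower() == name.lower() for c in clients):
            name = unix
            if stop:
                break
    return name

def maps_to(entries, target="root"):
    """Literal client names in the file that end up as `target`."""
    names = {c for _, clients, _ in entries for c in clients
             if c != "*" and not c.startswith("@")}
    return sorted(n for n in names if resolve(entries, n) == target)

if __name__ == "__main__":
    for account in maps_to(parse_username_map(SAMPLE_MAP)):
        print("mapped to root:", account)
```

Without the leading "!", the root mapping in this sample would be overridden by the later "guest = *" line, which is why the order of lines and the "!" marker both matter when reviewing such a file.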