Hi!

I have Samba AD DC and Samba fileserver (hereafter FS) as domain member. I need to organize access to the specific shares on FS for groups of specific domain users. Where should I make the domain user groups - on DC, on FS or on both?

Does the FS need any local Samba users at all? What if domain users' homes are located on FS?

Janis

On 30/03/15 18:00, jd at ionica.lv wrote:
> Hi!
>
> I have Samba AD DC and Samba fileserver (hereafter FS) as domain
> member. I need to organize access to the specific shares on FS for
> groups of specific domain users. Where should I make the domain user
> groups - on DC, on FS or on both?
>
> Does the FS need any local Samba users at all? What if domain users'
> homes are located on FS?
>
> Janis
>

All your users & groups should be stored in AD, except for users like 'root' (yes korashi I am looking at you) or www-data, ntp etc., i.e. any user or group that has an ID less than 1000.

You use ACLs for users' homes stored on the fileserver, the fileserver needs to be joined to the domain.

Rowland

Quoting Rowland Penny <rowlandpenny at googlemail.com>:

> On 30/03/15 18:00, jd at ionica.lv wrote:
>> Hi!
>>
>> I have Samba AD DC and Samba fileserver (hereafter FS) as domain
>> member. I need to organize access to the specific shares on FS for
>> groups of specific domain users. Where should I make the domain
>> user groups - on DC, on FS or on both?
>>
>> Does the FS need any local Samba users at all? What if domain
>> users' homes are located on FS?
>
> All your users & groups should be stored in AD, except for users
> like 'root' (yes korashi I am looking at you) or www-data, ntp etc.,
> i.e. any user or group that has an ID less than 1000.
>
> You use ACLs for users' homes stored on the fileserver, the
> fileserver needs to be joined to the domain.

Can you elaborate a bit on this? The fileserver is joined to the domain, but seems not to be getting something (or the cfg I made is wrong): it does not allow me to open my home \\fs\user while being logged on to the domain (OK, I am logged into the domain over VPN and it seems to be enough for domain administration using Windows tools).

wbinfo -u (executed on FS) lists all domain users, as well as wbinfo -g - groups. But if I try to get info on myself using wbinfo -i user at DOMAIN, I get "Failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND"

Another thing I do not understand is: how can I set permissions for shares on FS in the form of DOMAIN\user or DOMAIN\group?

Janis

Quoting Rowland Penny <rowlandpenny at googlemail.com>:

>> Does the FS need any local Samba users at all? What if domain
>> users' homes are located on FS?
>>
>> Janis
>>
>
> All your users & groups should be stored in AD, except for users
> like 'root' (yes korashi I am looking at you) or www-data, ntp etc.,
> i.e. any user or group that has an ID less than 1000.
>
> You use ACLs for users' homes stored on the fileserver, the
> fileserver needs to be joined to the domain.

One other problem I noticed: the log is full of messages like this:

[2015/04/04 21:14:23.510893, 0] ../source3/nmbd/nmbd_browsesync.c:354(find_domain_master_name_query_fail)
  find_domain_master_name_query_fail:
  Unable to find the Domain Master Browser name DOMAIN<1b> for the workgroup DOMAIN.
  Unable to sync browse lists in this workgroup.

Maybe the reference to workgroup DOMAIN in smb.conf of FS has to be removed?