Hi all, I've used samba for years, but only really for simple scenarios where a few files needed to be shared to PCs. I now need to configure a server where, as far as is possible, it should behave like a Windows server. As not all the PCs on the network have Windows Pro I won't be joining any PCs to a domain. So my main question is, is there any reason to install as an AD DC or should I install it as a standalone server? Where I say it should behave like a Windows server I'm mostly thinking about the ability to set/modify file and folder permissions from PC clients, is it ever possible to do this without using a PC domain member? My experience of this is that it is not, ie if you try and add a group that exists on the server from the PC it just gives an error so permissions must be modified on the *NIX side. Would be good to know if this is the expected behviour or if I've just not got things configured correctly (I have this situation currently on a test install with a Samba AD DC), thanks in advance, Andy.
On 15/02/16 12:56, Andy Smith wrote:> > > Hi all, > > I've used samba for years, but only really for simple scenarios where > a few files needed to be shared to PCs. I now need to configure a server > where, as far as is possible, it should behave like a Windows server. As > not all the PCs on the network have Windows Pro I won't be joining any > PCs to a domain. So my main question is, is there any reason to install > as an AD DC or should I install it as a standalone server? > > Where I say it should behave like a Windows server I'm mostly thinking > about the ability to set/modify file and folder permissions from PC > clients, is it ever possible to do this without using a PC domain > member? My experience of this is that it is not, ie if you try and add a > group that exists on the server from the PC it just gives an error so > permissions must be modified on the *NIX side. Would be good to know if > this is the expected behviour or if I've just not got things configured > correctly (I have this situation currently on a test install with a > Samba AD DC), > > thanks in advance, Andy. >OK, if you have machines that are using a windows 'home' version, then they cannot be a member of a windows domain, so you are left with a 'workgroup'. You can either let anybody read and write to the samba servers or you run a workgroup, this means that *all* your users and groups will have to exist on *all* your samba machines. they will have to exist as Unix and Samba users/groups. You will need to keep the passwords in sync between the windows users, Samba users and Unix users on all machines. This is only really practicable with a small number of machines and users, it gets more complex with a lot of users, I used to run a workgroup with about 12 users and it was a pain when I had to change passwords or add a new user. If you still want to go down this route, then you need to set Samba up a standalone server, this is basically how a windows PC works. Rowland
Thanks for your reply Rowland. I don't think I managed to get my question across very well on the first attempt. I still really need to know 2 things: 1) Can I see and modify permissions on a Samba share from a PC (either a domain member or not, please provide detail). I have tested this with a non domain member and it seems to be not possible, is it just me or is this expected behaviour. With a domain member will this work as smoothly as a real windows server (assuming Linux install with ACL ext4 file system)? Ie open folder permissions from client and add/modify user/group permissions. 2) Is there a reason to install Samba as standalone rather than AD? I ask as obviously AD systems allow access to non domain members, and it seems AD is now the mainstream where Samba is concerned, its no skin off my nose to install as AD. thanks again, Andy.
On 18/02/16 15:29, Andy Smith wrote:> > > Thanks for your reply Rowland. I don't think I managed to get my > question across very well on the first attempt. I still really need to > know 2 things: > > 1) Can I see and modify permissions on a Samba share from a PC (either a > domain member or not, please provide detail). I have tested this with a > non domain member and it seems to be not possible, is it just me or is > this expected behaviour.To change permissions on a Samba share on a standalone server, the user must be known to the underlying OS and have Unix permissions on the share. what this means is that the user must exist on the windows machine, on the Unix machine and in Samba, they must also all have the same password. Whatever the user is trying to change the permissions on must either belong to them or the user must be a member of the Unix group.> With a domain member will this work as smoothly > as a real windows server (assuming Linux install with ACL ext4 file > system)? Ie open folder permissions from client and add/modify > user/group permissions.Yes> > 2) Is there a reason to install Samba as standalone rather than AD?If you install Samba as a standalone alone server, it will operate just as a windows PC that isn't joined to a domain does.> I > ask as obviously AD systems allow access to non domain members, and it > seems AD is now the mainstream where Samba is concerned,No, Samba nowadays can be set up just like it was before, it can be a standalone server, an NT-4 style PDC or BDC, but it can now also be set up as an AD DC. This is where most of the development seems to be focussed, probably because this is what windows expects now.> its no skin off > my nose to install as AD. >You need to identify what you need and set up Samba accordingly. Rowland
I would set up your server as a Samba AD and use the directory. Give each user a username and password on the server that they will authenticate to the server with and when they connect the permissions will act as you are expecting. Joining the machines to the domain is not necessary; it simply integrates the workstation with the server so that the user doesn’t have to enter the credentials manually to connect to resources. We use hundreds of non-domain joined Macs to connect to a Samba4 DC-based file server. I hope this helps. Thomas Maerz Network/Systems Engineer> On Feb 18, 2016, at 9:29 AM, Andy Smith <a.smith at ldex.co.uk> wrote: > > > > Thanks for your reply Rowland. I don't think I managed to get my > question across very well on the first attempt. I still really need to > know 2 things: > > 1) Can I see and modify permissions on a Samba share from a PC (either a > domain member or not, please provide detail). I have tested this with a > non domain member and it seems to be not possible, is it just me or is > this expected behaviour. With a domain member will this work as smoothly > as a real windows server (assuming Linux install with ACL ext4 file > system)? Ie open folder permissions from client and add/modify > user/group permissions. > > 2) Is there a reason to install Samba as standalone rather than AD? I > ask as obviously AD systems allow access to non domain members, and it > seems AD is now the mainstream where Samba is concerned, its no skin off > my nose to install as AD. > > thanks again, Andy. > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba