Ricardo Pardim Claus
2016-Aug-04 19:26 UTC
[Samba] File Server recognize users and groups AD
Dear all,

I'm having trouble getting Samba to recognize the permissions assigned to groups and users created in AD. Scenario:

DC1 = primary DC
DC2 = secondary DC + file server

Both are running Samba version 4.4.5 (CentOS 7).

When I add permissions to a folder using a Windows desktop, I am able to set permissions for AD users and groups. What do I need to set up so that AD users and groups are recognized in the Samba permissions?

In the end, I'm trying to see the permissions using the following command:

getfacl /mnt/data/share

The result is this:

getfacl: Removing leading '/' from absolute path names
# file: mnt/data/share
# owner: 3000000
# group: users
user::rwx
user:3000016:rwx
group::r-x
group:users:r-x
group:3000000:rwx
group:3000016:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:3000000:rwx
default:user:3000016:rwx
default:group::r-x
default:group:users:r-x
default:group:3000016:rwx
default:mask::rwx
default:other::r-x

Here is the smb.conf of my DC2 (secondary DC + file server):

# Global parameters
[global]
bind interfaces only = Yes
interfaces = lo eth0
netbios name = SRV15
realm = DOMAIN.LOCAL
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = DOMAIN
server role = active directory domain controller
comment =
log file = /var/log/samba/%m.log
log level = 1
#
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[dados]
comment = Share
path = /mnt/data/share
read only = No
browseable = Yes
inherit acls = Yes
inherit permissions = Yes

When I try to set a permission:

setfacl -R -m default: group: "Domain Admins": rwx /mnt/data/share
setfacl: Option -m: Argument invalid character near 15
On Thu, 4 Aug 2016 19:26:23 +0000 (UTC)
Ricardo Pardim Claus <ricardo.claus at yahoo.com.br> wrote:

> Dear all,
>
> I'm having trouble getting Samba to recognize the permissions assigned to
> groups and users created in AD. Scenario:
>
> DC1 = primary DC
> DC2 = secondary DC + file server
>
> Both are running Samba version 4.4.5 (CentOS 7).
>
> When I add permissions to a folder using a Windows desktop, I am able to
> set permissions for AD users and groups. What do I need to set up so that
> AD users and groups are recognized in the Samba permissions?
>
> In the end, I'm trying to see the permissions using the following
> command:
>
> getfacl /mnt/data/share
>
> The result is this:
>
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/data/share
> # owner: 3000000
> # group: users
> user::rwx
> user:3000016:rwx
> group::r-x
> group:users:r-x
> group:3000000:rwx
> group:3000016:rwx
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:3000000:rwx
> default:user:3000016:rwx
> default:group::r-x
> default:group:users:r-x
> default:group:3000016:rwx
> default:mask::rwx
> default:other::r-x
>
> Here is the smb.conf of my DC2 (secondary DC + file server):
>
> # Global parameters
> [global]
> bind interfaces only = Yes
> interfaces = lo eth0
> netbios name = SRV15
> realm = DOMAIN.LOCAL
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> workgroup = DOMAIN
> server role = active directory domain controller
> comment =
> log file = /var/log/samba/%m.log
> log level = 1
> #
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain DOMAIN
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-99999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [dados]
> comment = Share
> path = /mnt/data/share
> read only = No
> browseable = Yes
> inherit acls = Yes
> inherit permissions = Yes
>
> When I try to set a permission:
>
> setfacl -R -m default: group: "Domain Admins": rwx /mnt/data/share
> setfacl: Option -m: Argument invalid character near 15

Sorry, but the lines you have added to the [global] section of your smb.conf will do nothing on an AD DC.

Does 'getent group Domain\ Admins' produce any output? If not, you need to set up libnss-winbind.

Rowland
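An added example, written for this thread and not code posted by either participant. It targets the two concrete symptoms above. First, getfacl prints raw IDs such as 3000000 and 3000016 because those are the xidNumber values a Samba AD DC allocates from its idmap.ldb (the DC ignores the idmap config lines, as the reply says), and without winbind in nsswitch.conf the C library cannot map them back to AD names; nss_has_winbind() checks the passwd and group lines for that. Second, setfacl parses each entry on colons while the shell splits arguments on spaces, so "default: group: ..." is handed over as several broken arguments; acl_entry() builds a single correctly formed "default:group:Domain Admins:rwx" entry and setfacl_command() quotes it so the space in the group name survives. The group name 'DOMAIN\Domain Admins', the share path and the NSSWITCH variable are placeholders (assumptions), and on a DC the name usually needs the domain prefix unless "winbind use default domain = yes" is set.

```shell
#!/bin/sh
# Added example for the Samba ACL thread; not from either poster.
# Helpers to (1) check whether libnss_winbind is wired into nsswitch.conf,
# (2) build setfacl entries without the stray spaces that broke the original
# command, and (3) verify the AD group resolves before touching the ACL.

NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"   # assumption: default location

# Return 0 when both the passwd and the group line of an nsswitch.conf list
# winbind (e.g. "group: files winbind"); commented lines are ignored.
nss_has_winbind() {
    file="$1"
    for db in passwd group; do
        grep -E '^[[:space:]]*'"$db"':.*[[:space:]]winbind([[:space:]]|$)' \
            "$file" >/dev/null 2>&1 || return 1
    done
    return 0
}

# Print one setfacl entry "type:name:perms" (prefixed with "default:" when the
# 4th argument is "yes"). The name may contain spaces, but nothing may appear
# between the colons and the fields, which is what the original command got wrong.
acl_entry() {
    kind="$1" name="$2" perms="$3" default="${4:-no}"
    case "$kind" in
        user|group) ;;
        *) echo "acl_entry: type must be user or group, got '$kind'" >&2; return 1 ;;
    esac
    case "$perms" in
        ""|*[!rwx-]*) echo "acl_entry: perms must consist of r, w, x or -" >&2; return 1 ;;
    esac
    case "$name" in
        *:*) echo "acl_entry: name may not contain ':'" >&2; return 1 ;;
    esac
    if [ "$default" = yes ]; then
        printf 'default:%s:%s:%s\n' "$kind" "$name" "$perms"
    else
        printf '%s:%s:%s\n' "$kind" "$name" "$perms"
    fi
}

# Print the setfacl command that grants a group rwx on a share tree as both an
# access entry and a default (inherited) entry. Each entry is single-quoted so
# the shell passes it as one argument (names containing ' are not handled).
setfacl_command() {
    group="$1" path="$2"
    access=$(acl_entry group "$group" rwx) || return 1
    inherit=$(acl_entry group "$group" rwx yes) || return 1
    printf "setfacl -R -m '%s' -m '%s' '%s'\n" "$access" "$inherit" "$path"
}

# True when NSS (libnss_winbind plus a running winbindd) can resolve the group.
group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

main() {
    group="${1:-DOMAIN\\Domain Admins}"   # assumption: replace with your domain
    share="${2:-/mnt/data/share}"         # share path from the thread
    if nss_has_winbind "$NSSWITCH"; then
        echo "winbind is listed for passwd and group in $NSSWITCH"
    else
        echo "winbind missing from passwd/group in $NSSWITCH: install libnss_winbind and add it" >&2
    fi
    if group_resolves "$group"; then
        echo "getent resolves '$group': $(getent group "$group")"
        setfacl_command "$group" "$share"
    else
        echo "getent cannot resolve '$group'; fix NSS/winbind before setting ACLs" >&2
        return 1
    fi
}

# Run the checks only when RUN_ACL_CHECK is set, so the file can also be sourced.
if [ -n "$RUN_ACL_CHECK" ]; then main "$@"; fi
```

Run it as RUN_ACL_CHECK=1 sh acl-check.sh 'DOMAIN\Domain Admins' /mnt/data/share on the DC; it prints the setfacl command rather than executing it so the entries can be inspected first, and it refuses to go that far while getent still cannot resolve the group, which is exactly the state the raw 3000000-style IDs in the getfacl output indicate.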