On Wed, 10 Aug 2016 14:18:16 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:
> Greetings,
>
> Previously I had set up a file server with DC on the same machine. As
> recommended, I created another machine to be the file server. I
> made the settings as far as I could, but I cannot give
> permissions on shared folders. I must give permissions on shared
> folders for groups and users of the domain. I'm using Samba 4.4.5 on
> the DCs and also the file server. I joined the file server as a domain
> member. About a file server as a member of a domain, I have not found
> satisfactory documentation. When the second DC was playing the role
> of file server, permissions worked perfectly. What do I need to
> configure so that the file server recognizes the permissions of users
> and AD groups?
>
>
> Follow my configuration file:
>
>
> smb.conf
>
> # Global parameters
> [global]
> netbios name = SRV16
> server string = Samba4 Server
> security = ADS
> encrypt passwords = Yes
> realm = OOMAIN.LOCAL
> workgroup = DOMAIN
> log file = /var/log/samba/%m.log
> log level = 1
> #
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> [dados]
> comment = Pasta dados
> path = /mnt/data
> read only = No
> browseable = Yes
> inherit acls = Yes
> inherit permissions = Yes
>
>
> /etc/nsswitch.conf:
>
>
> passwd: files sss winbind
> shadow: files sss winbind
> group: files sss winbind
>
> hosts: files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
> netgroup: files sss
> publickey: nisplus
> automount: files sss
> aliases: files nisplus
>
>
> With these commands, I can view the AD users and groups.
> wbinfo -u
> wbinfo -g
> getent group
>
> I realized the Winbind settings as reported in Samba page.
> When I run the following command I get error:
>
> # setfacl -R -m default:group:"Domain Admins":rwx /mnt/data/p1
> setfacl: /mnt/data/p1: Malformed default ACL `user::rwx,group::rwx,group:4294967295:rwx,mask::rwx,other::r-x': Duplicate entries at entry 3
> setfacl: /mnt/data/p1/teste.txt: Malformed default ACL `user::rw-,group::r--,group:4294967295:rwx,mask::rwx,other::r--': Duplicate entries at entry 3
>
>
> The missing setting?
>
I think you may be confusing Samba by having 'sss' and 'winbind'
in /etc/nsswitch. If your version of sssd is new enough, you will have
two versions of a winbind lib installed.
Can I suggest that you choose to use one or the other? I don't think it
is a good idea to use both.
If you decide to use sssd, stop winbindd and stop it from starting,
remove 'winbind' from /etc/nsswitch. If you still have problems, then
can I also suggest asking the sssd mailing list for help. sssd is not
part of Samba.
If you decide to use winbind, can I suggest you read this wiki page:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
If you have any questions after reading that page (and any sub pages it
points to), come back here and ask.
Rowland
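
The two symptoms discussed in this thread can be checked mechanically. The script below is an added example, not part of either message and not Samba or sssd code: it lists the NSS databases that name both `sss` and `winbind`, and picks out ACL entries carrying the id 4294967295 (2^32-1, that is -1 as an unsigned 32-bit id) as seen in the setfacl output. The function names `nss_conflicts` and `acl_unmapped_ids` are hypothetical, and the sample input is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample data is constructed
# from the nsswitch.conf and setfacl lines quoted in the thread.

# Print each nsswitch database whose source list contains both sss and winbind.
# $1 = path to an nsswitch.conf-style file.
nss_conflicts() {
    awk '
        /^[ \t]*#/ { next }                 # ignore comment lines
        NF >= 2 && $1 ~ /:$/ {              # "database: source source ..."
            db = $1; sub(/:$/, "", db)
            has_sss = 0; has_wb = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "sss")     has_sss = 1
                if ($i == "winbind") has_wb = 1
            }
            if (has_sss && has_wb) print db
        }' "$1"
}

# Read ACL text on stdin and print user/group entries whose numeric id is
# 4294967295, i.e. an id that is -1 rather than an allocated uid/gid.
acl_unmapped_ids() {
    grep -oE '(user|group):4294967295:[rwx-]{3}' || true
}

# --- demo on constructed input ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind
hosts:      files dns
services:   files sss
EOF

echo "Databases listing both sss and winbind:"
nss_conflicts "$sample"

echo "ACL entries with id 4294967295:"
echo "user::rwx,group::rwx,group:4294967295:rwx,mask::rwx,other::r-x" \
    | acl_unmapped_ids

rm -f "$sample"
```

On a real member server, pass `/etc/nsswitch.conf` to `nss_conflicts` and pipe `getfacl` output for the share path into `acl_unmapped_ids`.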