Hello
I configured a samba 4.3.1 service on a Centos 6.5 32 bit system and installed
it in the /home/samba/samba-4.3.1 directory (I know this is not a good place but
it was the only partition with enough free space).
The samba is running as an Active Directory Domain Controller with rfc2307
enabled and embedded DNS server.
This is my smb.conf
# Global parameters
[global]
workgroup = TESTDOM
realm = TESTDOM.LOCAL
netbios name = DC-SERVER
server role = active directory domain controller
dns forwarder = X.X.X.X
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /home/samba/samba-4.3.1/var/locks/sysvol/lacdevel.lac/scripts
read only = No
[sysvol]
path = /home/samba/samba-4.3.1/var/locks/sysvol
read only = No
[homes]
comment = %u's Home Directory
read only = no
browseable = no
guest ok = no
directory mask = 755
create mask = 0644
force create mode = 0644
On the Linux host I have the user "userX", with uid 503, belonging to
the group "groupX", with gid 507.
I created the corresponding user and group into the Samba server by using the
samba-tool command:
# Created the user
samba-tool user add userX --unix-home=/home/userX --uid-number=503
--login-shell=/bin/bash --gid-number=507 --given-name=NameX --surname=SurnameX
# Created the group
samba-tool group add groupX --gid-number=507 --nis-domain=testdom
# Added the user into the group
samba-tool group addmembers groupX userX
Then, by using an LDAP administration tool, I changed the primaryGroupID
attribute of the userX user to the RID of the groupX group (1104).
This configuration works fine. On a remote system I can mount the userX's
home:
mount -t cifs //x.x.x.x/userX /mnt -o user=TESTDOM\\userX
Password:
Now I have this problem: every file created by the remote host has the same
permissions. For example, running
touch /mnt/fileX
on the remote host creates fileX in the userX's home with these permissions:
ls -l /home/userX/fileX
-rwxrwxr-x+ 1 userX groupX 0 Dec 19 10:13 /home/userX/fileX
How can I set the permission of files according to the umask of the userX linux
user?
Is there a way to define this property into the Samba AD database?
Thanks in advance
Stefano
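As an added example (not from the thread), a small Python check of whether an observed ls -l mode can have been produced by the share's create mask / force create mode, using the smb.conf(5) rule (requested mode AND create mask) OR force create mode, with the values from the post above. The function names are mine; the sample ls -l line and mask values are copied from the message.

```python
# Constructed sample input: the ls -l line and the [homes] masks from the post.
LS_LINE = "-rwxrwxr-x+ 1 userX groupX 0 Dec 19 10:13 /home/userX/fileX"
CREATE_MASK = 0o644
FORCE_CREATE_MODE = 0o644


def parse_mode_string(perm):
    """Turn an ls -l permission field such as '-rwxrwxr-x+' into an int mode.

    Only the nine rwx characters after the file-type character carry mode
    bits. The trailing '+' just flags an extended (POSIX) ACL; with such an
    ACL the group triplet shown by ls is the ACL mask entry, not the plain
    group permission. 'S', 'T', 'l' and '-' mean the x bit is NOT set.
    """
    mode = 0
    for ch in perm[1:10]:
        mode = (mode << 1) | (0 if ch in "-STl" else 1)
    return mode


def expected_mode(requested, create_mask, force_create_mode):
    """smb.conf(5) semantics for a newly created file."""
    return (requested & create_mask) | force_create_mode


def masks_allow(observed, create_mask, force_create_mode):
    """Can any requested mode yield `observed` under these two parameters?

    A bit may be set only if it is in create mask or force create mode, and
    every bit in force create mode must be set.
    """
    allowed = create_mask | force_create_mode
    return (observed & ~allowed) == 0 and (observed & force_create_mode) == force_create_mode


def check_ls_line(line, create_mask, force_create_mode):
    """Parse one ls -l line and report whether the share masks explain it."""
    perm = line.split()[0]
    observed = parse_mode_string(perm)
    return {
        "observed": observed,
        "has_acl": perm.endswith("+"),
        "consistent": masks_allow(observed, create_mask, force_create_mode),
    }


if __name__ == "__main__":
    result = check_ls_line(LS_LINE, CREATE_MASK, FORCE_CREATE_MODE)
    print("observed mode: %o, extended ACL: %s, masks explain it: %s"
          % (result["observed"], result["has_acl"], result["consistent"]))
```

For the post's line the check reports 0775 with an extended ACL and "consistent: False": the [homes] masks cannot yield that mode, so those parameters are not what is governing the file, which matches the reply that [homes] is not honoured on a DC.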
See inline comments:

On Mon, 19 Dec 2016 09:24:07 +0000
Stefano Martini via samba <samba at lists.samba.org> wrote:

> Hello
> I configured a samba 4.3.1 service on a Centos 6.5 32 bit system and
> installed it in the /home/samba/samba-4.3.1 directory (I know this is
> not a good place but it was the only partition with enough free
> space). The samba is running as an Active Directory Domain Controller
> with rfc2307 enabled and embedded DNS server. This is my smb.conf
>
> # Global parameters
> [global]
> workgroup = TESTDOM
> realm = TESTDOM.LOCAL
> netbios name = DC-SERVER
> server role = active directory domain controller
> dns forwarder = X.X.X.X
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /home/samba/samba-4.3.1/var/locks/sysvol/lacdevel.lac/scripts
> read only = No
>
> [sysvol]
> path = /home/samba/samba-4.3.1/var/locks/sysvol
> read only = No
>
> [homes]
> comment = %u's Home Directory
> read only = no
> browseable = no
> guest ok = no
> directory mask = 755
> create mask = 0644
> force create mode = 0644

[homes] doesn't work on a DC, see here:
https://wiki.samba.org/index.php/User_home_drives#Adding_the_share

> On the Linux host I have the user "userX", with uid 503, belonging to
> the group "groupX", with gid 507. I created the corresponding user
> and group into the Samba server by using the samba-tool command:
>
> # Created the user
> samba-tool user add userX --unix-home=/home/userX --uid-number=503
> --login-shell=/bin/bash --gid-number=507 --given-name=NameX
> --surname=SurnameX
>
> # Created the group
> samba-tool group add groupX --gid-number=507 --nis-domain=testdom
>
> # Added the user into the group
> samba-tool group addmembers groupX userX
>
> Then, by using an LDAP administration tool, I changed the
> primaryGroupID attribute of the userX user to the RID of the groupX
> group (1104).
>
> This configuration works fine. On a remote system I can mount the
> userX's home:

No it doesn't, you might think it does, but you have just broken Windows!
Can I suggest you put the user's primaryGroupID back to 513, which is
what Windows expects it to be.

> mount -t cifs //x.x.x.x/userX /mnt -o user=TESTDOM\\userX
> Password:
>
> Now I have this problem: every file created by the remote host has
> the same permissions. For example, running
>
> touch /mnt/fileX
>
> on the remote host creates fileX in the userX's home with these
> permissions:
>
> ls -l /home/userX/fileX
> -rwxrwxr-x+ 1 userX groupX 0 Dec 19 10:13 /home/userX/fileX
>
> How can I set the permission of files according to the umask of the
> userX linux user? Is there a way to define this property into the
> Samba AD database?
>
> Thanks in advance
> Stefano

You need to start using the Windows way of doing things, all users are
members of 'Domain Users', no private groups with the same name as a
user. Can I also suggest you stop using ID numbers in the 5xx range.
I feel I must also point out that you shouldn't have users or groups in
/etc/passwd & /etc/group that are also in AD.
I think you need to read the Samba wiki:
https://wiki.samba.org/index.php/Main_Page

Rowland
On Tue, 20 Dec 2016 08:34:44 +0000
Stefano Martini <S.Martini at ifinet.it> wrote:

> Thanks Rowland for your reply.
> The samba server is not used to handle a real domain.

So you set up an AD DC and then claim you are not handling a real
domain, would you like to examine your statement for inconsistencies ;-)

> It is used by an application to interact with the CheckPoint Identity
> Awareness. So no Windows clients are joined to the domain and no users
> have to logon. As the Linux server running Samba is also a standard
> linux server with other running services I wanted to export some
> directory to other linux and windows systems that are not in the Samba
> domain. I wanted to export the linux home directory of each user in a
> way that each user could work on his home from remote hosts.

From the sound of it, you would probably be better off setting up a
standalone server.

Rowland