Hi,
I am testing 2 Samba AD DCs running self-compiled 4.7.0rc5 and 2 member servers
that are running samba-4.6.2-8.el7.x86_64 that I am trying to get set up as file
servers.
The file server smb.conf looks like the following:
[global]
     security = ADS
     workgroup = SAMDOM
     realm = SAMDOM.MYDOMAIN.COM
     winbind use default domain = yes
     idmap config * : backend = tdb
     idmap config * : range = 3000-7999
     idmap config SAMDOM:backend = ad
     idmap config SAMDOM:schema_mode = rfc2307
     idmap config SAMDOM:unix_nss_info = yes
     idmap config SAMDOM:range = 10000-999999
     domain master = no
     local master = no
     preferred master = no
     os level = 20
     map to guest = bad user
     host msdfs = no
     username map = /etc/samba/user.map
     vfs objects = acl_xattr
     map acl inherit = yes
     store dos attributes = yes
     unix extensions = no
     reset on zero vc = yes
     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
     hide unreadable = yes
     load printers = no
     printing = bsd
     printcap name = /dev/null
     disable spoolss = yes
     # Logging
     log file = /var/log/samba/%m.log
     log level = 1
     ## Samba Shared directories
[users]
     path = /home/samba/users/
     readonly = no
When I try to access the users share from a Windows 7 box that is a domain
member logged in as administrator, I can access it as expected. If I log in
to the same Windows box as a normal user who is a member of the Domain
Users group, I am denied.
I have set up a group called "Unix Admins", which is a member of the Domain
Admins group. The Unix Admins and Domain Users groups have Unix gids
assigned to them.
Getent group shows the following:
(vfs1 pts9) # getent group "SAMDOM\Domain Users"
domain users:x:10000:
(vfs1 pts9) # getent group "SAMDOM\Unix Admins"
unix admins:x:10001:
(vfs1 pts9) #
Getent passwd shows the following:
(vfs1 pts9) # getent passwd "SAMDOM\tuser"
tuser:*:10001:10000:Test User:/home/samba/tuser:/bin/false
(vfs1 pts9) #
Permissions on the users directory are as follows:
(vfs1 pts9) # ll -d users/
drwxrwx---+ 3 root unix admins 23 Aug 31 22:27 users/
(vfs1 pts9) # getfacl users
# file: users
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:domain\040users:rwx
default:group:unix\040admins:rwx
default:mask::rwx
default:other::r-x
(vfs1 pts9) #
As you can see above, my test user is a member of the Domain Users group and, if
I am reading the above permissions correctly, Domain Users has rwx permissions.
Does anyone have any idea what I am doing wrong?
Regards,
-- 
Tom			me at tdiehl.org
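Added example, not part of the post above and not Samba project code: a small Python script that reads the getfacl listing quoted in the post (embedded here as a constructed sample), decodes getfacl's \040 escapes for the space in "domain users", and applies the POSIX.1e access-check algorithm for a given user and set of groups. It is a way to confirm what the POSIX ACL actually grants the test user, including the two points that are easy to misread: the owner entry is never limited by the mask, and within the group class a request is granted only if one single matching entry (after the mask is applied) holds every requested bit. A second constructed sample with a restrictive mask shows getfacl's "#effective:" annotation being handled. The user-to-group mapping for tuser (primary gid 10000 resolving to "domain users") is taken from the getent output in the post; nothing here assumes a particular supplementary group list.

```python
"""Evaluate POSIX.1e ACL access from getfacl output.

Added example (not from the mailing-list post or the Samba project): parses
the access ACL getfacl prints and applies the POSIX.1e access-check
algorithm for a user and the groups that user belongs to.
"""
import re
from dataclasses import dataclass, field

FULL = frozenset("rwx")

# Constructed input: the getfacl output quoted in the post (\040 is getfacl's
# octal escape for a space in a user or group name).
SAMPLE_GETFACL = """\
# file: users
# owner: root
# group: unix\\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\\040users:rwx
group:unix\\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:domain\\040users:rwx
default:group:unix\\040admins:rwx
default:mask::rwx
default:other::r-x
"""

# Constructed variant: same directory with a restrictive mask; getfacl then
# annotates the entries the mask cuts down with "#effective:".
SAMPLE_MASKED = """\
# file: users
# owner: root
# group: unix\\040admins
user::rwx
group::rwx                      #effective:r-x
group:domain\\040users:rwx       #effective:r-x
mask::r-x
other::---
"""


def unescape(name: str) -> str:
    """Decode getfacl octal escapes: 'domain\\040users' -> 'domain users'."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def perms(text: str) -> frozenset:
    """'r-x' -> {'r', 'x'}."""
    return frozenset(text) - {"-"}


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: frozenset = FULL
    group_obj: frozenset = frozenset()
    other: frozenset = frozenset()
    mask: frozenset = FULL                        # no mask entry == no restriction
    users: dict = field(default_factory=dict)     # named user entries
    groups: dict = field(default_factory=dict)    # named group entries


def parse_getfacl(text: str) -> Acl:
    """Parse the access ACL; default: entries are skipped because they only
    shape the ACLs of newly created children, not access to this object."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()   # drop mask annotation
        if line.startswith("# owner:"):
            acl.owner = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            acl.group = unescape(line.split(":", 1)[1].strip())
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue
        else:
            tag, qual, perm = line.split(":")
            qual, perm = unescape(qual), perms(perm)
            if tag == "user":
                if qual:
                    acl.users[qual] = perm
                else:
                    acl.user_obj = perm
            elif tag == "group":
                if qual:
                    acl.groups[qual] = perm
                else:
                    acl.group_obj = perm
            elif tag == "mask":
                acl.mask = perm
            elif tag == "other":
                acl.other = perm
    return acl


def check_access(acl: Acl, user: str, groups: set, want: str) -> bool:
    """POSIX.1e: the first matching class decides. Owner is never masked;
    named users are; in the group class some single matching entry (after
    masking) must contain every requested bit, otherwise access is denied."""
    need = perms(want)
    if user == acl.owner:
        return need <= acl.user_obj
    if user in acl.users:
        return need <= (acl.users[user] & acl.mask)
    candidates = []
    if acl.group in groups:
        candidates.append(acl.group_obj & acl.mask)
    candidates += [p & acl.mask for g, p in acl.groups.items() if g in groups]
    if candidates:
        return any(need <= c for c in candidates)
    return need <= acl.other


def explain(acl: Acl, user: str, groups: set) -> str:
    """Summarise which of r, w, x the ACL grants, e.g. 'r-x'."""
    return "".join(b if check_access(acl, user, groups, b) else "-" for b in "rwx")


if __name__ == "__main__":
    # tuser as the post's getent output shows it: primary gid 10000, which
    # getent group resolves to "domain users".
    acl = parse_getfacl(SAMPLE_GETFACL)
    print("tuser on users/:", explain(acl, "tuser", {"domain users"}))
    masked = parse_getfacl(SAMPLE_MASKED)
    print("tuser with mask r-x:", explain(masked, "tuser", {"domain users"}))
```

Run against the posted listing the script reports rwx for tuser, so the POSIX ACL itself is not what denies access. Note that this only models the POSIX ACL layer: with vfs objects = acl_xattr, Samba also keeps an NT ACL in the security.NTACL extended attribute and consults it when present, so a share can still deny a user whom the POSIX ACL admits; checking what is stored there (and what id <user> reports for the user's actual group list on the member server) is the next thing to look at.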