On 14/09/2017 13:28, Rowland Penny via samba wrote:
> On Thu, 14 Sep 2017 13:15:31 -0300
> Flávio Silveira via samba <samba at lists.samba.org> wrote:
>
>> On 14/09/2017 12:46, Rowland Penny via samba wrote:
>>>>> well possibly, but I will rephrase my question, are:
>>>>>
>>>>> libpam-winbind libpam-krb5 libnss-winbind
>>>>>
>>>>> installed ?
>>>> Yes sir, all three are installed, should I proceed to editing
>>>> nsswitch.conf as described on the tutorial?
>>>>
>>>>> Rowland
>>>>>
>>> Yes, you should now get a result from 'getent passwd ausername'
>>>
>>> Rowland
>>>
>> Thanks Rowland, below is the edited /etc/nsswitch.conf:
>>
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>> gshadow: files
>>
>> hosts: files dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>> And here is the output of "getent passwd fsilveira":
>>
>> root at dc1:~# getent passwd fsilveira
>> fsilveira:x:1001:1001::/home/fsilveira:/sbin/nologin
>> root at dc1:~#
> Looking good so far, I take it you don't want the users logging into
> the DC.

Correct.

>> About the file serving here:
>> https://wiki.samba.org/index.php/Samba_File_Serving
>>
>> Should I use the "Setting up a share using Windows ACLs" tutorial?
>>
> You must use Windows ACLs on a DC, so yes, you will need to follow that
> wikipage.

Ok, just curious, are there any disadvantages to using Windows ACLs instead of POSIX ACLs?

Also, once I create a file server as a Domain Member, how easy will it be to migrate from the DC?

I am reading this
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

For the "Granting the SeDiskOperatorPrivilege Privilege" section, it mentions the "Domain Admins" group, do I need to create all groups with the command below?

groupadd <group name>

So, a small step-by-step would be:

1- Create all groups with: groupadd <group name>, example: groupadd "Domain Admins"
2- Create local user accounts with: useradd -M -s /sbin/nologin <user name>
3- Add password to local user accounts with: passwd <user name>
4- Add local user accounts to Samba database with: smbpasswd -a <user name>
5- Enable Samba account with: smbpasswd -e <user name>
6- Add user account to a group with: usermod -G <group name> <user name>
7- Follow "Granting the SeDiskOperatorPrivilege Privilege" section from [1]
8- Follow "Adding a Share" section from [1]

[1]: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Does this look correct?

> Rowland
>

Thank you!
On Fri, 15 Sep 2017 08:47:45 -0300
Flávio Silveira via samba <samba at lists.samba.org> wrote:

> Ok, just curious, are there any disvantages between using Windows
> ACLs instead of POSIX ACLs?

None that I am aware of, in fact there are several advantages.

> Also, once I create a file server as Domain Member, how easy will be
> to migrate from DC?

Not sure what you mean here, it sounds like you want to turn your Samba AD DC into a Unix domain member, I am sure you don't want to do this, so can you explain your question better ?

> I am reading this
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> For the "Granting the SeDiskOperatorPrivilege Privilege" section, it
> mentions "Domain Admins" group, do I need to create all groups with
> below?
>
> groupadd <group name>
>
> So, a small step-by-step would be:
>
> 1- Create all groups with: groupadd <group name>, example: groupadd
> "Domain Admins"

No, you do not need to create this group, it should already exist in AD

> 2- Create local user accounts with: useradd -M -s /sbin/nologin <user
> name>

No, you do not need any local Unix users, you either create your windows users (with samba-tool) as Unix users as well, or you extend your windows users to be Unix users as well.

> 3- Add password to local user accounts with: passwd <user name>

Seeing as you will not create local Unix users, then no.

> 4- Add local user accounts to Samba database with: smbpasswd -a <user
> name>
> 5- Enable Samba account with: smbpasswd -e <user name>

There is a theme here ;-) no

> 6- Add user account to a group with: usermod -G <group name> <user
> name>
> 7- Follow "Granting the SeDiskOperatorPrivilege Privilege"
> section from [1]

No, use samba-tool or the windows tools.

> 8- Follow "Adding a Share" section from [1]
>
> [1]:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>

Well, yes, but no ;-)

Yes, you should follow the wikipage.
No, you shouldn't use 'Domain Admins' (I must update that wikipage)

If you use 'Domain Admins', you will need to give the windows group a gidNumber attribute. This is not a good idea, 'Domain Admins' needs to own GPOs in sysvol, so it needs to be mapped to 'ID_TYPE_BOTH' in idmap.ldb on the DC. If you give the group a gidNumber, it becomes just a group as far as Unix is concerned and groups cannot own anything on Unix.

My suggestion is to create a new group in AD (I suggest 'Unix Admins', but you can call it anything you like), give this new group a gidNumber and make it a member of 'Domain Admins'. Now wherever it says 'Domain Admins' on the wikipage, use your new group instead.

Rowland
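The procedure described in the reply above, as an added example: this script is written for this page and is not from the thread, the Samba wiki or the Samba project. It replaces the groupadd/useradd/passwd/smbpasswd steps from the earlier message with samba-tool, creates the suggested 'Unix Admins' group with a gidNumber and nests it in 'Domain Admins' (which keeps its own idmap.ldb mapping untouched), grants the new group SeDiskOperatorPrivilege, creates a domain user that is also a Unix user, and checks the result with getent. The workgroup SAMDOM, the NIS domain samdom, gidNumber 10000, uidNumber 10001 and the group name 'Unix Admins' are assumptions, not values from the thread.

```bash
#!/bin/bash
# Added example, not from the thread or the Samba wiki: create a Unix-mapped
# admin group on a Samba AD DC and a domain user with RFC2307 attributes,
# instead of local Unix users plus smbpasswd.
# Assumed values (not in the thread): workgroup SAMDOM, NIS domain samdom,
# group "Unix Admins" with gidNumber 10000, uidNumber 10001 for the user.
# On a DC, smb.conf needs "idmap_ldb:use rfc2307 = yes" before winbind uses
# the uidNumber/gidNumber attributes stored in AD.
set -eu

WORKGROUP="${WORKGROUP:-SAMDOM}"
NIS_DOMAIN="${NIS_DOMAIN:-samdom}"
ADMIN_GROUP="${ADMIN_GROUP:-Unix Admins}"
ADMIN_GID="${ADMIN_GID:-10000}"
# winbind may return domain-qualified names (SAMDOM\name) unless
# "winbind use default domain = yes" is set; NSS_PREFIX adjusts the lookups.
NSS_PREFIX="${NSS_PREFIX:-}"
# Without --apply the script only prints the commands it would run.
DRY_RUN=1

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the new AD group with a gidNumber and nest it inside 'Domain Admins'.
# 'Domain Admins' itself is not touched, so it keeps its ID_TYPE_BOTH mapping
# in idmap.ldb and can still own the GPOs in sysvol.
create_unix_admins_group() {
    run samba-tool group add "$ADMIN_GROUP" \
        --nis-domain="$NIS_DOMAIN" --gid-number="$ADMIN_GID"
    run samba-tool group addmembers "Domain Admins" "$ADMIN_GROUP"
}

# Grant SeDiskOperatorPrivilege to the new group (where the wiki page says
# 'Domain Admins'); its members can then set Windows ACLs on the shares.
grant_disk_operator() {
    run net rpc rights grant "$WORKGROUP\\$ADMIN_GROUP" SeDiskOperatorPrivilege \
        -U "$WORKGROUP\\administrator"
}

# Create a domain user that is also a Unix user: the RFC2307 attributes live
# on the AD object, so no useradd/passwd/smbpasswd on the DC. samba-tool needs
# --nis-domain, --uid-number, --gid-number, --unix-home and --login-shell
# together; /sbin/nologin keeps the user off the DC console. The random
# password is replaced afterwards with "samba-tool user setpassword".
create_unix_user() {
    user="$1"
    uid="$2"
    run samba-tool user create "$user" --random-password \
        --nis-domain="$NIS_DOMAIN" --uid-number="$uid" --gid-number="$ADMIN_GID" \
        --unix-home="/home/$user" --login-shell=/sbin/nologin
    run samba-tool group addmembers "$ADMIN_GROUP" "$user"
}

# Both lookups go through winbind ("passwd: compat winbind",
# "group: compat winbind" in nsswitch.conf); the gid of the group must be the
# gidNumber we set, otherwise winbind is not using the RFC2307 attributes.
verify_mapping() {
    user="$1"
    gid="$(getent group "$NSS_PREFIX$ADMIN_GROUP" | cut -d: -f3)"
    [ "$gid" = "$ADMIN_GID" ] || { echo "gidNumber of $ADMIN_GROUP not visible to Unix" >&2; return 1; }
    getent passwd "$NSS_PREFIX$user" >/dev/null || { echo "user $user does not resolve" >&2; return 1; }
    echo "ok: $ADMIN_GROUP has gid $gid and $user resolves"
}

main() {
    if [ "${1:-}" = "--apply" ]; then
        DRY_RUN=0
    fi
    create_unix_admins_group
    grant_disk_operator
    create_unix_user fsilveira 10001
    [ "$DRY_RUN" = 1 ] || verify_mapping fsilveira
}

main "$@"
```

Run it without arguments to review the commands; `./unix-admins.sh --apply` executes them as root on the DC. Department groups (Commercial, Marketing, ...) are created the same way with `samba-tool group add --nis-domain=... --gid-number=...`, each with a distinct gidNumber, and users are placed in them with `samba-tool group addmembers`; none of them needs groupadd or usermod on the DC.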
On 15/09/2017 09:29, Rowland Penny via samba wrote:
> On Fri, 15 Sep 2017 08:47:45 -0300
> Flávio Silveira via samba <samba at lists.samba.org> wrote:
>
>> Ok, just curious, are there any disvantages between using Windows
>> ACLs instead of POSIX ACLs?
> None that I am aware of, in fact there are several advantages.

Great!

>> Also, once I create a file server as Domain Member, how easy will be
>> to migrate from DC?
> Not sure what you mean here, it sounds like you want to turn your Samba
> AD DC into a Unix domain member, I am sure you don't want to do this,
> so can you explain your question better ?

Yes, sorry for that. What I meant was:

Currently I am setting up a file server together with the AD DC, which is not recommended, but given my simple scenario it is ok to do it that way, at least that is what I understand.

My question was: once I have proper hardware resources to have a file server separate from the AD DC, how easy will it be to migrate the configs/shares from the AD DC to the separate file server (Domain Member)?

Does it make sense now?

>> I am reading this
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> For the "Granting the SeDiskOperatorPrivilege Privilege" section, it
>> mentions "Domain Admins" group, do I need to create all groups with
>> below?
>>
>> groupadd <group name>
>>
>> So, a small step-by-step would be:
>>
>> 1- Create all groups with: groupadd <group name>, example: groupadd
>> "Domain Admins"
> No, you do not need to create this group, it should already exist in AD

Ok, how can I verify? How about the other groups?

By other groups I mean the ones I am creating as my company departments, like Commercial, Marketing etc, so I can create shares per department.

>> 2- Create local user accounts with: useradd -M -s /sbin/nologin <user
>> name>
> No, you do not need any local Unix users, you either create your
> windows users (with samba-tool) as Unix users as well, or you extend
> your windows users to be Unix users as well.

Is there any wiki I could follow to do one of the above? Thank you

>> 3- Add password to local user accounts with: passwd <user name>
> Seeing as you will not create local Unix users, then no.

Ok

>> 4- Add local user accounts to Samba database with: smbpasswd -a <user
>> name>
>> 5- Enable Samba account with: smbpasswd -e <user name>
> There is a theme here ;-) no

Ok

>> 6- Add user account to a group with: usermod -G <group name> <user
>> name>
>> 7- Follow "Granting the SeDiskOperatorPrivilege Privilege"
>> section from [1]
> No, use samba-tool or the windows tools.

Could you give an example please?

>> 8- Follow "Adding a Share" section from [1]
>>
>> [1]:
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
> Well, yes, but no ;-)
>
> Yes, you should follow the wikipage.
> No, you shouldn't use 'Domain Admins' (I must update that wikipage)
> If you use 'Domain Admins', you will need to give the windows group a
> gidNumber attribute. This is not a good idea, 'Domain Admins' needs to
> own GPOs in sysvol, so it needs to be mapped to 'ID_TYPE_BOTH' in
> idmap.ldb on the DC. If you give the group a gidNumber, it becomes just
> a group as far as Unix is concerned and groups cannot own anything on
> Unix.
>
> My suggestion is to create a new group in AD (I suggest 'Unix Admins',
> but you can call it anything you like), give this new group a gidNumber
> and make it a member of 'Domain Admins'. Now wherever it says 'Domain
> Admins' on the wikipage, use your new group instead.

Thanks for the explanations, how do I create this new group? With groupadd?

If you can give a full example, I will be very glad! But please don't think I am lazy, if there is a wiki that mentions how to do it, just point me to it :-)

>
> Rowland
>
>

Regards,
Flavio Silveira