hi list,

environment:

Windows 2008 Domain
Centos 7 server running samba 4.4.4

Problem:

I am creating a number of samba shares on the Centos server to be used on the Domain. Right now I have two major directories setup as shares with minor directories being created.

How do I specify read/write permissions on the minor directories without having to create a share for each directory? When I specify a domain group the centos server does not see the group.

The configuration now shows multiple shares but it does not preserve the read only access in the minor shares.

Here is the config:

[global]
    workgroup = Accounting
    security = ADS
    realm = Accounting.edt.local
    log file = /var/log/samba/%m.log
    log level = 1
    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    # - Adding just this is not enough
    # - You must set a DOMAIN backend configuration, see below
    idmap config * : backend = tdb
    idmap config * : range = 1000000-2000000
    # username map = /usr/local/etc/samba/user.map
    winbind use default domain = yes
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw

[custinfo]
    path = /cui/admin/Customer Info
    comment = Mfg and Purchasing
    valid users = tiana bob carol jessica janet lynne
    read list = lynne janet jessica
    write list = tiana bob carol
    writable = yes
    browsable = yes

[custorders]
    path = /cui/admin/Customer Orders
    comment = Mfg and Purchasing
    valid users = tiana bob carol jessica janet lynne
    read list = lynne janet jessica
    write list = tiana bob carol
    writable = yes
    browsable = yes

[custdandb]
    path = /cui/admin/Customer credit reports (D&B)
    comment = Mfg and Purchasing
    valid users = tiana bob carol jessica janet lynne
    write list = lynne janet jessica
    read list = tiana bob carol
    writable = yes
    browsable = yes

[acctcui]
    path = /cui/acct
    comment = Accounting CUI Directories
    valid users = jlowry, lynne, janet, jessica
    browsable = yes
    read only = No

[admincui]
    path = /cui/admin
    comment = Accounting CUI Directories
    valid users = jlowry lynne janet jessica bob tiana cynthia jill thuylinh carol wendy tom
    browsable = yes
    read only = No

--
---------------------------------------------------------------------------
Jerold Lowry
Principal Network/Systems Engineer
Engineering Design Team (EDT), Inc. a HEICO company
3423 NW John Olsen Pl
Hillsboro, Oregon 97124 (U.S.A.)
Phone: 503-690-1234 / 800-435-4320
Fax: 503-690-1243
Web: www.edt.com <http://www.edt.com/>

On Mon, 27 Nov 2017 12:14:44 -0800
Jerry Lowry via samba <samba at lists.samba.org> wrote:

> hi list,
>
> environment:
>
> Windows 2008 Domain
>
> Centos 7 server running samba 4.4.4
>
> Problem:
>
> I am creating a number of samba shares on the Centos server to be
> used on the Domain. Right now I have two major directories setup as
> shares with minor directories being created.
>
> How do I specify read/write permissions on the minor directories
> without having to create a share for each directory? When I specify
> a domain group the centos server does not see the group.
>
> The configuration now shows multiple shares but it does not preserve
> the read only access in the minor shares.
>
> Here is the config:
>
> [global]
> workgroup = Accounting
> security = ADS
> realm = Accounting.edt.local
> log file = /var/log/samba/%m.log
> log level = 1
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> # - Adding just this is not enough
> # - You must set a DOMAIN backend configuration, see below
> idmap config * : backend = tdb
> idmap config * : range = 1000000-2000000

Either:

A) you are using sssd, in which case you should ask on the sssd-users mailing list, because sssd is doing the authentication.

Or

B) You totally missed this: '# - Adding just this is not enough' when you cut and pasted it from the Samba wiki, you need to use the winbind 'rid' or 'ad' backend.

Rowland

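Added example, not part of the thread and not Samba's own code: a Python check for the condition raised in the reply above, a domain member whose smb.conf carries only the default (*) idmap entry, plus the range-overlap rule quoted in the config comments. It assumes the domain's NetBIOS name equals the workgroup value; the FIXED sample and its 10000-999999 range are constructed for illustration.

```python
import re

# Constructed samples: the idmap lines from the posted [global] section, and a
# hypothetical corrected variant (the domain range 10000-999999 is assumed).
POSTED = """[global]
workgroup = Accounting
idmap config * : backend = tdb
idmap config * : range = 1000000-2000000
"""
FIXED = POSTED + """idmap config ACCOUNTING : backend = rid
idmap config ACCOUNTING : range = 10000-999999
"""

IDMAP = re.compile(r"idmap config\s+(\S+)\s*:\s*(\w+)$", re.I)

def parse_global(text):
    """Return (workgroup, {domain: {option: value}}) from the [global] section."""
    section, workgroup, idmap = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = IDMAP.match(key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        elif key.lower() == "workgroup":
            workgroup = value.upper()
    return workgroup, idmap

def check_idmap(text):
    """List problems with the domain-member ID mapping in smb.conf text."""
    workgroup, idmap = parse_global(text)
    problems = []
    # Assumption: the domain's NetBIOS name is the workgroup value.
    backend = idmap.get(workgroup, {}).get("backend", "").lower()
    if backend not in ("rid", "ad"):
        problems.append(f"no rid/ad idmap backend for domain {workgroup}")
    ranges = {name: [int(x) for x in opts["range"].split("-")]
              for name, opts in idmap.items() if "range" in opts}
    if "*" in ranges and workgroup in ranges:
        (lo, hi), (dlo, dhi) = ranges["*"], ranges[workgroup]
        if lo <= dhi and dlo <= hi:
            problems.append("default (*) range overlaps the domain range")
    return problems
```

Running check_idmap on the text of a real smb.conf gives an empty list when a rid or ad backend is configured for the domain and its range stays clear of the default one.
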
On Mon, 27 Nov 2017 14:05:36 -0800
Jerry Lowry <jlowry at edt.com> wrote:

> Okay, I missed the "ad". Got that fixed, but how do you reference
> subdirectories with groups when referencing the major shares. So, to
> explain better hopefully. I would like to shares "acct" and "admin"
> with sub directories that have different group permissions than the
> major share. The major share should allow read/write to everyone,
> the directories under these shares have finer granularity. Is that
> possible on the major shares?
>
>

In a way, you gave feedback on the wiki, so for that, thanks ;-)

I have made the lines on the wikipage bold, hopefully this will help in future.

I don't think you can do what you are trying to do with POSIX ACLs, but you may be able to do this with Windows ACLs, read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Set the ACLs on the share first, then on the directories beneath them.

Rowland

On Mon, 27 Nov 2017 14:57:30 -0800
Jerry Lowry <jlowry at edt.com> wrote:

> Thanks for the reply,
>
> I forgot a bit of info, oops. the users/groups are in the AD but the
> shares are held on the centos samba server. So setting windows ACL's
> is not going to work in this case.

And the centos samba server is a domain member, so the Windows ACLs will work.

>
> After working through this problem and looking at what needs to be
> put in a share, I think it will be best suited to create the shares
> and drop the major share at the top. This way the granularity will
> be consistent across the shares.
>
>
> thanks for the help!
>
> p.s !! kudos on the response time, much better than what I get from
> other forums!!
>