Rowland Penny
2019-Jan-21 10:48 UTC
[Samba] I have issue in configuring file servers with AD integration.
On Mon, 21 Jan 2019 15:53:47 +0530 venkat ramu <ramut123 at gmail.com> wrote:

> [inherit]
> path = /srv/samba/test/inherit
> valid users = +"SBX\Inherit-Group", at +"SBX\Inherit-Group"
> invalid users = +"SBX\Test-Group"
> writeable = yes
>
> [inherit1]
> writeable = yes
> comment = inherit1
> valid users = +"SBX\Inherit-Group", at +"SBX\Inherit-Group"
> path = /srv/samba/test/inherit1
> inherit permissions = no

Your computer appears to be a Unix domain member and if you read the 'invalid users' part of 'man smb.conf', you will find that '+' means look in the Unix group database (/etc/group) and '@' means look in the NIS database. As your computer is a Unix domain member, neither of these will be used and 'Inherit-Group' should exist in AD.

There is another possible problem (it could be a typo), you posted this:

    workgroup = SBX

and also this:

    idmap config TESTAD : backend = rid
    idmap config TESTAD : range = 10000-999999

'TESTAD' should be 'SBX'

Can I also suggest you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

That is a much better way of doing what you require.

Rowland
Rowland Penny
2019-Jan-21 12:01 UTC
[Samba] I have issue in configuring file servers with AD integration.
> On Mon, 21 Jan 2019 15:53:47 +0530
> venkat ramu <ramut123 at gmail.com> wrote:

I have rewritten your shares.

    [inherit]
    path = /srv/samba/test/inherit
    valid users = "SBX\Inherit-Group"
    invalid users = "SBX\Test-Group"
    read only = No

    [inherit1]
    comment = inherit1
    path = /srv/samba/test/inherit1
    valid users = "SBX\Inherit-Group"
    read only = No

The first share 'inherit' only allows the members of the AD group 'Inherit-Group' to connect, but if a user is also a member of 'Test-Group', they will not be allowed access.

The second share is similar, except it doesn't have any invalid users.

There is however another possible problem, even if Samba allows access, the underlying OS might not. The directory '/srv/samba/test/inherit1' will have to belong to 'root:Inherit-Group' with 'rwx' permissions for the group. Your users will also have to be able to access each directory in the share's path.

All of the above is a lot easier if you set the permissions from Windows.

Rowland
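The two configuration points raised in the replies above (no 'idmap config' lines for the 'workgroup' domain, and '+' or '@' prefixes in 'valid users' / 'invalid users') can be checked mechanically. This is an added example, not part of the original thread and not Samba code; `parse` and `lint` are hypothetical helper names, and the sample text is constructed from the settings quoted in the thread.

```python
import re

# Constructed from the settings quoted in this thread (original post).
ORIGINAL = r'''
[global]
workgroup = SBX
idmap config TESTAD : backend = rid
idmap config TESTAD : range = 10000-999999
[inherit]
path = /srv/samba/test/inherit
valid users = +"SBX\Inherit-Group"
invalid users = +"SBX\Test-Group"
'''
# Same text after the corrections suggested in the replies.
REWRITTEN = ORIGINAL.replace("TESTAD", "SBX").replace('+"', '"')

def parse(text):
    """Return {section: {option: value}} with lower-cased names."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def lint(text):
    """Report the two problems from the thread; an empty list means none found."""
    conf, findings = parse(text), []
    glob = conf.get("global", {})
    workgroup = glob.get("workgroup", "").upper()
    domains = {m.group(1).upper() for k in glob
               if (m := re.match(r"idmap config ([^\s:]+)\s*:", k))}
    if workgroup and workgroup not in domains:
        others = sorted(domains - {"*"})
        findings.append(f"[global] no 'idmap config {workgroup} : ...' lines; found {others}")
    for name, opts in conf.items():
        for key in ("valid users", "invalid users"):
            # Quoted names may contain spaces, so match them before bare words.
            for entry in re.findall(r'[+@]*"[^"]*"|[^\s,]+', opts.get(key, "")):
                if entry[0] in "+@":
                    findings.append(f"[{name}] {key}: {entry} uses a '{entry[0]}' lookup prefix")
    return findings

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("rewritten", REWRITTEN)):
        print(label, lint(text) or "no findings")
```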
Rowland Penny
2019-Jan-21 13:42 UTC
[Samba] I have issue in configuring file servers with AD integration.
On Mon, 21 Jan 2019 19:05:04 +0530 venkat ramu <ramut123 at gmail.com> wrote:

> Rowland,
>
> thanks for the suggestion, but I am not clear on windows part. Could
> you please help me to understand on this?
>
> this want the document says, but how my Ubuntu share works here?
>

Just follow this wiki page, section by section:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

If you do not understand a section, then ask a question about that section before moving on.

Rowland
venkat ramu
2019-Jan-28 10:27 UTC
[Samba] I have issue in configuring file servers with AD integration.
Hi Rowland,

As you suggested, I have added the below in my config file but it is still not working as expected.

I am trying to set up as suggested in "https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs" for Windows, "Granting the SeDiskOperatorPrivilege Privilege", but am getting the error "Failed to grant privileges for sbx\Domain Admins (NT_STATUS_NO_SUCH_PRIVILEGE)".

I could not see "SeDiskOperatorPrivilege" in BUILTIN\Administrators when I run the command:

    net rpc -I xxx.xxx.xxx.xxxx rights list accounts -U Administrator

Could you please let me know where I am making a mistake?

    [inherit]
    path = /srv/samba/test/inherit
    valid users = "SBX\Inherit-Group"
    invalid users = "SBX\Test-Group"
    read only = No

    [inherit1]
    comment = inherit1
    path = /srv/samba/test/inherit1
    valid users = "SBX\Inherit-Group"
    read only = No

Thanks,
Venkat