Hi,

I have a small server with CentOS 7 and Samba 4.8.3.

I have done the domain provision and joined some Windows 10 PCs, and I'm happy.

I prefer to manage it from RSAT and I created a lot of policies, and all seems fine!

The main problem is how to set ACLs on user folders. I'm unable to set share permissions from Windows on the Samba users share; when I apply changes I receive an error like permission denied.

I edited PAM to allow domain users to log on locally, but I don't know how I can give root privileges to the Domain Admins user. I tried a lot of configurations by visudo and no reply. I think I'm unable to set permissions because the user logged on to Windows has the Domain Admins group but does not have root privileges on Linux, so it can't change the Samba config, I think.

Sorry for my bad English, any help will be appreciated.

On Thu, 7 Mar 2019 10:50:49 +0100
Marco Gemignani via samba <samba at lists.samba.org> wrote:

> Hi,
>
> i have a small server with centos 7 samba 4.8.3
>
> done domain provision, joined some windows 10 PCs and i'm happy

What Samba packages are you using? You cannot provision a Samba DC
with the standard Centos packages.

> i prefer manage it from RSAT and i created a lot of policy, and all
> seem fine!
>
> main problem is how to set ACL on User folders, i'm unable to set
> share permissions from Windows on samba users share, when apply
> changes i receive an error like permission denied.
>
> edited pam allowing domain user logon locally but i not know how i
> can give root privileges on Domain Admins user, i try a lot of
> configurations by visudo and no reply, i think i'm unable to set
> permission because the user logged on windows have Domain Admins
> group but it not have root privileges on linux so can't change samba
> config, i think

Have you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland

On Thu, 7 Mar 2019 11:54:04 +0100
Marco Gemignani <marko.gem at inwind.it> wrote:

> On 07/03/2019 11:34, Rowland Penny via samba wrote:
> > On Thu, 7 Mar 2019 10:50:49 +0100
> > Marco Gemignani via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> i have a small server with centos 7 samba 4.8.3
> >>
> >> done domain provision, joined some windows 10 PCs and i'm happy
> > What Samba packages are you using ? you cannot provision a Samba DC
> > with the standard Centos packages.
>
> https://download.samba.org/pub/samba/stable/samba-4.8.3.tar.gz
>
> compiled and installed
>
> ./configure \
>     --prefix=/usr \
>     --localstatedir=/var \
>     --with-configdir=/etc/samba \
>     --libdir=/usr/lib64 \
>     --with-modulesdir=/usr/lib64/samba \
>     --with-pammodulesdir=/lib64/security \
>     --with-lockdir=/var/lib/samba \
>     --with-logfilebase=/var/log/samba \
>     --with-piddir=/run/samba \
>     --with-privatedir=/etc/samba \
>     --enable-cups \
>     --with-acl-support \
>     --with-ads \
>     --with-automount \
>     --enable-fhs \
>     --with-pam \
>     --with-quotas \
>     --with-shared-modules=idmap_rid,idmap_ad,idmap_hash,idmap_adex \
>     --with-syslog \
>     --with-utmp \
>     --with-dnsupdate

Okay, that should work.

> > Have you read this:
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

But have you read the above wikipage?

Rowland

On Thu, 7 Mar 2019 12:48:03 +0100
Marco Gemignani <marko.gem at inwind.it> wrote:

> Yes all seem working
>
> but i'm unable to set Share permissions from Windows, i have to set
> share ACLs, but i'm unable to do it (Error: unable to write changes)

Can you please post your smb.conf?

Rowland

Please see inline comments:

On Thu, 7 Mar 2019 15:04:18 +0100
Marco Gemignani <marko.gem at inwind.it> wrote:

> as default
>
> # Global parameters
> [global]
>     dns forwarder = 192.168.0.1
>     netbios name = ZEUS2
>     realm = TECNOGMREALM
>     server role = active directory domain controller
>     workgroup = TECNOGM
>     template shell = /bin/bash
>     template homedir = /home/%D/%U
>
> [users]
>     path = /home/%D/
>     read only = no
>     create mask = 0600
>     directory mask = 0700

Remove the two lines above, they should not be used on a DC

> [netlogon]
>     path = /var/lib/samba/sysvol/tecnogmrealm/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> then edited /etc/pam.d/password-auth and added;
>
> auth sufficient pam_winbind.so use_first_pass
>
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
>
> password sufficient pam_winbind.so use_authtok
>
> edited vi /etc/nsswitch.conf and added winbind to passwd and group

Have you read these wiki pages:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server
https://wiki.samba.org/index.php/Libnss_winbind_Links
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Particularly the middle one.

Rowland

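Added example (not part of the thread and not Samba project code): a small Python check for the point in the reply above, that "create mask" and "directory mask" should not be set on a DC's shares. The parser is a simplification of smb.conf syntax, and the function names are made up for this example.

```python
import re

# Masks the reply says to remove on a DC, with their smb.conf synonyms.
MASK_PARAMS = {"createmask", "createmode", "directorymask", "directorymode"}
DC_ROLE = "active directory domain controller"  # value used in the posted config

def norm(name):
    """smb.conf ignores case and whitespace inside parameter names."""
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}}; line continuations not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][norm(key)] = value.strip()
    return sections

def mask_findings(text):
    """List (share, param, value) for mask settings on shares of an AD DC."""
    conf = parse_smb_conf(text)
    role = " ".join(conf.get("global", {}).get("serverrole", "").lower().split())
    if role != DC_ROLE:
        return []
    return [(share, param, value)
            for share, params in conf.items() if share != "global"
            for param, value in params.items() if param in MASK_PARAMS]

# The [global] role line and [users] share as posted in the thread.
SAMPLE = """
[global]
    server role = active directory domain controller
[users]
    path = /home/%D/
    read only = no
    create mask = 0600
    directory mask = 0700
"""

if __name__ == "__main__":
    print(mask_findings(SAMPLE))
```

Run against the posted configuration it reports both lines in [users]; once they are removed, or on a server that is not a DC, it reports nothing.
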
On 3/7/19 5:50 AM, Marco Gemignani via samba wrote:
> Hi,
>
> i have a small server with centos 7 samba 4.8.3
>
> done domain provision, joined some windows 10 PCs and i'm happy
>
> i prefer manage it from RSAT and i created a lot of policy, and all seem
> fine!
>
> main problem is how to set ACL on User folders, i'm unable to set share
> permissions from Windows on samba users share, when apply changes i
> receive an error like permission denied.
>
> edited pam allowing domain user logon locally but i not know how i can
> give root privileges on Domain Admins user, i try a lot of
> configurations by visudo and no reply, i think i'm unable to set
> permission because the user logged on windows have Domain Admins group
> but it not have root privileges on linux so can't change samba config, i
> think

I think you need to grant SeDiskOperatorPrivilege. The Wiki has an
explanation of that when setting up shares with Windows ACLs

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege

> sorry for my bad english, any help will be appreciated