On 16/10/2019 15:11, Stephen Atkins wrote:
> On 16/10/2019 1:05 a.m., Rowland penny via samba wrote:
>> On 15/10/2019 22:56, Stephen Atkins via samba wrote:
>>> Hello. I've got my AD DC working and I can login with various user
>>> accounts and domain admin accounts. I've got the home directory
>>> being created when I create the user profile. Only problem is that
>>> it creates it with a group of "domain users" with permissions of
>>> rwxrwx---. I would like the default group to be "domain admins" for
>>> every created home dir. Is this possible? If not I can manually
>>> change this afterwards but it would be nice not to.
>>>
>>> Thanks.
>>
>> Probably not, mainly because all AD users get 'Domain Users' as their
>> default group. There are ways around this, but not on a DC (which
>> isn't recommended as a fileserver).
>>
>> Can you post your smb.conf.
>
> This is my smb.conf for my fileserver which is not my DC.
>
> [global]
>         workgroup = AD
>         realm = AD.MYCOMPANY.COM
>         netbios name = fileserver
>         security = ADS
>         dns forwarder = 192.168.1.3
You do not set a forwarder on a Unix domain member.
>
>         idmap config * : backend = tdb
>         idmap config *:range = 10000-50000
One of two things here, you either haven't set up 'idmap config'
correctly or you are using sssd, if the latter, stop using it. Either
way read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
and one of these:
https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Idmap_config_rid
>
>         template homedir = /home/%D/%U
>         template shell = /bin/bash
>         winbind use default domain = true
>         winbind offline logon = false
>         winbind nss info = rfc2307
>         winbind enum users = yes
>         winbind enum groups = yes
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>
> [shared]
>         path = /mnt/usershares
>         read only = no
>
> [users]
>         path = /home/AD
>         read only = no
>
> This is my smb.conf for my AD DC
>
> # Global parameters
> [global]
>         netbios name = DC1
>         realm = AD.MYCOMPANY.COM
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbi$
>         workgroup = AD
> #       idmap config AD: unix_nss_info = yes
>         idmap_ldb:use rfc2307 = yes
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
Remove the last three lines above, they have no place on a Samba AD DC.
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ad.mdwainwright.ca/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
Rowland
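Added illustration (not part of the thread above, and not text from Rowland or the Samba project) of what the domain member's [global] section looks like once the advice above is applied: the DC-only 'dns forwarder' line dropped, and 'idmap config' completed with a separate, non-overlapping range for the AD domain using the rid backend from the second wiki page. The two ranges and the choice of rid over ad are assumptions; any non-overlapping ranges work, and the ad backend would instead need rfc2307 attributes populated in AD.

```ini
[global]
        workgroup = AD
        realm = AD.MYCOMPANY.COM
        netbios name = fileserver
        security = ADS

        ; 'dns forwarder' removed: it is only meaningful on a Samba AD DC.

        ; Default (*) domain: holds BUILTIN and other well-known SIDs.
        ; This range must not overlap the range of any named domain.
        ; Range values below are assumed, not taken from the thread.
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        ; The AD domain itself, mapped deterministically from the RID.
        ; No attributes need to be added to AD for this backend.
        idmap config AD : backend = rid
        idmap config AD : range = 10000-999999

        ; With the rid backend the home directory and shell come from
        ; these templates, so 'winbind nss info = rfc2307' is not needed.
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind enum users = yes
        winbind enum groups = yes

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
```

Changing the idmap backend or range on a member that already has users on disk changes the UIDs/GIDs those users map to, so file ownership on existing shares needs to be checked before the switch is made in production.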