Mike
2020-Jul-11  17:18 UTC
[Samba] make other domain controller shares available to windows clients.
CentOS 8 Samba Version 4.12.5 compiled from source configured as DC
and joined to domain SAMDOM.EXAMPLE.COM.
smb.conf --
# Global parameters
[global]
        netbios name = B10
        realm = SAMDOM.EXAMPLE.COM
        server role = active directory domain controller
        workgroup = SAMDOM
        interfaces = lo,enp15s0
        bind interfaces only = Yes
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes
        dns proxy = yes
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/samdom.example.com/scripts
        read only = No
############# Share Definitions ############################
[hello]
        path = /mnt/hello
        read only = no
*********************************************************
Windows clients can browse and access the file share on AD DC host "A10",
but they cannot access host "B10" file share "hello" by entering
\\b10\hello in Windows Explorer.
I did the following on B10 in an attempt to set ACLs the same way I
do on the primary AD DC host A10 --
setfacl -R -m g:users:rwx /mnt/hello
getfacl /mnt/hello reports --
getfacl: Removing leading '/' from absolute path names
# file: mnt/hello
# owner: root
# group: root
user::rwx
group::r-x
group:users:rwx
mask::rwx
other::r-x
Still no go -- windows clients cannot access \\b10\hello
Rowland penny
2020-Jul-11  17:41 UTC
[Samba] make other domain controller shares available to windows clients.
On 11/07/2020 18:18, Mike via samba wrote:
> CentOS 8 Samba Version 4.12.5 compiled from source configured as DC
> and joined to domain SAMDOM.EXAMPLE.COM.
>
> smb.conf --
> # Global parameters
> [global]
> netbios name = B10
> realm = SAMDOM.EXAMPLE.COM
> server role = active directory domain controller
> workgroup = SAMDOM
> interfaces = lo,enp15s0
> bind interfaces only = Yes
> dns forwarder = 8.8.8.8
> idmap_ldb:use rfc2307 = yes
> dns proxy = yes
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/samdom.example.com/scripts
> read only = No
>
> ############# Share Definitions ############################
>
> [hello]
> path = /mnt/hello
> read only = no
> *********************************************************
>
> Windows clients can browse and access file share on AD DC host "A10"
> but when they cannot access host "B10" file share "hello" by entering
> \\b10\hello in windows explorer.
>
> I did the following on B10 in an attempt to set acl's the same way I
> do on the primary AD DC host A10 --
> setfacl -R -m g:users:rwx /mnt/hello
>
> getfacl /mnt/hello reports --
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/hello
> # owner: root
> # group: root
> user::rwx
> group::r-x
> group:users:rwx
> mask::rwx
> other::r-x
>
> Still no go -- windows clients cannot access \\b10\hello

Hi, did you miss the bits about it not being recommended to use a DC as a fileserver and that you must set the ACLs from Windows? Also, you are using the wrong group, it should be Domain Users.

Rowland
Mike
2020-Jul-11  19:00 UTC
[Samba] make other domain controller shares available to windows clients.
On Sat, Jul 11, 2020 at 1:41 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> Hi, did you miss the bits about it not being recommended to use a DC as a
> fileserver

Yes, this I was aware of. Limited budget and resources made it necessary to configure the Samba AD DC with file shares too.

> and that you must set the ACLs from Windows.

This I was not aware of --- I've been using setfacl for the last 5 years and never installed RSAT. I use samba-tool on the command line to create/modify domain user accounts. I've used the following example command to make sure shares are readable/writable for users:

setfacl -R -m g:users:rwx /mnt/data

I thought choosing samba-tool or RSAT was down to sysadmin choice. I'll try to find this in the wiki.

> Also, you are using the wrong group, it should be Domain Users.

Makes sense, I just cannot figure out why (setfacl -R -m g:users:rwx /mnt/data) has always worked for setting AD ACLs readable/writable for all domain accounts. At any rate, it would appear I need to move to RSAT. And, it appears I need to make a choice about the spare box I have inherited: deploy it as a backup AD DC or deploy it as a domain member providing file shares. Thanks for your guidance.
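To make Rowland's point about the group concrete, here is an added POSIX sh check (not from the thread and not Samba's own tooling) that parses getfacl listings shaped like the one Mike posted and reports whether rwx goes to the AD group Domain Users rather than the local Unix group "users"; both listings are constructed, and the SAMDOM\ prefix is an assumption about how winbind names AD groups on this DC (it drops to plain "domain users" when winbind use default domain = yes).

```shell
#!/bin/sh
# Added example: inspect a getfacl listing for a share path and tell whether
# rwx is granted to the AD group "Domain Users" (as winbind presents it,
# "SAMDOM\domain users" or "domain users") or only to the local group "users".

# Constructed listing in the shape of the getfacl output from the thread.
BEFORE_ACL='# file: mnt/hello
# owner: root
# group: root
user::rwx
group::r-x
group:users:rwx
mask::rwx
other::r-x'

# Constructed listing after granting rwx to the AD group instead (assumed name).
AFTER_ACL='# file: mnt/hello
# owner: root
# group: root
user::rwx
group::r-x
group:SAMDOM\domain users:rwx
mask::rwx
other::r-x'

# Print the names of all named-group entries (group:NAME:PERMS) read on stdin.
named_groups() {
    awk -F: '$1 == "group" && $2 != "" { print $2 }'
}

# Exit 0 when the listing on stdin grants rwx to Domain Users, 1 otherwise.
# The mask:: entry caps the effective rights of named entries, so a mask
# narrower than rwx makes the check fail even if the group entry says rwx.
domain_users_has_rwx() {
    awk -F: '
        $1 == "group" && tolower($2) ~ /(^|\\)domain users$/ && $3 == "rwx" { found = 1 }
        $1 == "mask" { mask = $3 }
        END { if (found && (mask == "" || mask == "rwx")) exit 0; exit 1 }
    '
}

# Usage: report on both constructed listings.
for listing in "$BEFORE_ACL" "$AFTER_ACL"; do
    printf 'named groups: %s\n' "$(printf '%s\n' "$listing" | named_groups | tr '\n' ' ')"
    if printf '%s\n' "$listing" | domain_users_has_rwx; then
        echo "  Domain Users has effective rwx"
    else
        echo "  Domain Users does NOT have rwx (a local Unix group is not the AD group)"
    fi
done
```

This only inspects an existing listing; as Rowland advises, the share ACL itself is still set from Windows.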