# Re: [Samba] File/dir user permissions on Samba fileserver in DC

• Date: Mon, 13 Mar 2017 09:59:39 +0000
• From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
• Subject: Re: [Samba] File/dir user permissions on Samba fileserver in DC

On Mon, 13 Mar 2017 12:01:28 +0300
it@xxxxxxxxx wrote:

> Thank you for pointing me to errors. I've corrected'em (I think), so
> smb.conf now looks like:
>

Can I ask if you are having problems following the Samba wiki ?
You still do not seem to have set up the smb.conf correctly, if you are
having problems following the wiki, please say so and if possible give
examples. Without feedback, we do not know of any problem areas.

Having got that out of the way, I have gone through your smb.conf and
corrected it by removing default lines. I have also added some comments:

[global]
workgroup = WG
realm = WG.LOCAL

#netbios name = FSRV # see [1] below

log level = 0 vfs:1

#idmap config MDS:backend = ad # see [2] below

idmap config * : backend = tdb
idmap config *:range = 2000-9999
idmap config WG : backend = ad
idmap config WG : range = 10000-999999
idmap config WG : schema_mode = rfc2307 # see [3] below

winbind nss info = rfc2307
winbind use default domain = yes
winbind enum users = yes # see [4] below
winbind enum groups = yes # see [4] below
winbind refresh tickets = yes

max log size = 1000
syslog = 1

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
#unix password sync = yes # NO, no a thousand times NO, see [5] below

show add printer wizard = no
disable spoolss = yes
printcap name = /dev/null

hide unreadable = yes # see [6]
log writeable files on exit = yes
deadtime = 600 # see [7]
ea support = yes # see [8]
#socket options = TCP_NODELAY IPTOS_LOWDELAY # see [9]

#======================= Share Definitions =======================
[q] # see [10]
comment = File share
path = /somepath
strict sync = yes
sync always = yes

inherit permissions = Yes
inherit owner = Yes

veto files = /.snap/quota*/*.vmx/autorun.inf/

access based share enum = yes

===

[1] this is not strictly required, provided hostname resolution is
set up correctly and if it isn't, you need to fix this, not Samba

[2] you have set workgroup to 'WG'

[3] this could also be 'template'

[4] you should only set these for testing purposes

[5] You are using AD and with this, all your users must be stored in
AD, you cannot also store them in /etc/passwd i.e., you cannot have
the user 'fred' in AD and /etc/passwd. The same goes for groups.

[6] Do you really want to do this ? See 'man smb.conf'

[7] 10 hours ?

[8] I have never needed this

[9] You shouldn't set these any more, just rely on the kernel

[10] You will probably be better off using POSIX acls and setting access
rights from Windows

You are using the winbind 'ad' backend, have you given your users a
unique uidNumber attribute and also given Domain Users a gidNumber
attribute ? If you haven't and want to use the 'ad' backend, you will
need to do so.
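The points Rowland raises about the idmap section (a `*` default backend with its own range, an `ad` backend for the workgroup with a non-overlapping range, `winbind enum` only for testing, never `unix password sync` with AD) can be checked mechanically before the config is loaded. The following is an added example, written for this archive page and not part of the post or of Samba; it is an offline lint of the `[global]` section. The embedded `SAMPLE_SMB_CONF` is a constructed copy of the corrected config above with the `# see [n]` footnote markers removed, and the function names (`parse_global`, `idmap_settings`, `lint`) are the example's own. The uidNumber/gidNumber requirement for the `ad` backend cannot be verified from the file alone, so the lint only reports it as something to confirm in AD.

```python
"""Offline lint for the idmap/winbind settings of a Samba AD member smb.conf.

Added example for this page; not code from the mailing-list post or from Samba.
"""
import itertools
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the corrected [global] section from the post above,
# with the "# see [n]" footnote markers removed. Not a live configuration.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WG
realm = WG.LOCAL
log level = 0 vfs:1
idmap config * : backend = tdb
idmap config *:range = 2000-9999
idmap config WG : backend = ad
idmap config WG : range = 10000-999999
idmap config WG : schema_mode = rfc2307
winbind nss info = rfc2307
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
"""

YES = {"yes", "true", "1"}
# Matches a normalised parameter name such as "idmap config wg : range".
IDMAP_RE = re.compile(r"^idmap config\s*([^:\s]+)\s*:\s*(\w+)$")


def parse_global(text: str) -> Dict[str, str]:
    """Return [global] parameters as {normalised name: value}."""
    params: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        # Drop trailing '#'/';' text so the post's annotated form also parses.
        # (Samba itself only treats whole-line '#'/';' as comments.)
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[" ".join(name.lower().split())] = value.strip()
    return params


def idmap_settings(params: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config DOMAIN : key' parameters as {DOMAIN: {key: value}}."""
    per_domain: Dict[str, Dict[str, str]] = {}
    for name, value in params.items():
        m = IDMAP_RE.match(name)
        if m:
            per_domain.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    return per_domain


def parse_range(text: str) -> Optional[Tuple[int, int]]:
    """Parse 'LOW-HIGH'; return None if malformed or LOW >= HIGH."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", text)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo < hi else None


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for an AD member smb.conf."""
    params = parse_global(text)
    findings: List[Tuple[str, str]] = []
    workgroup = params.get("workgroup", "").upper()
    if not workgroup:
        findings.append(("error", "workgroup is not set"))
    idmap = idmap_settings(params)
    if "*" not in idmap:
        findings.append(("error", "no 'idmap config *' default backend/range"))
    if workgroup and workgroup not in idmap:
        findings.append(("error", f"no 'idmap config {workgroup}' backend/range"))
    ranges: List[Tuple[str, Tuple[int, int]]] = []
    for domain, cfg in idmap.items():
        backend = cfg.get("backend", "").lower()
        rng = parse_range(cfg.get("range", ""))
        if rng is None:
            findings.append(("error", f"idmap config {domain}: missing or invalid range"))
        else:
            ranges.append((domain, rng))
        if domain == "*" and backend != "tdb":
            findings.append(("error", "idmap config *: backend should be tdb"))
        if domain == workgroup and backend == "ad":
            findings.append(("info", f"idmap config {domain}: 'ad' backend needs a unique "
                                     "uidNumber per user and a gidNumber on Domain Users "
                                     "in AD (check with the directory, not this file)"))
    # Every idmap range must be disjoint from every other one.
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in itertools.combinations(ranges, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append(("error", f"idmap ranges for {d1} and {d2} overlap"))
    for name in ("winbind enum users", "winbind enum groups"):
        if params.get(name, "no").lower() in YES:
            findings.append(("warning", f"{name} = yes is for testing only"))
    if params.get("unix password sync", "no").lower() in YES:
        findings.append(("error", "unix password sync must not be used with AD users"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(SAMPLE_SMB_CONF):
        print(f"{severity:8} {message}")
```

Run against the sample it reports no errors, two warnings for the `winbind enum` lines and the uidNumber/gidNumber reminder; shifting the WG range down into the `*` range, or adding `unix password sync = yes`, turns those into errors.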