
Re: [Samba] sys_setgroups failed on Solaris 11




On Thu, 7 Jun 2018 15:21:22 -0400 (EDT)
Teddy Brown <tbrown@xxxxxxxxxxxxxx> wrote:

> Thanks for the feedback. This is not a testing environment. We
> deployed the Samba AD environment for our office PCs about one year
> ago. I am now trying to get the Samba file sharing into AD. 
> 
> We use our mixed Linux/Unix environment heavily. All permissions and
> ACLs are set in Solaris using NFS4 ACLs on a ZFS filesystem.

Samba uses POSIX ACLs, not NFS4 ACLs, but this shouldn't really be a
problem, as long as you do not run the DC on the ZFS filesystem.
 
> Our users are in active directory but the groups are not.

You need to get the groups into AD.
 
> 
> My understanding is that Winbind lets Linux see the users & group
> membership in AD, is this correct? 

Yes, but depending on where you look from, you may or may not see users
and groups; it all depends on how you set up Samba and libnss_winbind.

> The groups we have in AD are defined for use with GPOs. All file
> permissions are set on the filesystem directly. 

If you moved fully to AD, you could set them from Windows.

> Our current Samba 3.6 file server seems to map my user "Samba teddy"
> == "Unix teddy" which is what I'd like for AD.

Doesn't work like that in AD, the AD user 'teddy' is 'teddy' on Windows
and is either 'DOMAIN\teddy' or 'teddy' on Unix (this depends on
whether or not you have 'winbind use default domain = yes' in smb.conf).
You also must not have 'teddy' in /etc/passwd or /etc/group (i.e. you
cannot have local Unix users or private user groups).

> Somehow just use "AD Teddy" = "Unix teddy" and give my Samba account
> the same access to the files that Unix teddy has. 

Correctly set up, you will use the same username everywhere.

Rowland

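The requirement in the reply above, that an AD account name must not also exist in /etc/passwd or /etc/group, can be checked before joining a file server to the domain. The script below is an added example, not part of the original thread or of Samba. The function name `find_collisions`, the `EXAMPLE` domain and the sample accounts are hypothetical, and comparing names case-insensitively is an assumption.

```shell
#!/bin/sh
# Added example: report local account names that also exist in AD.
# On a real member server, build the AD list with wbinfo (ships with Samba):
#   wbinfo -u > ad_names.txt; wbinfo -g >> ad_names.txt
#   find_collisions /etc/passwd /etc/group ad_names.txt

# find_collisions PASSWD_FILE GROUP_FILE AD_NAMES_FILE
# Prints one line per collision, "<passwd|group> <name>", sorted.
find_collisions() {
    awk -F: '
        # First file read: AD names, one per line, optionally "DOMAIN\name".
        FILENAME == ARGV[1] {
            name = $0
            sub(/^.*\\/, "", name)        # drop the DOMAIN\ prefix if present
            sub(/[ \t\r]+$/, "", name)    # drop trailing whitespace
            if (name != "") ad[tolower(name)] = 1
            next
        }
        /^[#+-]/ || $1 == "" { next }     # skip comments and NIS compat lines
        {
            kind = (FILENAME == ARGV[2]) ? "passwd" : "group"
            # Assumption: compare case-insensitively, since AD names are.
            if (tolower($1) in ad) print kind, $1
        }
    ' "$3" "$1" "$2" | sort
}

# Constructed sample data: a local "teddy" user and a local "staff" group
# that shadow AD accounts of the same name.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'teddy:x:1001:100::/home/teddy:/bin/sh' > "$d/passwd"
    printf '%s\n' 'root::0:' 'staff::10:teddy' > "$d/group"
    printf '%s\n' 'EXAMPLE\teddy' 'EXAMPLE\alice' 'EXAMPLE\Staff' \
        'EXAMPLE\Domain Users' > "$d/ad"
    find_collisions "$d/passwd" "$d/group" "$d/ad"
    rm -rf "$d"
}
demo
```

Each name it reports is an account whose identity would be ambiguous between the local files and winbind, so it needs to be removed locally or renamed before file ownership and ACLs are mapped to AD.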