Web lists-archives.com

Re: [Samba] Fw: AD usres are not show in Domain Controller when apply setfacl command




On Wed, 28 Nov 2018 08:36:47 +0000 (UTC)
barani tharan via samba <samba@xxxxxxxxxxxxxxx> wrote:

>  
> Dear Team I show below my problem when try to apply setfacl to share
> directory in domain controller
> 
> 
> My Problem is:
> I have one Samba AD [4.1] it work fine. I create common share folder

Samba 4.1.x is EOL, you really should upgrade.

> in domain controller when try to apply ACL permission it show the
> following message [root@sambadc ~]# setfacl -m
> "u:RISHI\Administrator:rwx" /ADD_Drive/Samplesetfacl: Option -m:
> Invalid argument near character 3 After that i try to find usres id 
> 
> [root@sambadc ~]# id RISHI\\administrator
> id: RISHI\administrator: no such user
> But when i try the below command it shows the users
> [root@sambadc ~]# samba-tool user list
> 
> AvijitGhosh
> RanjitRaman
> TeernaChatterjee
> AnkitJaiswal
> Priyaranjan
> DeepJoy
> NirajKishorSingh
> RajKumarMaurya
> Test
> HimanshuSinghi
> SoumyaKanjilal
> AshishJaiswal
> PoushaliSengupta
> BanditaRoy
> RohitAgarwal
> TuhinSaha
> Subramaniam

'samba-tool user list' works in the same way as 'wbinfo -u', it goes
direct to AD.
If getent doesn't work, it is usually because the libnss-winbind links
are not set up, see here:

https://wiki.samba.org/index.php/Libnss_winbind_Links

> 
> My Samba file smb.conf
> 
> [root@sambadc ~]# vi /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
>         workgroup = RISHI
>         realm = RISHI.COM
>         netbios name = SAMBADC
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbind, ntp_signd, kcc, dnsupdate idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/rishi.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
> 
> [Rishinox]
>         path = /ADD_Drive/Rishinox_Share
>         read only = no

Make the share look like the above and then read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

You must use Windows ACLs on a share on a DC.

 
> At Same time try ACL permission in Domain member server it can be
> apply and show the user Id
> 
> [root@backupserver ~]# id RISHI\\administrator
> uid=16777216(administrator) gid=16777220(domain users)
> groups=16777220(domain users),16777221(group policy creator
> owners),16777222(denied rodc password replication
> group),16777223(enterprise admins),16777224(schema
> admins),16777225(domain
> admins),16777217(BUILTIN\users),16777216(BUILTIN\administrators)
> 

It looks like you are using sssd, if so, can I suggest you use winbind
instead, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba