Samba file sharing permission with Samba AD - problem

sankar's picture

Hi,

This is my first time here. My question wouldn't be a bug. Here is my objective and scope. I have used your two different role ISO files and installed them.

Samba AD - domain controller.

Samba FileServer - File sharing (member server of Samba AD)

I have connected the Fileserver as a member of AD successfully, but I am unable to use the Samba AD user objects in the fileserver to set permissions (ACLs) for folder sharing. I have tried to set permissions on the fileserver shares through Windows, but it failed. There are some enumeration-specific errors.

root@fileserver ~# chown "LINUXAD\Domain Users" /srv/storage/
chown: invalid user: 'LINUXAD\\Domain Users'

root@fileserver ~# net rpc rights list privileges SeDiskOperatorPrivilege
Enter root's password:
SeDiskOperatorPrivilege:
  BUILTIN\Administrators
root@fileserver ~# net rpc rights grant 'LINUXAD\Domain Admins' SeDiskOperatorPrivilege -U 'LINUXAD\administrator'
Enter LINUXAD\administrator's password:
Could not connect to server 127.0.0.1 (this is still verify the local fileserver)
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

I have mapped the root user to the domain administrator in the user.map file, but it didn't work.

root@fileserver ~# net rpc rights grant 'LINUXAD\Domain Admins' SeDiskOperatorPrivilege
Enter root's password:
Failed to grant privileges for LINUXAD\Domain Admins (NT_STATUS_NO_SUCH_USER)

I have added the domain name "dc1.linuxad.org" in the hosts file, but it didn't work.

I added winbind to nsswitch.conf as per the Samba guide, but it didn't work.

I just tried some tools like wbinfo (winbind tool) and kinit to trace the problem, but these tools are not installed. How do I install them? I didn't find much help documentation for this in TurnKey Linux.

My further analysis:

root@fileserver ~# getent group "LINUXAD\\Domain Users"
root@fileserver ~# getent group "LINUXAD\\administrator"

But I didn't get any output from the above two commands. I have followed these two links to make sure of all the settings.

There is no smb log generated to trace back the specific reason.

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

I have enclosed the two servers' smb configurations. TurnKey GNU/Linux 14.2 / Debian 8.8 Jessie version.

I specifically chose this TurnKey distro because it comes with a specific role and can be installed easily, but I don't know whether this fileserver distro can be set up and used with domain credentials or not.

If it works, I will try to use it; otherwise I have to use the normal Linux packages to install a Samba file server.

If anyone has an idea how to achieve this..

Regards

Sankar

Jeremy Davis's picture

As you probably noticed, despite the fact that both of our Samba appliances (Fileserver and Domain Controller) use the same version of Samba, they have very different config. That is because they are indeed quite different products. We do hope to streamline that for the next release, but no promises for now.

Currently the Fileserver is more aimed at a SOHO type scenario. Even though it runs Samba4, it actually still uses more of a Samba3 (i.e. Windows NT) style domain configuration. That works really well with ad hoc type networks (i.e. without a Windows domain). Whereas the Domain Controller uses the new Samba4 type config. That allows it to host an Active Directory domain. So really neither of these configs is going to suit you OOTB.

Unfortunately, I'm not super familiar with Samba, nor AD itself. But TurnKey is based on Debian, so any Debian instructions should work. Including the official Samba docs. I recall that another user had a similar issue and started with the DC appliance and reconfigured it completely to provide a domain member with fileserver capabilities. So I suggest that you start with the DC app and follow the instructions on the Samba docs.

Please note that use of ACLs requires that the ACL kernel module is loaded and that you are running your server using a filesystem that is compatible with ACLs. The default ext4 filesystem which we use should work fine and the DC appliance should already have it configured to work. However, in some environments it may not work properly, e.g. as an LXC or Docker container.

Sorry that I can't be more specific, but hopefully that helps head you in the right direction.
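An added example, not part of the thread and not TurnKey's or Samba's own code: a static check that tells an NT-style smb.conf apart from a domain-member one and confirms winbind is wired into nsswitch.conf. The parameter names (`security = ads`, `realm`, `idmap config * : backend`) are the ones used on the Samba wiki pages linked above; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Print the (lower-cased) value of a [global] parameter in an smb.conf-style file.
smb_global() {  # $1 = file, $2 = parameter name in lower case
    awk -F= -v want="$2" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && !/^[ \t]*[#;]/ {
            key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == want) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val); print tolower(val); exit
            }
        }' "$1"
}

# Print one line per missing domain-member prerequisite; return the count.
check_member() {  # $1 = smb.conf, $2 = nsswitch.conf
    n=0
    [ "$(smb_global "$1" security)" = "ads" ] ||
        { echo "smb.conf: security is not 'ads'"; n=$((n+1)); }
    [ -n "$(smb_global "$1" realm)" ] ||
        { echo "smb.conf: realm is not set"; n=$((n+1)); }
    [ -n "$(smb_global "$1" 'idmap config * : backend')" ] ||
        { echo "smb.conf: no default idmap backend"; n=$((n+1)); }
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|\$)" "$2" ||
            { echo "nsswitch.conf: $db lacks winbind"; n=$((n+1)); }
    done
    return "$n"
}

# Constructed sample inputs (not the poster's real files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '[global]\n  workgroup = LINUXAD\n  security = user\n' > "$tmp/nt-style.conf"
cat > "$tmp/member.conf" <<'EOF'
[global]
    workgroup = LINUXAD
    realm = LINUXAD.ORG
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
EOF
printf 'passwd: compat\ngroup: compat winbind\n' > "$tmp/nsswitch.bad"
printf 'passwd: compat winbind\ngroup: compat winbind\n' > "$tmp/nsswitch.ok"

check_member "$tmp/nt-style.conf" "$tmp/nsswitch.bad" || echo "findings: $?"
check_member "$tmp/member.conf" "$tmp/nsswitch.ok" && echo "member config looks complete"
```

On a real member server the arguments would be `/etc/samba/smb.conf` and `/etc/nsswitch.conf`; a clean result only shows the files are consistent, so `getent group` against a domain group remains the actual test that winbind resolves AD objects.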
