My mistake. Sorry for the rude reply. Hopefully we can do a little more knowledge sharing. Mostly, I’m frustrated because all the guides I have found so far are for samba 3, not samba 4. And much of the reading material I come across (such as the official samba guide) provides extensive descriptions about how impressive the features for samba are. And plenty of description on the configuration file options. But the organization and description for the utilities (such as net groupmap) left me confused.
Which leads me to my latest problem. With my user id mapping now successful, I can see my samba shares. But I don’t have write permission to every folder in the share. First, the details of the setup.
Samba configuration file
[global]
# Domain Controller Options
# ============================================================
workgroup = VAHALLA
realm = VAHALLA.ORG
netbios name = ODEON
wins support = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
encrypt passwords = yes
# Security Options
# ============================================================
hosts allow = 127.0.0.1 192.168.1.0/24
hosts deny = 0.0.0.0/0
security = user
# WinBind Options
# ============================================================
#winbind nss info = rfc2307
#winbind trusted domains only = No
#winbind use default domain = Yes
#winbind enum users = Yes
#winbind enum groups = Yes
# Logon path tells samba where to put Windows roaming profiles
logon path = \\%h\profiles\%u
# logon drive = H:
# Logon home is used to specify home directory and
# Windows 95/98/ME roaming profile location
logon home = \\%h\%u\.win_profiles
# Allow Samba to send correct time to windows
time server = Yes
# Set logging options
log file = /var/log/samba/log.odeon
# Other Global Options
# ===========================================================
hide dot files = Yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/vahalla.org/scripts
# read only = No
writeable = Yes
comment = Logon Scripts
volume = LOGON SCRIPTS
[sysvol]
path = /usr/local/samba/var/locks/sysvol
# read only = No
writeable = Yes
comment = SysAdmin Scripts
volume = SYSADMIN SCRIPTS
[homes]
path = /export/home/%u
# read only = No
writeable = Yes
comment = User Home Directory
volume = USER DIRECTORY
browsable = no
inherit acls = Yes
# valid users = %u
# valid users = VAHALLA\%U
[profiles]
path = /export/win_profiles/
browsable = No
read only = No
profile acls = Yes
create mask = 0600
directory mask = 0700
comment = User Profiles
volume = PROFILES
[Shared]
path = /export/home
read only = No
comment = User Home Directories
volume = HOME DIRECTORIES
browseable = Yes
hide files = /*.ini/
inherit acls = Yes
# valid users = @ntuser
# write list = @ntuser
[Public]
path = /export/home/public
read only = No
comment = Share information
volume = PUBLIC
browseable = Yes
hide files = /*.ini/
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
From the commented out options, you can see I have experimented with a few things. I also set up group mapping. Here are my current group maps.
odeon:/etc/samba # net groupmap list
Domain Guests (S-1-5-21-1480406318-1800422186-3920511979-1004) -> nobody
Domain Users (S-1-5-21-1480406318-1800422186-3920511979-1000) -> ntusers
Domain Admins (S-1-5-21-1480406318-1800422186-3920511979-1003) -> root
The group *ntusers* is an LDAP group that I use on the linux side for network wide permissions of all users. (It’s a home network with 2 users. No need for fine segregation.)
And here is my nsswitch.conf
odeon:/etc # cat nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# compat Use compatibility setup
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#
# passwd: files nis
# shadow: files nis
# group: files nis
passwd: compat sss
group: files sss
hosts: files mdns4_minimal [NOTFOUND=return] dns wins
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis ldap
aliases: files
Now here is the problem: When I examine the shares on the windows side, I can see that the top level folder has the group “Domain Users” with full control permissions, which is what I wanted. But those permissions do not propagate down to any subfolders. All the subfolders and files do not have any permissions entry for “Domain Users”. I know some will tell me that samba only sets permission for the top level folders. But I set the linux permissions so that all subfolders should be readable, if I understand correctly.
Folder permissions of the share [public]
odeon:/export/home/public # l
total 44
drwxrwxr-x+ 7 root ntusers 4096 Jul 24 16:45 ./
drwxr-xr-x+ 6 root root 4096 Jul 23 22:08 ../
drwxrwx--- 12 root ntusers 4096 Jun 15 12:28 Documents/
drwxrwxr-x 187 root ntusers 12288 May 29 06:34 Music/
drwxrwxr-x 16 root ntusers 4096 Apr 21 17:00 Pictures/
drwxrwxr-x 10 root ntusers 4096 Nov 11 2012 System Software/
drwxrwxr-x 3 root ntusers 4096 Mar 18 2012 Videos/
From what I understand, since all folders are owned by group *ntusers*, and the group *Domain Users* maps to ntusers, then any windows user which is a member of Domain Users should have full control over the files in this share. But it is only the root folder that even registers Domain Users as a group.
The one hint I have to this is that when I examine the share permissions on the windows side, there are some unresolved SID account numbers. My permissions look like this:
| Group or Username | Full Control | Modify | Read & Execute | List Contents | Read | Write | Special Permissions |
|---|---|---|---|---|---|---|---|
| Everyone | | | X | X | X | | |
| S-1-22-1-1001 | | | | | | | X |
| S-1-22-2-1000 | | | | | | | X |
| CREATOR OWNER | | | | | | | X |
| CREATOR GROUP | | | | | | | X |
The file is owned by S-1-22-1-1001. The odd part is the SID. I don’t recognize those SID numbers. They aren’t even from the samba domain, because they are completely different at the beginning of the string. My best guess has been that these SIDs relate to the local linux system. All my users on windows (through samba) map to LDAP users on the linux system. I have two LDAP servers running. Samba’s internal AD LDAP runs on ports 389 and 636. Linux LDAP runs on ports 390 and 637. So far they haven’t interfered with each other. But I wonder if windows is somehow reading from the linux LDAP. Or if it is somehow related to the problem that my LDAP users are not local user accounts.
I’ll take any ideas. I’d settle just for an explanation of tools that I can use to track down these mystery SID numbers and do something about them.
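The SIDs in the permissions table above can be decoded offline. This is an added example (not from the original post or from Samba itself) that classifies each ACL entry against the `net groupmap list` output quoted in the post; it relies only on the documented fact that Samba reports POSIX ids with no Windows mapping under the pseudo-domains S-1-22-1-<uid> ("Unix User") and S-1-22-2-<gid> ("Unix Group").

```python
import re

# Well-known SIDs from the ACL table in the post.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-3-0": "CREATOR OWNER",
              "S-1-3-1": "CREATOR GROUP"}
# Samba's pseudo-domains for POSIX ids that have no Windows mapping:
# S-1-22-1-<uid> is "Unix User\<uid>", S-1-22-2-<gid> is "Unix Group\<gid>".
UNIX_USERS, UNIX_GROUPS = "S-1-22-1", "S-1-22-2"
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
GROUPMAP_RE = re.compile(r"^(.+?) \((S-1-[\d-]+)\) -> (\S+)$")

def parse_groupmap(text):
    """Parse `net groupmap list` output into {SID: (windows_name, unix_group)}."""
    mapping = {}
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:
            mapping[m.group(2)] = (m.group(1), m.group(3))
    return mapping

def domain_sid_of(groupmap):
    """The domain SID is any mapped group's SID minus its trailing RID."""
    return next((sid.rpartition("-")[0] for sid in groupmap), None)

def classify_sid(sid, groupmap):
    """Return (kind, label) describing one SID found in an ACL entry."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid}")
    if sid in WELL_KNOWN:
        return ("well-known", WELL_KNOWN[sid])
    prefix, _, rid = sid.rpartition("-")
    if prefix == UNIX_USERS:      # a bare POSIX uid surfaced in the ACL
        return ("unix-user", f"uid {rid}")
    if prefix == UNIX_GROUPS:     # a bare POSIX gid surfaced in the ACL
        return ("unix-group", f"gid {rid}")
    if sid in groupmap:
        name, unix_group = groupmap[sid]
        return ("domain-group", f"{name} -> {unix_group}")
    if prefix == domain_sid_of(groupmap):
        return ("domain-unmapped", f"RID {rid}")
    return ("foreign", prefix)

# Constructed sample input, copied from the post's groupmap and ACL listing.
GROUPMAP_TEXT = """\
Domain Guests (S-1-5-21-1480406318-1800422186-3920511979-1004) -> nobody
Domain Users (S-1-5-21-1480406318-1800422186-3920511979-1000) -> ntusers
Domain Admins (S-1-5-21-1480406318-1800422186-3920511979-1003) -> root
"""
ACL_SIDS = ["S-1-1-0", "S-1-22-1-1001", "S-1-22-2-1000", "S-1-3-0", "S-1-3-1"]
```

Run `classify_sid(sid, parse_groupmap(GROUPMAP_TEXT))` over `ACL_SIDS`: the two unresolved entries decode to POSIX uid 1001 and gid 1000, i.e. the file's Unix owner and group with no mapping to a domain SID, which is why the Windows side cannot resolve them to a name.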