Caponato's Notebook

Do not use a Domain Controller as a file server. Do not set / modify permissions on “SysVol” share of a Domain Controller using this article. See this for more info on SysVol share.

I'm sure you know the difference but:

• Shares are created at a server level and defined in smb.conf. Permissions and security are defined using 'Computer Management' in Windows. If you plan to use a share for one purpose only (for one set of groups / users), you can assign all security at share level using 'Computer Management'.

• A folder is a directory created inside a share, usually from the file explorer in Windows. If you require different folders within a share to serve different purposes (different folders for different users / groups) you can allow 'Domain Users' “modify” permission in the security tab of the share (using 'Computer Management'), and fine tune all other permissions in the different folders (Using Windows Explorer).

1.- You have your AD infrastructure, and a member server (joined to the AD) with shares declared in smb.conf file as per this article.

2.- You have a Windows workstation joined to the domain.

3.-You have RSAT tools installed in this Windows workstation.

1.- Login using an administrator account (any member of Domain Admins group), and open Computer Management.

2.- Right click in 'Computer Management (local)' and connect to another computer. User your server's name (in our example FS1), click OK.

3.- Click Systems Tools. Because the Samba server is not a purebred Windows machine, you will get an error, just click OK:

4.- Open System Tools, Shared folders, Shares. Right click your share (in our example, /data/users and /data/shares), right click, properties and select “Share Permissions”. Make sure “Everyone” has full control (seDiskOperatorPrivilege privilege granted is needed to interact with this tab if you are not using an admin account).

5.- Select now Security. Have “Domain Admins” (“Unix Admins” if you are using the 'ad' idmap backend) have “Full Control” and “Domain Users” (or the group you require) have “Modify” or anything more restrictive you see fit.

If you plan to set permissions at a folder level in this share, you can configure “Domain Users” to have only “List Folder Content” permission, this will allow users enter the share, see available folders and then access them based on each folder's security setting.

1.-Configure security on a per folder basis: Close all windows. Open a explorer window, and go to your server using your server's name, in our example: \\server

2.-Double click on your Share's name you want to create folders in and create your folder, in this example I will create the “Software” folder.

3.-Right click properties, and select “Security” tab. Add your groups and / or users you want to have access to. I recommend using groups, and adding or removing users to that group in order to gain access. The “software-share” group has “Modify” access to the folder. (Remember to assign a gidNumber to this group if you are using the 'ad' idmap backend in this server)

4.-We have configure samba (in smb.conf) to inherit permissions (folders inherit permissions from parents), so sometimes you may need to disable inheritance. If you do, click on Advance, and then “Disable Inheritance”

5.- In the next window, click in “Convert inherited permissions into explicit permissions” and save. If you don't you may loose access to the share.

6.- Fine tune permissions after you have disabled inheritance. Save all and close.

Caponato's Samba notebook. Start here or else Main menu