Dear friends,
I did adding and my Centos 6.2 to windows 2008 domain and shared a
directory with samba.
Here are the steps I did,
1. Joined my Centos 6.2 with *ext4* file system into our windows 2008
domain using winbind.
2. modified fstab to set acl to the directory which has to be shared
3. Shared that directory via samba with domain with acl options in smb.conf
file
4. Set domain administrator as the owner and domain users are the group.
5. From windows I can able to set permissions.
But the problem I am facing is when I set *write* permission for a user. It
automatically applies the *delete* and *modify* permission for the sub
folders and files.But in our environment, we have to give some users *only
write permission but not delete, modify or rename* including any of the sub
folders and files. For some users* only read* permission, For some users *full
permission but they are not administrators*. Like wise only delete. Please
share your points.
On Wed, Mar 14, 2012 at 2:24 AM, Raja Subramanian <rajasuperman at
gmail.com>wrote:
Sorry... I replied prematurely in my earlier post. Please ignore earlier
one.
Here is the completed response.
On Wed, Mar 14, 2012 at 2:02 AM, Raja Subramanian
<rajasuperman at gmail.com> wrote:
On Tue, Mar 13, 2012 at 5:26 PM, rapghere rap <rapghere at gmail.com>wrote:
onAnyone, could you please explain in detail.
Here are some high level steps. You'll need to consult relevant
documentation along the way.
I have an ubuntu 10.04.2 desktop joined into my windows domain running
Windows 2008 R2 AD server using pbisopen6.5 (formerly likewise open).
Run Samba on your desktop. Configure it to join W2k8 R2 domain. Consult
Samba docs for how you can add your samba server to an existing AD domain.
You'll need to use "security = ADS" in your [global] smb.conf section and
also need domain administrator credentials for one time addition.
Once the Samba server is added in AD, new AD Computer object will be
created. This is exactly like adding any Windows desktop/server to AD.
You then need to ensure extended ACLs are enabled for the file system
which contains /ubshare. Use the "acl" option in fstab. Eg.
/dev/sda2 /ubshare ext3 defaults,rw,acl 1 1
Recommended you install e2fsprogs so you get lsattr/chattr and other
utils which you can use to view/set extended ACLs on ext2/3/4 file systems.
In smb.conf [global] section, you'll need
map acl inherit = yes
nt acl support = yes
to enable extended ACLs globally. You can now set administrator users
for /ubshare so they can change ACL permissions for other users.
[ubshare]
admin users = @"DOMAIN\DomainAdministrator"
Once all this is done, need to connect to the share from any AD registered
Windows desktop and as the admin user above. From the Windows Explorer
file permissions dialog, you can set permissions in the same manner
you set permissions on native Windows shares.
If in doubt Google for "samba extended acl" and follow the examples.
Official
documentation is sparse.
It's preferred to use native Samba utilities (winbind) to connect with AD.
There is an alternate LDAP and NSS which is outlined here:
http://en.gentoo-wiki.com/wiki/Active_Directory_Authentication_using_LDAP
LDAP approach is better suited only if you want all AD users to be visible
to Unbutu natively - ie, users can login to the shell over ssh using their
AD credentials. The setup is more complex and involves a lot of moving
parts which are not needed for simple Samba ACL setup.
Best of luck!
- Raja
_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
