Samba Permisions /Active Directory Authentication Problem

Discussion in 'Server Operation' started by buggz, May 3, 2012.

  1. buggz

    buggz New Member

    I have CentOS 6.2 FileServer and a Windows 2008 Server PDC, i have configured samba on CentOS to authenticate all users who need access to files against the WIndows 2008 Server.

    I have Groups :
    Finance
    HR
    Legal
    Audit on the windows Server, and i have folders on my FileServer corsponding to those groups.
    I created users on Windows and joined them to the various groups, so i want to restrict access to files on file server using group membership.

    i used http://wiki.samba.org/index.php/Samb...tive_Directory to do the installation.

    wbinfo -u and
    wbinfo -g are giving me the results that i want e.g


    Code:
    [[email protected] ~]# wbinfo -g
    domain computers
    domain controllers
    schema admins
    enterprise admins
    cert publishers
    domain admins
    domain users
    domain guests
    group policy creator owners
    ras and ias servers
    allowed rodc password replication group
    denied rodc password replication group
    read-only domain controllers
    enterprise read-only domain controllers
    dnsadmins
    finance
    hr
    legal
    audit

    im able to browse and view files that are already on the server, but i cannot create a new file or folder, my /etc/samba/smb.conf is as follows

    [global]

    workgroup = LAN
    server string = FILE-SERVER


    security = ads

    realm = LAN.LOCAL

    encrypt passwords = yes
    preferred master = no

    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind separator = +
    winbind uid = 600-20000
    winbind gid = 600-20222
    winbind use default domain = true
    winbind nested groups = Yes
    winbind enum users = yes
    winbind enum groups = yes
    enhanced browsing = yes
    winbind offline logon = false

    password server = dc.lan.local



    [LEGAL]
    comment = Shared Folder
    path = /home/legal
    writeable = yes
    valid users = @NETWORK+legal @NETWORK+directors
    writelist = @NETWORK+legal
    create mask = 0777
    force create mode = 0777
    browseable = yes
    guest ok = no

    [HR_ADMIN]
    comment = Shared Folder
    path = /home/hr_admin
    writeable = yes
    valid users = @NETWORK+directors @NETWORK+hr_admin
    writelist = @NETWORK+hr_admin
    create mask = 0777
    force create mode = 0777
    browseable = yes
    guest ok = no

    [FINANCE]
    comment = Shared Folder
    path = /home/finance
    writeable = yes
    valid users = @NETWORK+directors @NETWORK+finance
    writelist = @NETWORK+finance
    create mask = 0777
    force create mode = 0777
    browseable = yes
    guest ok = no


    has anyone used this kind of setup to work? i also want someone who will be a member of group 'Domain Admins' to have read and write access to all the folders and files on the server.


    thanks in advance.
     

Share This Page