
I'm running Samba 4 on RHEL 7, and we've come to a point where end users are going to need more control over folder permissions.

My question is twofold:

  1. Is converting my Samba setup to Active Directory the only (or even the best) solution for giving my end users finer control over folder permissions?

  2. If yes, is it possible to take an existing Samba installation and set it up as an Active Directory domain controller, or am I looking at a reinstall? If reinstall is the only option, what happens to my existing database of Samba users, which is quite large?

Chris

2 Answers


If you are thinking of using a Samba 4 file server in an AD DC role, that is probably not a good solution.

Due to limitations present when provisioning the AD DC role, Samba recommends that you not use a Samba domain controller as a file server. In other words, you need a separate AD DC (and, in fact, should ideally have redundant separate AD DCs).

Colt
  • My own homework on this issue revealed the same thing. The shares will only ever be seen by Windows and Mac users. Will the lack of POSIX ACL support affect Mac users, or will they be okay as long as I have those devices configured for AD authentication? – Chris Mar 16 '18 at 11:29
  • I am _not_ up to speed on macOS by any means, but according to this [Apple document](https://developer.apple.com/library/content/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemDetails/FileSystemDetails.html), "macOS provides three file system security schemes: UNIX (BSD) permissions, POSIX access control lists (ACLs), and sandbox entitlements." Whether this is current, or not, or even if it answers your question, I cannot be certain. – Colt Mar 16 '18 at 11:34
  • [Here](https://www.byteworks.com/blog/understanding-osx-permissions/) is another article (titled "Understanding OSX Permissions" published at `byteworks.com`) that seems to also address the issue, however, and _appears_ to imply that macOS needs POSIX. – Colt Mar 16 '18 at 11:39
  • Certainly looks that way. I suppose I could set up an AD DC in a virtual machine and test it that way. Much obliged for the direction. – Chris Mar 16 '18 at 11:40
  • See this: https://superuser.com/questions/1163422/samba-file-permissions-linux-server-mac-client – Colt Mar 16 '18 at 12:06

You could migrate your Domain to a Univention UCS Domain. It offers an automated wizard to migrate SAMBA/AD Domains, so you wouldn't have to reinstall everything - http://docs.software-univention.de/manual-4.3.html#windows:adtakeover

You would have more and easier sharing controls through a web interface, and your users could simply use their clients to control the permissions. The folders can automatically be shared and synced through NFS (Linux) and CIFS (Windows). The web interface has a tick box 'Users with write access may modify permissions', with which you can allow all write-access users - besides the owner user and group - to change permissions. - http://docs.software-univention.de/manual-4.3.html#shares::general

The limitations mentioned by Colt don't apply, but it would be recommendable to separate your Domain Controller and File Sharing Server in a bigger Domain.

hpeter