[Samba] Standalone Samba in a Win2008 DC environment, transition to samba
Lin Pro via samba
2017-03-08 22:20:02 UTC
There is a network with windows 2008 AD DC and about 9 workstations
plus some printers.
The plan is to decommission the Win 2008 DC and reuse the hardware for
other purposes at a later time (may be a samba AD DC, not important
now).
Samba Standalone is to take the role of a File and Print Server in
this existing network.

Questions:
1. Can Samba 4.5 "standalone" be started temporarily in parallel with
Win DC so that workstations can "see" it and copy files to the samba
server? (there are no plans to join the Win DC domain with samba
standalone).

2. The workstations are a mix of windows 7, 8, 8.1 and 10. Will they
"see" the standalone server while still being under the Win DC
control?

3. Do the workstations have to somehow "leave" the Windows AD DC first
in order to start using the standalone samba server? If yes then how
does one do that?

Thanks for any hints
best regards
linforpros
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Marc Muehlfeld via samba
2017-03-09 19:50:02 UTC
Hello,
Post by Lin Pro via samba
1. Can Samba 4.5 "standalone" be started temporarily in parallel with
Win DC so that workstations can "see" it and copy files to the samba
server? (there are no plans to join the Win DC domain with samba
standalone).
Not just temporarily. You can have multiple standalone servers, AD DCs,
NT domains, and clients in the same network, as long as all host and
domain names are unique.

Of course you can access hosts outside your domain, too. As long as the
user has an account on the host or in the foreign domain. Guest access
without authentication is of course also possible, if configured.

Of course, the user in your domain is in the background different to the
user on the standalone host. This means, if you change your password in
the domain, the one on the standalone host is still the same. And users
are only able to change the password from Windows in the domain they are
part of.
Post by Lin Pro via samba
2. The workstations are a mix of windows 7, 8, 8.1 and 10. Will they
"see" the standalone server while still being under the Win DC
control?
Sure. See question 1.
Post by Lin Pro via samba
3. Do the workstations have to somehow "leave" the Windows AD DC first
in order to start using the standalone samba server? If yes then how
does one do that?
No. Just access/map the share using a Samba account that exists on the
standalone host (if you don't allow anonymous access).

You can access/map the share the usual way: \\server\share


Regards,
Marc
Lin Pro via samba
2017-03-10 17:50:01 UTC
Hi All,
It is unclear to me what group membership should \\server\users (or
/srv/samba/users) get if it is planned to be in a standalone role...
and using only POSIX ACLs. The relevant wiki instructions are stating:

"Create the directory and set the correct permissions:

# mkdir -p /srv/samba/users/
# chgrp -R "Domain Users" /srv/samba/users/

# chmod 2750 /srv/samba/users/"

But there is a hidden assumption in the above that it is AD DC -
"Domain Users". Or maybe I should just create a linux group by that
name or any other name and add all the future users to that group? In
the back of my head I may consider converting this standalone srv into
a Domain Member. Do you have any advice what to do in this case?

Besides:
groupadd "Domain Users" produces a warning - not a valid group name

Lin



best regards
linforpros
Rowland Penny via samba
2017-03-10 18:10:02 UTC
On Fri, 10 Mar 2017 11:41:23 -0600
Post by Lin Pro via samba
Hi All,
It is unclear to me what group membership should \\server\users (or
/srv/samba/users) get if it is planned to be in a standalone role...
# mkdir -p /srv/samba/users/
# chgrp -R "Domain Users" /srv/samba/users/
# chmod 2750 /srv/samba/users/"
But there is a hidden assumption in the above that it is AD DC -
"Domain Users". Or maybe I should just create a linux group by that
name or any other name and add all the future users to that group? In
the back of my head I may consider converting this standalone srv into
a Domain Member. Do you have any advice what to do in this case?
groupadd "Domain Users" produces a warning - not a valid group name
It would, the hint is in the group name, a standalone computer is not
part of a Domain.

What you seem to be setting up is a 'WORKGROUP' and, if you have more
than about a dozen computers, you really do not want to do this. Your
users and groups will need to exist on EVERY computer, your users will
need to have the same password on every computer and if a user changes
a password, it will need to be changed on every computer.

Rowland
Marc Muehlfeld via samba
2017-03-10 19:00:02 UTC
Post by Lin Pro via samba
It is unclear to me what group membership should \\server\users (or
/srv/samba/users) get if it is planned to be in a standalone role...
# mkdir -p /srv/samba/users/
# chgrp -R "Domain Users" /srv/samba/users/
# chmod 2750 /srv/samba/users/"
I added some sentences to be clear about this:
https://wiki.samba.org/index.php/User_Home_Folders#Using_POSIX_ACLs
Post by Lin Pro via samba
groupadd "Domain Users" produces a warning - not a valid group name
The groupadd does not support spaces in the group name. Use underscores.

Anyway, in a non-domain environment, naming a group "Domain Users" seems
to guarantee confusion some day. :-)


Regards,
Marc
Lin Pro via samba
2017-03-10 21:00:01 UTC
Post by Marc Muehlfeld via samba
https://wiki.samba.org/index.php/User_Home_Folders#Using_POSIX_ACLs
Anyway, in a non-domain environment, naming a group "Domain Users" seems to
guarantee confusion some day. :-)
Thanks for the clarification.
The system now has "domain_users" group and users are added to that
group. Additionally /srv/samba/users is owned by that group with chmod
2750.
What is the logic however that when a user "justin" creates a
directory within its home dir /users/justin/testdir that dir receives
drwxr-xr-x instead of what is stated in the smb.conf, and that is
0700, then it should become drwx------, correct?

Thanks for any directions to understand it

Below is what I see:

[***@fedora samba]# getfacl users
# file: users
# owner: root
# group: domain_users
# flags: -s-
user::rwx
group::r-x
other::---

[***@fedora samba]# getfacl users/justin/
# file: users/justin/
# owner: justin
# group: domain_users
# flags: -s-
user::rwx
group::---
other::---

[***@fedora samba]# getfacl users/justin/justinFolder/
# file: users/justin/justinFolder/
# owner: justin
# group: domain_users
# flags: -s-
user::rwx
group::r-x
other::r-x

[***@fedora samba]# ls -ld users/
drwxr-s---. 4 root domain_users 4096 Mar 10 19:45 users/
[***@fedora samba]# ls -ld users/justin/
drwx--S---. 3 justin domain_users 4096 Mar 10 19:12 users/justin/
[***@fedora samba]# ls -ld users/justin/justinFolder/
drwxr-sr-x. 2 justin domain_users 4096 Mar 10 19:12 users/justin/justinFolder/





best regards
linforpros
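
Added example, not part of the original thread: a small shell audit for the layout shown in the getfacl output above. It reports directories whose group/other permission bits deviate from the modes discussed in the thread (2750 on the share root, 0700 below it). It assumes GNU stat and find, as on Fedora; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the permission bits of a users share laid out as
# in the thread (ROOT/<user>/...). Expected modes are assumptions taken
# from the thread: 750 on the share root, 700 on everything below it.

# Print the rwx bits of PATH as three octal digits. The setgid bit that
# "chmod 2750" on the root propagates to every subdirectory is masked off.
rwx_bits() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat, as on Fedora
    printf '%03o\n' $(( 0$mode & 0777 ))
}

# Print one finding per line; return 0 if the tree is clean, 1 otherwise.
audit_users_share() {
    root=$1
    status=0

    bits=$(rwx_bits "$root") || return 2
    if [ "$bits" != 750 ]; then
        echo "ROOT $bits $root"
        status=1
    fi

    # Home directories sit at depth 1; group/other must have no access.
    # Deeper directories with group/other bits are the case shown in the
    # thread (justinFolder at 755 under a 700 home).
    list=$(find "$root" -mindepth 1 -type d -perm /077 | sort)
    [ -n "$list" ] || return "$status"
    while IFS= read -r dir; do
        rel=${dir#"$root"/}
        case $rel in
            */*) kind=SUBDIR ;;
            *)   kind=HOME ;;
        esac
        echo "$kind $(rwx_bits "$dir") $dir"
        status=1
    done <<EOF
$list
EOF
    return "$status"
}

# Usage (as root on the file server): audit_users_share /srv/samba/users
```

Because each home directory is 0700, a 755 subdirectory is not reachable by other users through the filesystem, but the finding still shows that newly created directories are not getting the intended mode.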