Setting Share Permissions & ACL's remotely to ubuntu 16.04 Samba file server via Windows Server 2012 r2

[OpSupport]

Hi all, 

 

I've been looking around the forums and trying to find an answer via search but I have been unable to thus far. I'm hoping someone can give me a hand. I'm very new to Linux and Samba but my bosses wanted me to set up a new file server on Ubuntu that can integrate with AD and have users be able to authenticate with their AD credentials. So far I have managed to get Ubuntu 16.04 installed, Kerberos configured and the system added to my AD domain. Everything is working fine. I am able to see my new file server in AD users and computers and DNS is working correctly, things are pingable and resolving right. 

 

My issue is that I am trying to use the instructions in the Samba wiki to set the share permissions and ACL on a share which I have created on my Samba server as it indicates that I shouldn't use the smb.conf to add the parameters, but instead use the Windows utilities ( https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs ) Unfortunately, despite everything else working correctly when I try to connect via my 2012 r2 server to the remote Samba I get an error " Computer <new server> cannot be managed. Verify hat the network path is correct, the computer is available on the network, and that the appropriate Windows Firewall rules are enabled on the target computer" Sadly, there are NO "Windows Firewall rules" since its a Ubuntu box and considering that the computer IS perfectly visible in the AD, the snap-in can find it when I 'browse', it can be ping'd and the UFW is off, I am at a loss as to what could possibly be the issue.

 

Anyone out there who has integrated a Ubuntu file server using Samba onto AD can point me in the right direction?

 

Thanks!

 

[Mindovermaster Global Moderator]

I think  that only applies to Windows systems. You are on Linux, use the smb.conf.

 

I am very shady on this, but I THINK that is what you're trying to get accross... If I'm wrong, shoot me in the foot...

[OpSupport]

@Mindovermaster I have tried both ways. Unfortunately I can't seem to get a windows user to be able to map to the samba share using only the AD credentials - which is what should be happening.  I can set up a share without the system being on the domain or using kerberos to authenticate but this is not what I am wanting. I need a ubuntu server to join my windows domain, to have users be able to map their shares using only their windows AD credentials. According to the article that I linked and the Samba wiki, this setup is completely possible - but I can't manage it. I was hoping someone had done it - and documented all the steps.

 

Thanks for trying. I think I am just going to have to set it up as a stand alone server , assign everyone their own samba passwords and have them map locally without it being a domain member.

[Mindovermaster Global Moderator]

@BudManmight be able to help...

[+BudMan MVC]

did you validate your samba has extended ACLs enabled

 

smbd -b | grep HAVE_LIBACL

 

Does that come back that you HAVE_LIBACL?

 

If so and you joined it to the domain correctly, then yes you should be able to access via the windows tools..

 

What schema are you running you mention 2012r2 but are you actually running the 2012r2 schema -- you can check with dsquery or powershell.  Also what version of samba are you running?

 

What I can tell you off the top of my head, is yes this is very possible.. Problem is I have not done this in quite some time.. I would have to fire up some vms and run through it.