Sorry... I replied prematurely in my earlier post. Please ignore earlier one. Here is the completed response.
On Wed, Mar 14, 2012 at 2:02 AM, Raja Subramanian <[email protected]> wrote:
> On Tue, Mar 13, 2012 at 5:26 PM, rapghere rap <[email protected]> wrote:
>> Anyone, could you please explain in detail.
>
> Here are some high level steps. You'll need to consult relevant
> documentation along the way.
>
>>> I have an ubuntu 10.04.2 desktop joined into my windows domain running on
>>> Windows 2008 R2 AD server using pbisopen6.5 (formerly likewise open).

Run Samba on your desktop. Configure it to join the W2k8 R2 domain. Consult the Samba docs for how you can add your Samba server to an existing AD domain. You'll need to use "security = ADS" in your [global] smb.conf section and also need domain administrator credentials for the one-time addition. Once the Samba server is added in AD, a new AD Computer object will be created. This is exactly like adding any Windows desktop/server to AD.

You then need to ensure extended ACLs are enabled for the file system which contains /ubshare. Use the "acl" option in fstab. E.g.

    /dev/sda2 /ubshare ext3 defaults,rw,acl 1 1

It's recommended you install e2fsprogs so you get lsattr/chattr and other utils which you can use to view/set extended ACLs on ext2/3/4 file systems.

In the smb.conf [global] section, you'll need

    map acl inherit = yes
    nt acl support = yes

to enable extended ACLs globally.

You can now set administrator users for /ubshare so they can change ACL permissions for other users.

    [ubshare]
    admin users = @"DOMAIN\DomainAdministrator"

Once all this is done, you need to connect to the share from any AD-registered Windows desktop as the admin user above. From the Windows Explorer file permissions dialog, you can set permissions in the same manner you set permissions on native Windows shares.

If in doubt, Google for "samba extended acl" and follow the examples. Official documentation is sparse.

It's preferred to use native Samba utilities (winbind) to connect with AD. There is an alternate LDAP and NSS approach which is outlined here:
http://en.gentoo-wiki.com/wiki/Active_Directory_Authentication_using_LDAP

The LDAP approach is better suited only if you want all AD users to be visible to Ubuntu natively - i.e., users can log in to the shell over ssh using their AD credentials. The setup is more complex and involves a lot of moving parts which are not needed for a simple Samba ACL setup.

Best of luck!

- Raja

_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
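A small pre-flight check for the procedure above, added here as an example and not part of the thread: it verifies that the share's filesystem is mounted with "acl" and that [global] in smb.conf sets both "nt acl support" and "map acl inherit", which are the two things that must be in place before the Windows permissions dialog can change anything. The fstab and smb.conf contents below are constructed samples modelled on the settings Raja quotes; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check the prerequisites for editing
# Samba share ACLs from Windows. Functions take file contents as arguments,
# so they run on the constructed samples here or on real system files.

# has_acl_option FSTAB_TEXT MOUNTPOINT: succeeds if the fstab entry for
# MOUNTPOINT lists "acl" among its mount options (field 4).
has_acl_option() {
    printf '%s\n' "$1" | awk -v mnt="$2" '
        /^[ \t]*#/ || NF < 4 { next }               # comments and blank lines
        $2 == mnt {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "acl") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# smb_global_has SMBCONF_TEXT KEY VALUE: succeeds if the [global] section
# sets KEY to VALUE (case-insensitive; whitespace around "=" is ignored).
smb_global_has() {
    printf '%s\n' "$1" | awk -v key="$2" -v val="$3" '
        /^[ \t]*\[/ { sect = tolower($0); sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect); next }
        sect == "global" && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key) && tolower(v) == tolower(val)) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# check_share_ready FSTAB_TEXT SMBCONF_TEXT MOUNTPOINT: 0 only when the mount
# has "acl" and [global] enables both ACL settings; names the first gap otherwise.
check_share_ready() {
    has_acl_option "$1" "$3" || { echo "missing: acl mount option for $3" >&2; return 1; }
    smb_global_has "$2" "nt acl support" yes || { echo "missing: nt acl support = yes" >&2; return 1; }
    smb_global_has "$2" "map acl inherit" yes || { echo "missing: map acl inherit = yes" >&2; return 1; }
    echo "ok: $3 can have its ACLs managed from Windows"
}

# Constructed samples mirroring the settings quoted in the thread.
SAMPLE_FSTAB='/dev/sda1 / ext3 defaults 1 1
/dev/sda2 /ubshare ext3 defaults,rw,acl 1 1'
SAMPLE_SMBCONF='[global]
   security = ADS
   map acl inherit = yes
   nt acl support = yes
[ubshare]
   admin users = @"DOMAIN\DomainAdministrator"'

check_share_ready "$SAMPLE_FSTAB" "$SAMPLE_SMBCONF" /ubshare
```

On a real host, feed it the live files instead of the samples, e.g. `check_share_ready "$(cat /etc/fstab)" "$(testparm -s 2>/dev/null)" /ubshare`, since testparm prints the effective smb.conf with the same key names.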
