====== Active Directory File Server ======
===== Basics =====
[[https://wiki.samba.org/index.php/Samba_File_Serving|Samba File Serving]]
[[https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs|Setting up a Share Using Windows ACLs]]
**Prerequisite:**
  * An installed [[server:ad-dm|Active Directory domain member]]; all of the configuration below is done on that server.
===== Preparation =====
**Enable extended ACL support and access-based enumeration:**
<code bash>
nano /etc/samba/smb.conf
</code>
<code ini>
[global]
# Enable Extended ACL Support
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Access based enumeration
hide unreadable = yes
</code>
Check the configuration and restart Samba:
<code bash>
testparm
systemctl restart smbd
</code>
**Granting the SeDiskOperatorPrivilege privilege**
Grant the Domain Admins group the right to configure share permissions:
<code bash>
net rpc rights grant "\Domain Admins" SeDiskOperatorPrivilege -U "\administrator"
</code>
Verify the assignment:
<code bash>
net rpc rights list privileges SeDiskOperatorPrivilege -U "\administrator"
</code>
===== Shares =====
**Create a share**
Create the directory:
<code bash>
mkdir -p /srv/samba/data/
</code>
Give Domain Admins the right to manage it (group-writable, no access for others):
<code bash>
chown root:"\Domain Admins" /srv/samba/data/
chmod 0770 /srv/samba/data/
</code>
Add the share to smb.conf (at the very end of the file):
<code bash>
nano /etc/samba/smb.conf
</code>
<code ini>
[data]
path = /srv/samba/data/
read only = no
</code>
  * Comment out the whole [homes] section
Reload the Samba configuration:
<code bash>
smbcontrol all reload-config
</code>
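As an added check that is not part of this page or of Samba itself: a small POSIX shell script that verifies the [global] settings from the preparation section and the 0770 mode of the share root configured above. It assumes GNU stat and takes the smb.conf path and the share directory as arguments.

```shell
#!/bin/sh
# Added verification script (not from the page): confirm that an smb.conf
# carries the extended-ACL / access-based-enumeration settings configured
# above and that a share root has the 0770 mode set above. Assumes GNU stat.

# Print the value of KEY from the [global] section of CONF (empty if absent).
smb_global_value() {
    conf="$1"; key="$2"
    awk -v key="$key" '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        insec && $0 !~ /^[[:space:]]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$conf"
}

# Return 0 when every required [global] setting is present, 1 otherwise;
# the missing keys are printed so an operator sees what to add.
check_smb_acl_settings() {
    conf="$1"; missing=""
    case " $(smb_global_value "$conf" "vfs objects") " in
        *" acl_xattr "*) ;;
        *) missing="$missing vfs objects=acl_xattr" ;;
    esac
    for kv in "map acl inherit=yes" "store dos attributes=yes" "hide unreadable=yes"; do
        k="${kv%=*}"; want="${kv#*=}"
        got="$(smb_global_value "$conf" "$k" | tr 'A-Z' 'a-z')"
        [ "$got" = "$want" ] || missing="$missing $kv"
    done
    if [ -n "$missing" ]; then
        echo "missing in [global]:$missing"
        return 1
    fi
    return 0
}

# Return 0 when DIR has mode 0770 (owner and group rwx, nothing for others).
check_share_mode() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "770" ]
}

# Usage on the domain member, e.g.:
#   check_smb_acl_settings /etc/samba/smb.conf && check_share_mode /srv/samba/data
```

Settings placed in a share section instead of [global] are reported as missing, which is the mistake the check is meant to catch.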
===== Administration =====
**On the admin PC:**
  * Computer Management / Action / Connect to another computer...: dm1
  * System Tools / Shared Folders / Shares
    * data
      * Share Permissions:
        * Everyone: Full Control: Allow
      * Security:
        * Administrators (DM1\Administrators): Full control / This folder, subfolders and files
        * root: Full control / This folder only
        * SYSTEM: Full control / This folder, subfolders and files
        * Users (DM1\Users): Read & execute / This folder only
        * Remove all other entries!
**Permissions on subfolders:**
  * data\IT
    * Security:
      * Administrators (DM1\Administrators): Full control / Inherited / This folder, subfolders and files
      * IT: Read, write & execute / This folder only
      * IT: Modify / Subfolders and files only
      * SYSTEM: Full control / Inherited / This folder, subfolders and files
**Active Directory Users and Computers**
  * View: Advanced Features
  * Create the groups in groups.campus:
    * Main groups:
      * Main-Misc
      * Main-Staff
      * Main-Students
    * Org groups:
      * FC--Misc
      * FC--Staff
      * FC--Students
    * Roles:
      * Role-President
**Create the folders on the data share and set their permissions:**
  * X:\FC-
  * X:\FC-\Administration
  * X:\FC-\General
  * X:\FC-\Misc
  * X:\FC-\Students
  * X:\FC-\Sub-FC ...
**Group Policy Management**
  * Create a policy DriveMapping and link it to the OUs users.campus and misc.campus
  * User Configuration / Preferences / Windows Settings / Drive Maps
    * General
      * Action: Replace
      * Location: \\dm1\data
      * Label as: - Daten
      * Drive: X
    * Common
      * Run in logged-on user's security context (user policy option)