One of the key things that was missed in the HOWTO I linked yesterday was enumeration of users and groups by winbind. If you do not have this set to ‘yes’ than you’ll be gnashing your teeth in frustration trying to set up shares with Active Directory permissions. Check it out:

smb.conf–>
[global]
# Changes
security = ADS
netbios name = linux-foo
realm = bkm.com
password server = ADS.foo.bar
workgroup = FOO
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

Wth that set you should be able to run getent group and see both the local groups as well as the AD groups which will then allow you to set AD permissions in the Samba share:

smb.conf–>
[Foo-Public]
comment = Foo Public Directory
read only = no
browseable = yes
path = /shares/public
users = @”FOO+Domain Users”

At the moment I have it semi-granular rights working in that everyone can browse the shares but only certain groups  possess Read-Write-Execute rights. If I switch browseable = no than people just need to know the location of the share to get to it, i.e. security through obfuscation. So the challenge that remains now is to use the ACLs as determined by AD and to find a way to edit those ACLs through the Windows MMC. A thread over on the Samba newsgroup talked about needing to enable ACL on the mount point in fstab so I’m going to add another disk in VM-Ware and then mount it with ACL turned on rather than futzing with my primary mount. If I can get ACLs working than likely I can tighten security so that it is only viewable to those as indicated rather than to the general public.

Makes my eyes bleed.