I'm running Samba 4 on RHEL 7, and we've come to a point where end users are going to need more control over folder permissions.
My question is twofold:
Is converting my Samba setup to Active Directory the only (or even the best) solution for giving my end users finer control over folder permissions?
If yes, is it possible to take an existing Samba installation and set it up as an Active Directory domain controller, or am I looking at a reinstall? If reinstall is the only option, what happens to my existing database of Samba users, which is quite large?
решение1
If you are thinking of using a Samba 4 file server in an AD DC role, that is probably not a good solution.
Due to limitations present when provisioning the AD DC role, Samba recommends that you not use a Samba domain controller as a file server. In other words, you need a separate AD DC (and, in fact, should ideally have redundant separate AD DCs).
решение2
You could migrate your Domain to an Univention UCS Domain. It offers an automated wizard to migrate SAMBA/AD Domains, so you wouldn't have to reinstall everything - http://docs.software-univention.de/manual-4.3.html#windows:adtakeover
You would have more and easier Sharing controls through a web interface and your users could simply use their clients to control the permissions. The Folders can automatically be shared and synced through NFS (Linux) and CIFS (Windows). The web interface has a tick box 'Users with write access may modify permissions', with which you can allow all write-access users - beside the owner user and group - to change permissions. - http://docs.software-univention.de/manual-4.3.html#shares::general
The limitations mentioned by Colt don't apply, but it would be recommendable to separate your Domain Controller and File Sharing Server in a bigger Domain.