• [Samba] Allow user without uidNumber to access to a Samba member file server

    From Rowland Penny via samba@21:1/5 to Arnaud Cruzel via samba on Wed Mar 15 14:30:01 2017
    On Wed, 15 Mar 2017 14:23:23 +0200
    Arnaud Cruzel via samba <samba@lists.samba.org> wrote:

    Hi everybody,

    I have a Samba member server for file sharing configured like below. Domain controllers are on Samba too.
    All servers are on Samba 4.5.3.
    When I created the domain I activated rfc2307.

    Now I think rfc2307 was a bad idea...


    You could use the winbind 'rid' backend instead; this will mean that
    your users will get different 'IDs', so you will have to change the
    ownership of any files and directories stored on the fileserver.

    You will also have to use 'template' lines in smb.conf for Unix home
    dirs and shell.

    Rowland

    --
    To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From L.P.H. van Belle@21:1/5 to All on Wed Mar 15 15:20:01 2017
    But if he tries to access the file server (from a Windows 10 client),
    he gets an "Access refused".

    How did he access the share?
    \\servername\share or \\servername.dnsdom.tld\share
    (or by \\ip)

    Can he access \\servername without the share?

    And the Win10 event ID + description of the "Access refused" would be nice.
    The "Share Security" settings are?

    It should work with rfc2307, it works fine for me
    ADDC 4.5.3 + members 4.5.3/4.6.0
    All servers in rfc2307 mode.

    But I did set extra things, so before I advise something I need the above info first.


    Greetz,

    Louis





  • From Chris Weiss via samba@21:1/5 to samba@lists.samba.org on Wed Mar 15 15:40:02 2017
    On Wed, Mar 15, 2017 at 7:56 AM Arnaud Cruzel via samba <samba@lists.samba.org> wrote:


    I'd like this behaviour to permit computers to access shares for
    installing applications with a GPO set on the DC and applied to the computers
    section instead of the users section of the GPO.


    When a client connects to a share, smbd spawns a new process owned by that user, which is why it needs a uid. If you want your share to be readable
    by anyone, look into the "map to guest" option to give users that can't be validated an alternate uid.
  • From Arnaud Cruzel via samba@21:1/5 to All on Wed Mar 15 16:20:02 2017
    On Wednesday 15 March 2017 at 13:17 +0000, Rowland Penny via samba
    wrote:
    On Wed, 15 Mar 2017 14:23:23 +0200
    Arnaud Cruzel via samba <samba@lists.samba.org> wrote:

    Hi everybody,

    I have a Samba member server for file sharing configured like
    below.
    Domain controllers are on Samba too.
    All servers are on Samba 4.5.3.
    When I created the domain I activated rfc2307.

    Now I think rfc2307 was a bad idea...


    You could use the winbind 'rid' backend instead; this will mean that
    your users will get different 'IDs', so you will have to change the
    ownership of any files and directories stored on the fileserver.

    You will also have to use 'template' lines in smb.conf for Unix home
    dirs and shell.

    Rowland 


    Thanks for your answer.

    OK, I tried that. After that there are no longer problems accessing the file server with a user without uidNumber.
    But now it's impossible for a Unix client to access Samba shares on this server. I think because the uids are different.
    For information, I didn't have to change the share owners; the server kept the same uids for users (I think because of caching?)

    What I did:

    # diff smb.conf.ad smb.conf.rid
    37,39c37,39
    < idmap config IFPOAD:backend = ad
    < idmap config IFPOAD:schema_mode = rfc2307
    < idmap config IFPOAD:range = 10000-99999
    ---
    # idmap config IFPOAD:backend = ad
    # idmap config IFPOAD:schema_mode = rfc2307
    # idmap config IFPOAD:range = 10000-99999
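Review bot: the three right-hand lines of this hunk have lost their `>` diff markers (only the `<` side is marked), so they read as if the `ad` settings were dropped, whereas the `37,39c37,39` header says they were changed in place, i.e. commented out. Keeping the commented `ad` lines together with the old `range = 10000-99999` is worth doing deliberately: a later return to `backend = ad` needs exactly that range again so that the existing rfc2307 uidNumbers are still accepted.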
    41,42c41,42
    < # idmap config IFPOAD : backend = rid
    < # idmap config IFPOAD : range = 10000-999999
    ---
    idmap config IFPOAD : backend = rid
    idmap config IFPOAD : range = 10000-999999
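Review bot: the new `rid` range `10000-999999` is ten times wider than the former `ad` range and starts at the same low value; check that it does not overlap the `idmap config * : range` of the default backend (not shown in this diff), because idmap ranges must not overlap. Since `rid` derives the ID from the account's RID (range low plus RID), every domain account, computer accounts included, now gets an ID that is different from its rfc2307 uidNumber, which is why file ownership on this server has to be corrected once the winbind cache expires, as the thread goes on to discuss.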
    45,46c45,46
    < # winbind nss info = template
    < # template shell = /bin/bash
    ---
    winbind nss info = template
    template shell = /bin/bash
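Review bot: `winbind nss info = template` with `template shell = /bin/bash` hands an interactive shell to every account winbind resolves, computer accounts included. On a server whose only job is file sharing, `template shell = /bin/false` is the safer choice; keep a real shell for the hosts where domain users actually log in.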
    47a48,50
    template homedir = /Users/%U

    # winbind nss info = rfc2307
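Review bot: keep a single copy of `winbind nss info`: the commented `# winbind nss info = rfc2307` added here sits apart from the active `winbind nss info = template`, and the live rfc2307 line is removed by the following `49d51` hunk, so placing the commented copy directly under the active line keeps the rollback to rfc2307 a one-line edit. `template homedir = /Users/%U` is consistent with the rid switch (unixHomeDirectory is no longer read); make sure that directory exists on this host and that homes created under it are not writable by other users.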
    49d51
    < winbind nss info = rfc2307
    61c63
    < unix extensions = no
    ---
    # unix extensions = no
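Review bot: commenting out `unix extensions = no` is a behaviour change unrelated to the idmap switch. The default is `yes`, which re-enables the SMB1 Unix extensions (symlink creation by Unix clients, among others) and causes Samba to ignore `wide links = yes` if that is set elsewhere in the file. If the `no` was deliberate, restore it; if not, record why it changed, separately from the backend change.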
    75c77
    < #username map = /usr/local/samba/etc/user.map
    ---
    username map = /usr/local/samba/etc/user.map
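Review bot: enabling `username map = /usr/local/samba/etc/user.map` is a second change bundled in with the backend switch and deserves its own review: entries in that file decide which Unix user an authenticated domain account becomes, so a loose pattern there can give an account an identity it should not have. Check its contents against the new rid-derived IDs, keep the file owned by root and not group- or world-writable, and prefer limiting it to the usual mapping of the domain Administrator account to root.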


  • From Arnaud Cruzel via samba@21:1/5 to All on Wed Mar 15 16:50:02 2017
    On Wednesday 15 March 2017 at 15:16 +0100, L.P.H. van Belle via samba
    wrote:
    But if he tries to access the file server (from a Windows 10
    client),
    he gets an "Access refused".

    How did he access the share? \\servername\share or \\servername.dnsdom.tld\share
    (or by \\ip)
    by \\servername\share



    Can he access \\servername without the share?
    no it can't

    And the Win10 event ID + description of the "Access refused" would be
    nice.
    There is no event ID nor description. I don't find any entry in the
    Windows event viewer.

    The "Share Security" settings are?
    for example, for the share 'Shares':
    For Administrator / Domain Admins / System / Creator Owner = Full
    Control on folder, subfolders and files
    For Authenticated Users / Domain Users = Read and Execute on this
    folder only



    It should work with rfc2307, it works fine for me
    ADDC 4.5.3 + members 4.5.3/4.6.0
    All servers in rfc2307 mode.
    Yes, I don't say it's not working. The problem is that to set a GPO to
    deploy applications, I have to deploy it by user GPO.
    If I want to do that by computer GPO I have to set uidNumber on all
    computers. I'm too lazy to do that :)
    And now with Windows 10, which doesn't allow setting rfc2307 easily with ADUC,
    it becomes very complicated to set uidNumber manually for each user.


    But I did set extra things, so before I advise something I need the
    above info first.


    Greetz, 

    Louis







  • From L.P.H. van Belle@21:1/5 to All on Wed Mar 15 17:10:02 2017
    Ok, these:
    For Administrator / Domain Admins / System / Creator Owner = Full
    Control on folder, subfolders and files
    are not available on the "Share security" but are on the "Security".

    So the "Share security settings" need only:
    Everyone FULL CONTROL (or Verified users)

    And I think you're done.

    For Administrator / Domain Admins / System / Creator Owner = Full Control on folder, subfolders and files

    For Authenticated Users / Domain Users = Read and Execute on this folder only

    In your case I suggest:

    Domain Admins
    SYSTEM
    CREATOR OWNER (or better GROUP)
    CREATOR GROUP
    All full control.

    Authenticated Users OR Domain Users. Setting both isn't needed. With at least read.
    I suggest you set (in case of GPO things) Authenticated Users,
    since that also includes the computers.

    In other cases, use "Domain Users" and/or the other groups you need.


    Greetz,

    Louis





    -----Original message-----
    From: Arnaud Cruzel [mailto:a.cruzel@ifporient.org]
    Sent: Wednesday 15 March 2017 16:40
    To: L.P.H. van Belle; samba@lists.samba.org
    Subject: Re: [Samba] Allow user without uidNumber to access to a Samba member file server

    On Wednesday 15 March 2017 at 15:16 +0100, L.P.H. van Belle via samba wrote:
    But if he tries to access the file server (from a Windows 10
    client),
    he gets an "Access refused".

    How did he access the share? \\servername\share or \\servername.dnsdom.tld\share
    (or by \\ip)
    by \\servername\share



    Can he access \\servername without the share?
    no it can't

    And the Win10 event ID + description of the "Access refused" would be
    nice.
    There is no event ID nor description. I don't find any entry in the
    Windows event viewer.

    The "Share Security" settings are?
    for example, for the share 'Shares':
    For Administrator / Domain Admins / System / Creator Owner = Full
    Control on folder, subfolders and files
    For Authenticated Users / Domain Users = Read and Execute on this
    folder only



    It should work with rfc2307, it works fine for me
    ADDC 4.5.3 + members 4.5.3/4.6.0
    All servers in rfc2307 mode.
    Yes, I don't say it's not working. The problem is that to set a GPO to
    deploy applications, I have to deploy it by user GPO.
    If I want to do that by computer GPO I have to set uidNumber on all computers. I'm too lazy to do that :)
    And now with Windows 10, which doesn't allow setting rfc2307 easily with ADUC,
    it becomes very complicated to set uidNumber manually for each user.


    But I did set extra things, so before I advise something I need the
    above info first.


    Greetz,

    Louis









  • From Rowland Penny via samba@21:1/5 to All on Wed Mar 15 17:20:01 2017
    And now with Windows 10, which doesn't allow setting rfc2307 easily with
    ADUC, it becomes very complicated to set uidNumber manually for each
    user.


    Are you reading this Andrew ??

    I told you this with my patches to allow adding RFC2307 attributes with samba-tool.

    Rowland


  • From Rowland Penny via samba@21:1/5 to Arnaud Cruzel on Wed Mar 15 17:20:02 2017
    On Wed, 15 Mar 2017 17:13:43 +0200
    Arnaud Cruzel <a.cruzel@ifporient.org> wrote:



    OK, I tried that. After that there are no longer problems accessing the
    file server with a user without uidNumber. But now it's impossible for a
    Unix client to access Samba shares on this server.

    You never mentioned Unix users.

    The 'rid' backend works by calculating the user's ID from its Windows
    RID; Unix users do not have a RID, so they don't get an ID.

    If you have Unix users, you will have to create the users in AD,
    set the Unix machines up as a domain member (info available on the Samba wiki) and remove the users from the Unix machine (they cannot be
    in /etc/passwd and AD). You could also return to using the 'ad'
    backend, but you would still have to make the Unix machines domain
    members.

    I think because the uids are different. For information, I didn't have
    to change the share
    owners; the server kept the same uids for users (I think because of
    caching?)

    Wait until the cache expires and wait for the screams :-)

    Rowland


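The 'ad' versus 'rid' behaviour Rowland describes, as an added example that is not part of the thread or of Samba's own code: a small Python model of the two winbind idmap backends. The domain SID, RIDs and account names are constructed; the ranges are the ones from Arnaud's smb.conf diff. `idmap_rid` applies the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, and the `map_bad_uid_to_guest` switch stands in for Samba's `map to guest = Bad Uid`, the option Chris Weiss's reply points at. It shows why a user without uidNumber is refused under `ad`, why every ID changes under `rid`, and why a plain /etc/passwd account gets no ID from either.

```python
"""Toy model of the winbind 'ad' and 'rid' idmap backends (added example)."""

from dataclasses import dataclass
from typing import Optional

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed


@dataclass
class AdAccount:
    name: str
    rid: int
    uid_number: Optional[int] = None  # rfc2307 uidNumber, None if never set


# Constructed directory snapshot. 'ws01$' is a computer account, which in
# practice has no uidNumber unless an admin sets one by hand.
DIRECTORY = {
    "alice": AdAccount("alice", rid=1105, uid_number=10001),
    "bob": AdAccount("bob", rid=1106),        # user without uidNumber
    "ws01$": AdAccount("ws01$", rid=1201),    # computer account
}


def sid_of(name: str) -> Optional[str]:
    """SID of a domain object, or None for something that is not in AD."""
    acct = DIRECTORY.get(name)
    return None if acct is None else f"{DOMAIN_SID}-{acct.rid}"


def idmap_ad(name: str, low: int, high: int) -> Optional[int]:
    """'ad' backend: use the stored uidNumber, accepted only inside the range."""
    acct = DIRECTORY.get(name)
    if acct is None or acct.uid_number is None:
        return None
    return acct.uid_number if low <= acct.uid_number <= high else None


def idmap_rid(name: str, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """'rid' backend: ID = RID - BASE_RID + LOW_RANGE_ID, per idmap_rid(8)."""
    sid = sid_of(name)
    if sid is None:  # no SID: a local /etc/passwd user, so no RID and no ID
        return None
    rid = int(sid.rsplit("-", 1)[1])
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None


def resolve(name: str, backend: str, low: int, high: int,
            map_bad_uid_to_guest: bool = False, guest_uid: int = 65534) -> Optional[int]:
    """uid that smbd's per-client process would run as, or None (access denied).

    map_bad_uid_to_guest models 'map to guest = Bad Uid': an authenticated
    account with no Unix ID falls back to the guest account's uid.
    """
    if backend == "ad":
        uid = idmap_ad(name, low, high)
    elif backend == "rid":
        uid = idmap_rid(name, low, high)
    else:
        raise ValueError(f"unknown backend {backend!r}")
    if uid is None and map_bad_uid_to_guest:
        return guest_uid
    return uid


def compare(names, low_ad=10000, high_ad=99999, low_rid=10000, high_rid=999999):
    """Side-by-side (ad_uid, rid_uid) per account, e.g. to plan a chown pass."""
    return {n: (resolve(n, "ad", low_ad, high_ad),
                resolve(n, "rid", low_rid, high_rid)) for n in names}


if __name__ == "__main__":
    # 'localadmin' is a constructed name that exists only in /etc/passwd.
    for name, (ad_uid, rid_uid) in compare(["alice", "bob", "ws01$", "localadmin"]).items():
        print(f"{name:10} ad={ad_uid}  rid={rid_uid}")
```

Reading the output against the thread: alice moves from 10001 to 11105, which is the ownership change Rowland warns about; bob and the computer account only get an ID under `rid`; the local account gets none under either, which is why a Unix machine's own users cannot be handed an ID by a member server and must live in AD instead.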
  • From Arnaud Cruzel via samba@21:1/5 to All on Wed Mar 15 18:00:02 2017
    On Wednesday 15 March 2017 at 16:08 +0000, Rowland Penny via samba
    wrote:
    On Wed, 15 Mar 2017 17:13:43 +0200
    Arnaud Cruzel <a.cruzel@ifporient.org> wrote:



    OK, I tried that. After that there are no longer problems accessing
    the
    file server with a user without uidNumber. But now it's impossible
    for a
    Unix client to access Samba shares on this server.

    You never mentioned Unix users.

    The 'rid' backend works by calculating the user's ID from its Windows
    RID; Unix users do not have a RID, so they don't get an ID.

    If you have Unix users, you will have to create the users in AD,
    set the Unix machines up as a domain member (info available on the
    Samba wiki)
    and remove the users from the Unix machine (they cannot be
    in /etc/passwd and AD). You could also return to using the 'ad'
    backend, but you would still have to make the Unix machines domain
    members.
    Sorry, I said Unix client, but I meant to say Unix machine.
    An Active Directory user logged on to a Unix machine that is a domain member
    seems to be unable to access shares when the share server has idmap
    set to rid.



    I think because the uids are different. For information, I didn't
    have
    to change the share
    owners; the server kept the same uids for users (I think because of
    caching?)

    Wait until the cache expires and wait for the screams :-)
    Yes, I heard them... from Unix and Mac OS X domain users :D.
    I locked my office door!
    Windows users kept cool.

    So I think I have no choice in a mixed environment of Mac OS X, Windows and
    Linux: I have to set uidNumber...
    Arghhh

    But you talked about a patch in your other mail for setting
    uidNumbers automatically?? Where is it? I want it.

    Thanks



    Rowland




  • From Rowland Penny via samba@21:1/5 to Arnaud Cruzel on Wed Mar 15 18:20:02 2017
    On Wed, 15 Mar 2017 18:49:30 +0200
    Arnaud Cruzel <a.cruzel@ifporient.org> wrote:

    On Wednesday 15 March 2017 at 16:08 +0000, Rowland Penny via samba
    wrote:
    On Wed, 15 Mar 2017 17:13:43 +0200
    Arnaud Cruzel <a.cruzel@ifporient.org> wrote:

    Sorry, I said Unix client, but I meant to say Unix machine.
    An Active Directory user logged on to a Unix machine that is a domain member
    seems to be unable to access shares when the share server has idmap
    set to rid.

    As long as a user is in AD it will have a RID, so the 'rid' backend
    should work, as long as smb.conf etc. is set up correctly.

    Can you post the smb.conf from a Unix machine that this happens on?

    Wait until the cache expires and wait for the screams :-)
    Yes, I heard them... from Unix and Mac OS X domain users :D.
    I locked my office door!
    Windows users kept cool.

    I would barricade the door ;-)


    So I think I have no choice in a mixed environment of Mac OS X, Windows
    and Linux: I have to set uidNumber...
    Arghhh

    Not sure about Mac, never used it, but you should be able to use 'rid'
    with Unix.


    But you talked about a patch in your other mail for setting
    uidNumbers automatically?? Where is it? I want it.


    It basically does what the Unix attribute tab did/does, but I don't
    really want to upset Andrew by releasing it outside Samba.

    Rowland



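Arnaud's fallback of setting uidNumber on every account, and Rowland's remark that his patch does what the ADUC Unix attribute tab did, as an added example that is neither Rowland's patch nor samba-tool's code: a Python allocator that finds the next free uidNumber inside the `ad` range from the smb.conf diff (10000-99999), refuses to proceed while two accounts share a uidNumber, optionally includes computer accounts (the case Arnaud needs for computer GPOs), and emits LDIF `modify` records that an admin could feed to ldbmodify or ldapmodify. The base DN and the account snapshot are constructed.

```python
"""Allocate missing rfc2307 uidNumber values for the 'ad' idmap backend (added example)."""

RANGE_LOW, RANGE_HIGH = 10000, 99999   # the 'ad' range from the smb.conf diff
BASE_DN = "DC=example,DC=com"          # constructed base DN

# Constructed snapshot of what a directory search for sAMAccountName and
# uidNumber would return; None means the attribute is not set.
SAMPLE_ACCOUNTS = [
    {"dn": f"CN=alice,CN=Users,{BASE_DN}", "sAMAccountName": "alice", "uidNumber": 10001},
    {"dn": f"CN=bob,CN=Users,{BASE_DN}", "sAMAccountName": "bob", "uidNumber": None},
    {"dn": f"CN=carol,CN=Users,{BASE_DN}", "sAMAccountName": "carol", "uidNumber": 10002},
    {"dn": f"CN=dave,CN=Users,{BASE_DN}", "sAMAccountName": "dave", "uidNumber": None},
    {"dn": f"CN=WS01,CN=Computers,{BASE_DN}", "sAMAccountName": "WS01$", "uidNumber": None},
]


def find_duplicates(accounts):
    """{uidNumber: [names]} for numbers used by more than one account.

    Two accounts with one uidNumber are the same Unix identity on every
    member server, so this has to be cleaned up before handing out more.
    """
    seen = {}
    for acct in accounts:
        if acct["uidNumber"] is not None:
            seen.setdefault(acct["uidNumber"], []).append(acct["sAMAccountName"])
    return {num: names for num, names in seen.items() if len(names) > 1}


def allocate(accounts, low=RANGE_LOW, high=RANGE_HIGH, include_computers=False):
    """Return {sAMAccountName: new uidNumber} for accounts that lack one.

    Computer accounts (names ending in '$') are skipped unless asked for.
    Raises ValueError on duplicate uidNumbers or when the range runs out.
    """
    dups = find_duplicates(accounts)
    if dups:
        raise ValueError(f"duplicate uidNumber values, fix these first: {dups}")
    used = {a["uidNumber"] for a in accounts if a["uidNumber"] is not None}
    # Start above the highest number already in use instead of filling holes:
    # a hole may belong to a deleted account whose files still carry that uid.
    next_free = max((u for u in used if low <= u <= high), default=low - 1) + 1
    assigned = {}
    for acct in sorted(accounts, key=lambda a: a["sAMAccountName"].lower()):
        name = acct["sAMAccountName"]
        if acct["uidNumber"] is not None:
            continue
        if name.endswith("$") and not include_computers:
            continue
        while next_free in used:
            next_free += 1
        if next_free > high:
            raise ValueError(f"rfc2307 range {low}-{high} exhausted at {name}")
        assigned[name] = next_free
        used.add(next_free)
    return assigned


def to_ldif(accounts, assigned):
    """LDIF 'modify' records adding uidNumber to each allocated account."""
    by_name = {a["sAMAccountName"]: a for a in accounts}
    records = []
    for name, uid in sorted(assigned.items()):
        records.append(
            f"dn: {by_name[name]['dn']}\n"
            "changetype: modify\n"
            "add: uidNumber\n"
            f"uidNumber: {uid}\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    plan = allocate(SAMPLE_ACCOUNTS, include_computers=True)
    print(to_ldif(SAMPLE_ACCOUNTS, plan))
```

The allocator only deals with uidNumber. With the `ad` backend the user's primary group (Domain Users for most accounts) also needs a gidNumber inside the same range, otherwise winbind still refuses to map the user, so check that before applying the LDIF; and review the generated records rather than piping them straight into the directory, since a wrong DN here rewrites identity for every member server at once.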