• [Samba] Allow user without uidNumber to access a Samba member file s

    From Arnaud Cruzel via samba@21:1/5 to All on Wed Mar 15 14:00:01 2017
    Hi everybody,

    I have a Samba member server for file sharing, configured as below.
    The domain controllers are on Samba too.
    All servers are on Samba 4.5.3.
    When I created the domain I enabled rfc2307.

    Now I think rfc2307 was a bad idea...

    My problem is that I'd like to allow users and computers to access
    the file server even if uidNumber is not set.
    If I create a user without uidNumber, he is able to access sysvol
    (for example) on all DCs without problems. But if he tries to access the
    file server (from a Windows 10 client), he gets "Access denied".
    I understand that the problem comes from uidNumber not being set, and I think
    the solution is related to idmap, winbind and rfc2307.

    So I'm completely lost with those features: how can I disable
    idmapping to get the same behaviour on the file server as on the domain controller?
    And if I do that, will the macOS users have problems accessing the
    shares with the AFP protocol (netatalk)?

    I'd like this behaviour so that computers can access shares for
    installing applications with a GPO set on the DC and applied in the computer
    section of the GPO instead of the user section.

    Thanks

    Below is my smb.conf on the file server:

    =========================================================
    [global]
           netbios name = FS1
           security = ADS
           workgroup = IFPOAD
           realm = IFPOAD.IFPORIENT.ORG

           log file = /var/log/samba/%m.log
           log level = 1

           interfaces = lo eth0
           bind interfaces only = yes

           server string = %h samba server
           wins support = yes

           # Default idmap config used for BUILTIN and local accounts/groups
           idmap config *:backend = tdb
           idmap config *:range = 2000-9999

           idmap config IFPOAD:backend = ad
           idmap config IFPOAD:schema_mode = rfc2307
           idmap config IFPOAD:range = 10000-99999

           winbind nss info = rfc2307
           winbind enum users = yes
           winbind enum groups = yes
           winbind trusted domains only = no
           winbind use default domain = yes

           # Enable Windows extended attributes
           vfs objects = acl_xattr
           map acl inherit = yes
           store dos attributes = yes

           # For Mac OS compatibility?
           unix extensions = no

           # Print spooler
           rpc_server:spoolss = external
           rpc_daemon:spoolssd = fork
           spoolss: architecture = Windows x64

           veto files = /._*/.DS_Store/~*/
           delete veto files = yes

    [Shares]
           path = /srv/samba/shares
           read only = no

    [home]
           path = /home/samba
           read only = no

    [profile$]
           path = /srv/samba/Profiles
           read only = no

    [deploy$]
           path = /srv/samba/deploy
           read only = no

    [BkShares]
           path = /srv/Backups/bkIFPO/shares
           read only = no

    [printers]
           path = /var/spool/samba/
           printable = yes
           printing = CUPS
    =========================================================


    -- 

    Arnaud Cruzel
    System and Network Administrator
    Institut français du Proche-Orient (Ifpo)
    المعهد الفرنسي للشرق الأدنى
    UMIFRE 6 - MAEDI - CNRS - USR 3135
    Tel. Lebanon: +961 76 596 131
    Tel. France: +33 6 67 51 68 50
    a.cruzel@ifporient.org 
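Editor's note: the page carries no reply to the question above. As an added example (not part of the post, and not Samba project code), the script below parses the `idmap config` lines of an smb.conf like the one posted and reports the two things that bear on the symptom described: the `ad` backend with `schema_mode = rfc2307` only maps accounts that actually carry uidNumber/gidNumber in AD, so an account without them gets no UNIX ID on the member server, and every idmap range must be disjoint from the others. The sample configs, the finding codes and the `rid` variant are constructed for the example; the `rid` backend is shown only as one backend that derives UNIX IDs from the SID instead of reading them from AD, and whether it suits this particular setup (existing file ownership, the netatalk/AFP users) is not something the post settles.

```python
"""Check the idmap configuration of a Samba domain-member smb.conf.

Added example (not from the post above, not Samba project code).  Assumed or
constructed: the sample configs and the finding codes.  Samba facts relied on:
idmap ranges must not overlap, and the `ad` backend maps only accounts that
have uidNumber/gidNumber in AD, while `rid`/`autorid` compute IDs from the SID.
"""
from __future__ import annotations

import re

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)

# Backends that derive the UNIX ID from the SID: no uidNumber/gidNumber needed.
ALGORITHMIC_BACKENDS = {"rid", "autorid"}
# Backends that read uidNumber/gidNumber from the directory: accounts lacking
# them get no mapping on the member server.
DIRECTORY_BACKENDS = {"ad"}


def parse_idmap(conf: str) -> dict[str, dict[str, str]]:
    """Return {DOMAIN: {key: value}} for every idmap config line in smb.conf text."""
    out: dict[str, dict[str, str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).strip().upper(), m.group(2).lower(), m.group(3)
        out.setdefault(dom, {})[key] = val
    return out


def parse_range(val: str) -> tuple[int, int]:
    """Parse 'LOW-HIGH' (spaces tolerated) into a pair of ints."""
    lo, hi = (int(x) for x in re.split(r"\s*-\s*", val.strip(), maxsplit=1))
    return lo, hi


def check_idmap(conf: str) -> list[tuple[str, str, str]]:
    """Return findings as (code, domain, message); an empty list means no issue."""
    cfg = parse_idmap(conf)
    findings: list[tuple[str, str, str]] = []
    ranges: dict[str, tuple[int, int]] = {}

    for dom, keys in cfg.items():
        backend = keys.get("backend", "").lower()
        if "range" not in keys:
            findings.append(("RANGE_MISSING", dom, "idmap config without a range; Samba requires one"))
            continue
        lo, hi = parse_range(keys["range"])
        if lo >= hi:
            findings.append(("RANGE_INVALID", dom, f"range {lo}-{hi} is empty or reversed"))
            continue
        ranges[dom] = (lo, hi)
        if backend in DIRECTORY_BACKENDS:
            findings.append(("NEEDS_RFC2307_ATTRS", dom,
                             f"backend '{backend}' maps only accounts with uidNumber/gidNumber "
                             "in AD; others get no UNIX ID on this member and are denied"))

    # Pairwise overlap check over every configured range (default '*' included).
    doms = list(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(("RANGE_OVERLAP", f"{a}/{b}",
                                 f"ranges {alo}-{ahi} and {blo}-{bhi} overlap; idmap ranges must be disjoint"))
    return findings


# Constructed from the idmap lines of the posted smb.conf (the rest is irrelevant here).
POST_CONF = """
[global]
       # Default idmap config used for BUILTIN and local accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999
       idmap config IFPOAD:backend = ad
       idmap config IFPOAD:schema_mode = rfc2307
       idmap config IFPOAD:range = 10000-99999
       winbind nss info = rfc2307
"""

# Assumed alternative (not from the post): same ranges, domain mapped by 'rid'.
RID_CONF = """
[global]
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999
       idmap config IFPOAD:backend = rid
       idmap config IFPOAD:range = 10000-99999
"""

# Constructed misconfiguration: the domain range collides with the default range.
OVERLAP_CONF = POST_CONF.replace("10000-99999", "5000-99999")

if __name__ == "__main__":
    for name, conf in (("post", POST_CONF), ("rid", RID_CONF), ("overlap", OVERLAP_CONF)):
        print(name, check_idmap(conf) or "no findings")
```

Changing the backend of an existing member changes the UIDs/GIDs it assigns, so files already owned by the old mappings would need their ownership re-mapped; check with `wbinfo -i <user>` and `getent passwd <user>` on the member after any change.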