Hi, all
Using Samba-4.3.5 as an AD member fileserver. It's running in an OpenVZ container (ProxMox VE). The domain is also built on Samba-4.3.5 (another
VM). The fileserver's VM is mounted with the acl and user_xattr options, and Samba
is compiled with ACL support.
What am I doing wrong?
Rowland Penny via samba wrote on 2017-03-10 16:58:
Can you say more concretely what's wrong in my smb.conf?
You say your Samba client is an AD member, aka domain member, but you haven't set up your smb.conf correctly; you also seem to be still
thinking in Samba3 workgroup terms. Can I suggest you go and read
the Samba wiki, start here: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Rowland
Thank you for pointing me to the errors. I've corrected them (I think), so
smb.conf now looks like:
I've corrected your marks, now the config looks like:
os level = 1
case sensitive = no
hide unreadable = yes
log [q]
comment = File share
browseable = yes
path = /opt/q
guest ok = no
read only = no
delete readonly = yes
strict sync = yes
sync always = yes
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
map acl inherit = yes
nt acl support = yes
map system = yes
veto files = /.snap/quota*/*.vmx/autorun.inf/
valid users = @WG\all WG\srvadmin
admin users = @WG\it WG\administrator WG\srvadmin
hide unreadable = yes
vfs objects= full_audit, recycle, acl_xattr
writeable files on exit = yes
access based share enum = yes
map acl inherit = yes
map system = yes
===
You are using the winbind 'ad' backend, have you given your users a
unique uidNumber attribute and also given Domain Users a gidNumber attribute? If you haven't and want to use the 'ad' backend, you
will need to do so.
Using MMC from a Win PC in the domain, in the group properties tab "UNIX
attributes" I assigned a gid to the domain group "all" from the range
500000-600000, as in the domain; for user srvadmin, in the same tab, I set
"primary group name/GID"
- group "all". As I understood this from here: https://wiki.samba.org/index.php/Installing_RSAT and here: https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC
Result:
wbinfo -u - shows users
wbinfo -p - ping OK
wbinfo -n srvadmin - shows user SID (srvadmin - domain user)
wbinfo -i srvadmin - error:
id srvadmin says 'no such user'.
What additional info is needed? I'll post more and more. I'm simply
trying not to post messages that are too long...
Sometimes the wiki has too little info about something, or it's too unclear what
has to be set up or done.
Yes, but have you given Domain Users a gidNumber ???
Samba-4.3.5 is used.
Domain group "all" was set up: in UNIX Attributes "NIS domain" is set
to "WG", Group ID is set to 550000. But when I open the "Unix
Attributes" tab in the group properties it gives me a window "Unwilling
to perform" (in translation from Russian), but it saves the changes I
make there. The same was done for the user: NIS Domain set to "WG", UID set
to 500010, Primary group name set to "all". No errors as above are shown
when selecting the "Unix Attributes" tab.
Another big thanks for help!
All done as you wrote on the samba fileserver. In the tab "UNIX Attributes"
a GID was assigned, two users, "usr1" and "usr2", get a UID from the same tab
and are set to the "Domain Users" primary group. These users are also in one
group in the domain. I tried to do the same for other groups like "all" - same
result. Now, on the file server, 'id usr1' shows user info. Same for
"usr2". Other users, not "shared" from the "UNIX attributes" tab, aren't "visible" to the 'id' command. These users can access the share, but all is
the same as was written in the first message of this topic: "usr1" can
create files/folders, as can "usr2", but "usr2" can't delete file
objects created by "usr1", and vice versa.
I don't understand the next thing: all you wrote to do is, in general, mapping
domain credentials to the linux host, so that commands like 'id',
gethostbyname() system calls and so on work. Earlier (and now) winbind did
"all things" with domain "conversations", and all that has to be done on a
domain member to work with domain credentials is a correctly set up
NSswitch and libs for it. Then why are such complicated "things"
(modifying LDAP, adding fields, increments, mapping users/groups
"by hand" in RSAT, etc.) needed, if all I need is a fileserver for MS
Win clients in the domain, and the domain is running Samba too?
Could there be problems because the fileserver was first set up with
idmap_rid, and now idmap_ad is used? I did 'net cache flush'. Did leave/join domain.
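As an added example (not code from this thread or from the Samba project), here is a small offline check of the point Rowland makes above: with the winbind 'ad' backend a user only resolves on the member if the user has a uidNumber and the user's primary group (Domain Users, RID 513, unless changed) has a gidNumber, and the ids must sit inside the idmap range. The LDIF below is constructed with the range and values quoted in the thread; on a real domain you would feed it an export of the users and groups from the DC (e.g. ldbsearch or ldapsearch output).

```python
"""Offline check of the RFC2307 attributes the winbind 'ad' backend needs: a uidNumber
per user, a gidNumber per group (incl. each user's primary group), all in the idmap range."""

IDMAP_RANGE = (500000, 600000)  # range chosen on the fileserver in this thread

# Constructed sample (not a real domain; dn lines omitted): Domain Users lacks gidNumber.
SAMPLE_LDIF = """\
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513

objectClass: user
sAMAccountName: srvadmin
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
uidNumber: 500010
primaryGroupID: 513
"""

def parse_ldif(text):
    """Split LDIF into a list of {attr: [values]}; a blank line ends an entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if line.strip():
            key, _, value = line.partition(":")
            cur.setdefault(key.strip(), []).append(value.strip())
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def check_idmap_ad(ldif_text, id_range=IDMAP_RANGE):
    """Return problems that make 'id <user>' fail or leave ids outside the range."""
    lo, hi = id_range
    problems, gid_by_rid = [], {}
    entries = parse_ldif(ldif_text)
    for e in [x for x in entries if "group" in x.get("objectClass", [])]:
        name, rid = e["sAMAccountName"][0], int(e["objectSid"][0].rsplit("-", 1)[1])
        gid_by_rid[rid] = int(e["gidNumber"][0]) if "gidNumber" in e else None
        if gid_by_rid[rid] is None:
            problems.append(f"group {name} has no gidNumber")
    for e in [x for x in entries if "user" in x.get("objectClass", [])]:
        name = e["sAMAccountName"][0]
        if "uidNumber" not in e:
            problems.append(f"user {name} has no uidNumber")
        elif not lo <= int(e["uidNumber"][0]) <= hi:
            problems.append(f"user {name} uidNumber {e['uidNumber'][0]} outside idmap range")
        prid = int(e.get("primaryGroupID", ["513"])[0])  # 513 = RID of Domain Users
        if gid_by_rid.get(prid) is None:
            problems.append(f"user {name}: primary group RID {prid} has no gidNumber")
    return problems
```

On the sample, srvadmin has a valid uidNumber yet is still reported, because Domain Users, his primary group, has no gidNumber; that is exactly the case where 'id srvadmin' answers 'no such user'.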