Rowland penny
2016-Jul-28 13:28 UTC
[Samba] Why is Samba4 not recommended as a file server?
On 28/07/16 13:59, Jim Seymour wrote:
> On Thu, 28 Jul 2016 13:15:43 +0100
> Rowland penny <rpenny at samba.org> wrote:
>
> [snip]
>> Yes it does sound strange, but, on windows, groups can and do own
>> directories & files. An xidNumber is just that, a number, it is the
>> context in how that number is used that is important. If you give
>> Domain Admins a gidNumber attribute, then Domain Admins becomes just
>> a group, ...
> [snip]
>
> Hmmm...
>
> ----------------------------------------------------------------------
> $ ldapsearch -x -ZZZ -b 'ou=Groups,dc=example,dc=com' 'cn=Domain Admins'
> # extended LDIF
> #
> # LDAPv3
> # base <ou=Groups,dc=example,dc=com> with scope subtree
> # filter: cn=Domain Admins
> # requesting: ALL
> #
>
> # Domain Admins, Groups, example.com
> dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: Domain Admins
> gidNumber: 512
> memberUid: root
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-3861070848-2803670205-3675378528-512
> sambaGroupType: 2
> displayName: Domain Admins
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> $ ldapmodify -x -ZZZ -W -D 'cn=admin,dc=example,dc=com'
> Enter LDAP Password:
> dn: cn=Domain Users,ou=Groups,dc=example,dc=com
> changetype: modify
> delete: gidNumber
> modifying entry "cn=Domain Users,ou=Groups,dc=example,dc=com"
> ^D
> ldap_modify: Object class violation (65)
>         additional info: object class 'posixGroup' requires attribute
> 'gidNumber'
>
> ----------------------------------------------------------------------
>
> To me this implies that "posixGroup"s and an AD are incompatible?
>
> (N.B.: I'm only posting this to satisfy my curiosity, not for any
> practical reason.)
>
> Regards,
> Jim

Two things here, I was talking AD and your ldif is from an NT4-style
ldap domain and in AD you don't need to explicitly set the posixGroup
objectClass.

Rowland
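Editor's added example (not code from the thread, from Samba or from OpenLDAP): a small LDIF parser plus a MUST/MAY object-class check that replays the quoted `delete: gidNumber` against two schema models. RFC 2307 declares posixGroup with MUST ( cn $ gidNumber ), which is the actual reason the quoted ldapmodify returns "Object class violation (65)"; on an AD-style group object gidNumber is only an optional attribute and, as Rowland says, no posixGroup objectClass has to be set. The NT4-style table follows RFC 2307 and samba.schema; the AD-style `group` class here is a deliberately simplified assumption, not the real AD or Samba AD schema, and the AD-style LDIF record is constructed for the example.

```python
import copy

# Schema model: class -> (MUST, MAY).  Names are kept in canonical case and
# compared case-insensitively, as LDAP does.  NT4-style = RFC 2307 posixGroup
# plus samba.schema's sambaGroupMapping.  AD-style = a simplified 'group'
# class on which gidNumber is only MAY (assumption, not the real schema).
NT4_SCHEMA = {
    "top": ({"objectClass"}, set()),
    "posixGroup": ({"cn", "gidNumber"}, {"userPassword", "memberUid", "description"}),
    "sambaGroupMapping": ({"gidNumber", "sambaSID", "sambaGroupType"},
                          {"displayName", "sambaSIDList"}),
}
AD_SCHEMA = {
    "top": ({"objectClass"}, set()),
    "group": ({"cn", "sAMAccountName", "groupType"},
              {"gidNumber", "memberUid", "member", "description", "displayName"}),
}


def parse_ldif(text):
    """Parse LDIF into {dn: {attr_lower: [values]}}: '#' comments, folded
    lines (leading space) and blank-line separators are handled; records
    without a dn (ldapsearch's 'search:/result:' trailer) are skipped."""
    entries, record = {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and record:
            record[-1] += raw[1:]
        elif raw.strip() == "":
            attrs = {}
            for line in record:
                name, _, value = line.partition(":")
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
            if "dn" in attrs:
                entries[attrs.pop("dn")[0]] = attrs
            record = []
        elif not raw.startswith("#"):
            record.append(raw)
    return entries


def check_entry(attrs, schema):
    """Return schema violations, worded like OpenLDAP's 'additional info'."""
    lookup = {n.lower(): (n, must, may) for n, (must, may) in schema.items()}
    problems, allowed = [], set()
    for oc in attrs.get("objectclass", []):
        if oc.lower() not in lookup:
            problems.append(f"unknown object class '{oc}'")
            continue
        name, must, may = lookup[oc.lower()]
        allowed |= {a.lower() for a in must | may}
        problems += [f"object class '{name}' requires attribute '{a}'"
                     for a in sorted(must) if a.lower() not in attrs]
    problems += [f"attribute '{a}' not allowed" for a in sorted(attrs) if a not in allowed]
    return problems


def ldap_modify(attrs, changes, schema):
    """Apply [(op, attr, values)] to a copy of the entry and validate it.
    Returns (result_code, info, attrs); 65 is LDAP objectClassViolation and
    then the original entry comes back untouched, as a server would leave it."""
    new = copy.deepcopy(attrs)
    for op, attr, values in changes:
        key = attr.lower()
        if op == "add":
            new.setdefault(key, []).extend(values)
        elif op == "replace":
            new[key] = list(values)
        elif op == "delete":   # no values = drop the whole attribute
            new[key] = [v for v in new.get(key, []) if values and v not in values]
        else:
            raise ValueError(f"unknown change type {op!r}")
        if key in new and not new[key]:
            del new[key]
    problems = check_entry(new, schema)
    if problems:
        return 65, "Object class violation: " + "; ".join(problems), attrs
    return 0, "Success", new


# The entry quoted in the thread, plus ldapsearch's result trailer.
NT4_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-3861070848-2803670205-3675378528-512
sambaGroupType: 2
displayName: Domain Admins

# search result
search: 3
result: 0 Success
"""
# Constructed AD-style counterpart (hypothetical DN, illustrative values).
AD_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: Domain Admins
sAMAccountName: Domain Admins
groupType: -2147483646
gidNumber: 512
"""
DROP_GID = [("delete", "gidNumber", [])]   # the thread's 'delete: gidNumber'


def demo():
    """Replay the modify against both models; returns (nt4_result, ad_result)."""
    nt4 = parse_ldif(NT4_LDIF)["cn=Domain Admins,ou=Groups,dc=example,dc=com"]
    ad = parse_ldif(AD_LDIF)["CN=Domain Admins,CN=Users,DC=example,DC=com"]
    return ldap_modify(nt4, DROP_GID, NT4_SCHEMA), ldap_modify(ad, DROP_GID, AD_SCHEMA)


if __name__ == "__main__":
    for code, info, _ in demo():
        print(code, info)
```

Run stand-alone it prints the 65 result with the posixGroup (and sambaGroupMapping, whose MUST list also carries gidNumber) complaint for the NT4-style entry and 0 Success for the AD-style one. The point for an operator is that the error is a property of the OpenLDAP schema the NT4-style domain uses, not of gidNumber itself; against a Samba AD DC the same attribute can be removed from a group because nothing there makes it mandatory.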
Data Control Systems - Mike Elkevizth
2016-Jul-28 15:14 UTC
[Samba] Why is Samba4 not recommended as a file server?
Just to throw in my two cents, I too would love to see winbind on a DC
"act" the same as it does on a non-DC. I use my DCs as file servers, but
have had to use a number of workarounds because of how winbind acts
differently on a DC. I've not only had trouble with the idmappings, but
the fact that it doesn't honor all of the rfc2307 attributes. For
instance, I have a couple of users that use a file synchronization
script to keep files between the server and their laptops in sync. This
script requires them to logon to the file server (which is also a DC).
Because winbind on the DC doesn't honor my rfc2307 shell settings, I
have to revert to using the "template shell =" setting in smb.conf which
means now that all of my users can logon to the DC even if I don't want
them to all have access to that. I really don't understand why they
don't act the same?

Mike E.

On Thu, Jul 28, 2016 at 9:30 AM Rowland penny <rpenny at samba.org> wrote:
> On 28/07/16 13:59, Jim Seymour wrote:
> > On Thu, 28 Jul 2016 13:15:43 +0100
> > Rowland penny <rpenny at samba.org> wrote:
> >
> > [snip]
> >> Yes it does sound strange, but, on windows, groups can and do own
> >> directories & files. An xidNumber is just that, a number, it is the
> >> context in how that number is used that is important. If you give
> >> Domain Admins a gidNumber attribute, then Domain Admins becomes just
> >> a group, ...
> > [snip]
> >
> > Hmmm...
> >
> > ----------------------------------------------------------------------
> > $ ldapsearch -x -ZZZ -b 'ou=Groups,dc=example,dc=com' 'cn=Domain Admins'
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <ou=Groups,dc=example,dc=com> with scope subtree
> > # filter: cn=Domain Admins
> > # requesting: ALL
> > #
> >
> > # Domain Admins, Groups, example.com
> > dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
> > objectClass: top
> > objectClass: posixGroup
> > objectClass: sambaGroupMapping
> > cn: Domain Admins
> > gidNumber: 512
> > memberUid: root
> > description: Netbios Domain Administrators
> > sambaSID: S-1-5-21-3861070848-2803670205-3675378528-512
> > sambaGroupType: 2
> > displayName: Domain Admins
> >
> > # search result
> > search: 3
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> > $ ldapmodify -x -ZZZ -W -D 'cn=admin,dc=example,dc=com'
> > Enter LDAP Password:
> > dn: cn=Domain Users,ou=Groups,dc=example,dc=com
> > changetype: modify
> > delete: gidNumber
> > modifying entry "cn=Domain Users,ou=Groups,dc=example,dc=com"
> > ^D
> > ldap_modify: Object class violation (65)
> >         additional info: object class 'posixGroup' requires attribute
> > 'gidNumber'
> >
> > ----------------------------------------------------------------------
> >
> > To me this implies that "posixGroup"s and an AD are incompatible?
> >
> > (N.B.: I'm only posting this to satisfy my curiosity, not for any
> > practical reason.)
> >
> > Regards,
> > Jim
>
> Two things here, I was talking AD and your ldif is from an NT4-style
> ldap domain and in AD you don't need to explicitly set the posixGroup
> objectClass.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Rowland penny
2016-Jul-28 15:27 UTC
[Samba] Why is Samba4 not recommended as a file server?
On 28/07/16 16:14, Data Control Systems - Mike Elkevizth wrote:
> Just to throw in my two cents, I too would love to see winbind on a DC
> "act" the same as it does on a non-DC. I use my DCs as file servers,
> but have had to use a number of workarounds because of how winbind
> acts differently on a DC. I've not only had trouble with the
> idmappings, but the fact that it doesn't honor all of the rfc2307
> attributes. For instance, I have a couple of users that use a file
> synchronization script to keep files between the server and their
> laptops in sync. This script requires them to logon to the file
> server (which is also a DC). Because winbind on the DC doesn't honor
> my rfc2307 shell settings, I have to revert to using the "template
> shell =" setting in smb.conf which means now that all of my users can
> logon to the DC even if I don't want them to all have access to that.
> I really don't understand why they don't act the same?
>
>
There is a bug report about this:

https://bugzilla.samba.org/show_bug.cgi?id=10886

Rowland