francis picabia
2017-Jun-29 18:36 UTC
[Samba] 4.4.14 on solaris, using ads, can't read/write as user
On Thu, Jun 29, 2017 at 2:36 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> Your problems lie here:
>
> idmap config * : range = 16777216-33554431
> idmap config * : backend = rid
>
> Why use the range '16777216-33554431' ?

On a working Debian system with Samba 4.1, we have things working OK with:

idmap config MYDOM : range = 70000-9999999999

I started with something like that yesterday, so what you saw today was leftover guesses on something that might help.

> You cannot use 'rid' with the BUILTIN (*) domain, you should use 'tdb'

OK, I've switched it like the tdb example in your link. Auth and connection still working.

> And the main reason why it isn't working, you need a block for the
> 'MYDOM' domain, see here for more info:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

"Block" meaning something like:

[mydom]

in smb.conf?

I am not seeing it at the link. I have not spotted anything on that page we are missing other than mapping the root user, which I'm assuming is optional. I'm not getting the meaning of "need a block for the MYDOM domain".

Mind blown on the minimal krb5.conf example. I've never seen one like it before, but apparently it is enough. I removed all of the lockdir, statedir and cachedir content and restarted winbind and samba.

The "main reason" is really what I need to address, if I understood.
Rowland Penny
2017-Jun-29 18:48 UTC
[Samba] 4.4.14 on solaris, using ads, can't read/write as user
On Thu, 29 Jun 2017 15:36:15 -0300 francis picabia via samba <samba at lists.samba.org> wrote:

> On Thu, Jun 29, 2017 at 2:36 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > Your problems lie here:
> >
> > idmap config * : range = 16777216-33554431
> > idmap config * : backend = rid
> >
> > Why use the range '16777216-33554431' ?
>
> On a working Debian system with Samba 4.1, we have things working OK with:
>
> idmap config MYDOM : range = 70000-9999999999
>
> I started with something like that yesterday, so what you saw today
> was leftover guesses on something that might help.
>
> > You cannot use 'rid' with the BUILTIN (*) domain, you should use
> > 'tdb'
>
> OK, I've switched it like the tdb example in your link. Auth and
> connection still working.
>
> > And the main reason why it isn't working, you need a block for the
> > 'MYDOM' domain, see here for more info:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> "Block" meaning something like:
>
> [mydom]
>
> in smb.conf?
>
> I am not seeing it at the link. I have not spotted anything on that
> page we are missing other than mapping the root user, which I'm
> assuming is optional.

Well, no it isn't actually on that page, you need to follow a hyperlink to this page:

https://wiki.samba.org/index.php/Idmap_config_rid

Rowland
francis picabia
2017-Jun-29 19:28 UTC
[Samba] 4.4.14 on solaris, using ads, can't read/write as user
On Thu, Jun 29, 2017 at 3:48 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> Well, no it isn't actually on that page, you need to follow a
> hyperlink to this page:
>
> https://wiki.samba.org/index.php/Idmap_config_rid

It is really confusing. rid or tdb. I don't know what it wants because the second link has both.

Here is the current config. It will allow a connection to homes or tmp, but as usual I can't operate on 700 files or upload new files to the share on Solaris. It can upload new files to the /tmp, as I've seen work before as well.

[global]
   realm = AD.MYDOM.CA
   workgroup = MYDOM
   log file = /var/log/samba/%m.log
   max log size = 50
   disable spoolss = Yes
   load printers = No
   printcap name = /dev/null
   unix extensions = No
   security = ADS
   template homedir = /export/home/%U
   template shell = /usr/bin/bash
   winbind enum groups = Yes
   winbind enum users = Yes
   winbind use default domain = Yes
   dns proxy = No
   idmap config mydom: backend = rid
   idmap config mydom: range = 100001-200000
   nt acl support = No

[homes]
   comment = Home Directories
   path = %H
   browseable = No
   wide links = Yes
   create mask = 0750
   directory mask = 0750
   read only = No
   valid users = %U

[tmp]
   path = /tmp
   browseable = No
   read only = No

Also tried this:

   idmap config * : range = 80001-100000
   idmap config mydom: backend = rid
   idmap config mydom: range = 100001-200000
   idmap config * : backend = tdb

No difference seen.

What is the Abracadabra? Isn't it easier to compose the solution than send me more links with "If no back end for local BUILTIN accounts and groups on the domain member is configured", which means very little to me?
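The three idmap layouts that appear in this thread (the first attempt with rid on the '*' domain, the posted config with no '*' block at all, and the retry with a tdb '*' block plus a rid MYDOM block) can be checked mechanically before restarting winbind. The following is an added example written for this page, not code from the list posters or from the Samba project: a small smb.conf reader and an idmap audit that applies the rules Rowland states above (the '*' domain must not use rid, the joined domain needs its own 'idmap config WORKGROUP' block) plus the non-overlapping-range rule from the Idmap_config_rid wiki page. The three embedded configs are constructed from the thread; the function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the idmap-relevant lines of the three configs from the thread.
SMB_CONF_FIRST_ATTEMPT = """\
[global]
   workgroup = MYDOM
   security = ADS
   idmap config * : range = 16777216-33554431
   idmap config * : backend = rid
"""

SMB_CONF_AS_POSTED = """\
[global]
   realm = AD.MYDOM.CA
   workgroup = MYDOM
   security = ADS
   winbind use default domain = Yes
   idmap config mydom: backend = rid
   idmap config mydom: range = 100001-200000
[homes]
   path = %H
"""

SMB_CONF_RETRY = """\
[global]
   realm = AD.MYDOM.CA
   workgroup = MYDOM
   security = ADS
   idmap config * : range = 80001-100000
   idmap config mydom: backend = rid
   idmap config mydom: range = 100001-200000
   idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^idmap config (\S+)\s*:\s*(\S+)$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [sections], 'key = value', '#' or ';' comments.
    Parameter names are lower-cased and whitespace-collapsed, as smb.conf
    treats them case-insensitively."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections


def idmap_domains(global_section: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config DOM : option' parameters by domain (upper-cased, '*' kept)."""
    doms: Dict[str, Dict[str, str]] = {}
    for key, value in global_section.items():
        m = IDMAP_RE.match(key)
        if m:
            doms.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    return doms


def parse_range(value: str) -> Tuple[int, int]:
    lo, hi = value.split("-", 1)
    return int(lo), int(hi)


def audit_idmap(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the idmap layout looks sane."""
    findings: List[str] = []
    g = parse_smb_conf(text).get("global", {})
    doms = idmap_domains(g)
    workgroup = g.get("workgroup", "").upper()

    # Rule 1: the '*' (default/BUILTIN) domain needs a block, and not the rid backend.
    default = doms.get("*")
    if default is None:
        findings.append("no 'idmap config *' block: BUILTIN and unknown-domain SIDs cannot be mapped")
    else:
        if default.get("backend", "").lower() == "rid":
            findings.append("'idmap config *' uses backend rid; the default domain needs an allocating backend such as tdb")
        if "range" not in default:
            findings.append("'idmap config *' has no range")

    # Rule 2: the joined domain (workgroup) needs its own backend and range.
    if workgroup:
        dom = doms.get(workgroup)
        if dom is None:
            findings.append(f"no 'idmap config {workgroup}' block for the joined domain")
        else:
            for opt in ("backend", "range"):
                if opt not in dom:
                    findings.append(f"'idmap config {workgroup}' has no {opt}")

    # Rule 3: ranges must be LOW-HIGH and must not overlap between domains.
    ranges: List[Tuple[str, int, int]] = []
    for name, opts in doms.items():
        if "range" in opts:
            try:
                lo, hi = parse_range(opts["range"])
            except ValueError:
                findings.append(f"'idmap config {name} : range' is not LOW-HIGH: {opts['range']!r}")
                continue
            if lo >= hi:
                findings.append(f"'idmap config {name} : range' has LOW >= HIGH")
            ranges.append((name, lo, hi))
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            a, alo, ahi = ranges[i]
            b, blo, bhi = ranges[j]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges of '{a}' and '{b}' overlap")
    return findings


if __name__ == "__main__":
    for label, conf in (("first attempt", SMB_CONF_FIRST_ATTEMPT),
                        ("as posted", SMB_CONF_AS_POSTED),
                        ("retry", SMB_CONF_RETRY)):
        print(label, "->", audit_idmap(conf) or "OK")
```

Run against the thread's configs, the first attempt is flagged twice (rid on '*', no MYDOM block), the posted config once (no '*' block), and the retry passes: its '*' range 80001-100000 and MYDOM range 100001-200000 do not overlap and each domain has a backend. That matches the thread's advice, and it narrows the remaining "can't write as user" symptom to something other than the idmap layout, which is exactly what a checker like this is for before the next restart of winbind.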