On 24.02.20 at 10:34, Rowland penny via samba wrote:
> Change the owner to 'root' and never use Administrator on a Unix domain
> member.

wiki says:

# chown root:"Unix Admins" /srv/samba/Demo/
# chmod 0770 /srv/samba/Demo/

I don't have "Unix Admins" ...

and the chown to root makes my Windows-connections fail with
Administrator ... the users seem to stay connected, though

On 25/02/2020 13:04, Stefan G. Weichinger via samba wrote:
> On 24.02.20 at 10:34, Rowland penny via samba wrote:
>
>> Change the owner to 'root' and never use Administrator on a Unix domain
>> member.
> wiki says:
>
> # chown root:"Unix Admins" /srv/samba/Demo/
> # chmod 0770 /srv/samba/Demo/
>
> I don't have "Unix Admins" ...

And it says immediately above that: .... For example:

And further up the page, in a blue 'NOTE' box, it says this:

If you use the winbind 'ad' backend on Unix domain members and you add a
gidNumber attribute to the |Domain Admins| group in AD, you will break
the mapping in |idmap.ldb|. |Domain Admins| is mapped as |ID_TYPE_BOTH|
in |idmap.ldb|, this is to allow the group to own files in |Sysvol| on a
Samba AD DC. It is suggested you create a new group (|Unix Admins| for
instance), give this group a |gidNumber| attribute and add it to the
|Administrators| group and then, on Unix, use the group wherever you
would normally use |Domain Admins|.

You do not need to use another group, but if you give Domain Admins a
gidNumber, you will have problems in sysvol.

> and the chown to root makes my Windows-connections fail with
> Administrator ...

Do you have a user.map line in smb.conf ?

Something like this:

username map = /etc/samba/smb.conf

Which contains something like this:

!root = DOMAIN\Administrator

Rowland

On 25.02.20 at 14:16, Rowland penny via samba wrote:
> On 25/02/2020 13:04, Stefan G. Weichinger via samba wrote:
>> On 24.02.20 at 10:34, Rowland penny via samba wrote:
>>
>>> Change the owner to 'root' and never use Administrator on a Unix domain
>>> member.
>> wiki says:
>>
>> # chown root:"Unix Admins" /srv/samba/Demo/
>> # chmod 0770 /srv/samba/Demo/
>>
>> I don't have "Unix Admins" ...
>
> And it says immediately above that: .... For example:
>
> And further up the page, in a blue 'NOTE' box, it says this:
>
> If you use the winbind 'ad' backend on Unix domain members and you add a
> gidNumber attribute to the |Domain Admins| group in AD, you will break
> the mapping in |idmap.ldb|. |Domain Admins| is mapped as |ID_TYPE_BOTH|
> in |idmap.ldb|, this is to allow the group to own files in |Sysvol| on a
> Samba AD DC. It is suggested you create a new group (|Unix Admins| for
> instance), give this group a |gidNumber| attribute and add it to the
> |Administrators| group and then, on Unix, use the group wherever you
> would normally use |Domain Admins|.

I use the "rid" backend ...

> You do not need to use another group, but if you give Domain Admins a
> gidNumber, you will have problems in sysvol.

Can't remember having done that ...

>> and the chown to root makes my Windows-connections fail with
>> Administrator ...
>
> Do you have a user.map line in smb.conf ?
>
> Something like this:
>
> username map = /etc/samba/smb.conf
>
> Which contains something like this:
>
> !root = DOMAIN\Administrator

Yes.

On 25.02.20 at 14:16, Rowland penny via samba wrote:
> Do you have a user.map line in smb.conf ?
>
> Something like this:
>
> username map = /etc/samba/smb.conf

It should be more like:

username map = /etc/samba/samba_usermapping

and not point to smb.conf, right? ;-)

> Which contains something like this:
>
> !root = DOMAIN\Administrator

# cat /etc/samba/samba_usermapping
!root = CST\Administrator CST\administrator
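
An added example, not part of the thread and not Samba's own code: a Python sketch of how a `username map` file like the one posted above is evaluated, following the rules documented in smb.conf(5) (`!` stops processing once that line matches, otherwise a later matching line overrides an earlier one, `*` matches any name). The function names and the case-insensitive comparison are assumptions of this sketch, and `@group`-style entries are skipped because they need system lookups.

```python
import re

# Constructed sample: the map file content posted in the thread.
SAMPLE_MAP = "!root = CST\\Administrator CST\\administrator\n"


def parse_usermap(text):
    """Return a list of (unix_name, client_names, stop_if_matched) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        stop = line.startswith("!")           # '!': stop here if this line maps
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        unix_name = unix_name.strip()
        if not sep or not unix_name:          # malformed line, ignore it
            continue
        # Client names are whitespace separated; names with spaces are quoted.
        # A regex is used instead of shlex so the DOMAIN\user backslash survives.
        names = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', rhs)]
        rules.append((unix_name, [n for n in names if n], stop))
    return rules


def map_client_name(rules, client_name):
    """Return the Unix name a client name ends up as (unchanged if unmapped)."""
    result = client_name
    wanted = client_name.lower()              # assumption: case-insensitive match
    for unix_name, names, stop in rules:
        for name in names:
            if name[0] in "@+&":              # group lookups are out of scope here
                continue
            if name == "*" or name.lower() == wanted:
                result = unix_name
                break
        else:
            continue                          # this line did not match
        if stop:
            break                             # '!' line matched: stop processing
    return result


if __name__ == "__main__":
    rules = parse_usermap(SAMPLE_MAP)
    for who in ("CST\\Administrator", "CST\\stefan"):
        print(who, "->", map_client_name(rules, who))
```

Running it against a copy of the real map file shows which client names end up as `root` on the member server, which is the mapping the chown advice in the thread depends on.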