Hello,

The recommended range in Samba4 share for BUILTIN users is usually (from Samba wiki)

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999

but if we check for BUILTIN\administrators in idmap.tdb on PDC we have

# record 59
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

So xidNumber is out of idmap range. Does this mean that the domain is misconfigured?

Alexander
On 29/02/2020 14:15, Alexander Kushnirenko via samba wrote:
> Hello,
>
> The recommended range in Samba share for BUILTIN users is usually (from
> Samba wiki)
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999

That is for a Unix domain member and is NOT used on a DC

> but if we check for BUILTIN\administrators in idmap.tdb on PDC we have

No, it isn't a PDC, it is a DC with the PDC-Emulator FSMO role

> # record 59
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000000
> distinguishedName: CN=S-1-5-32-544
>
> So xidNumber is out of idmap range.

xidNumber attributes are only used on a DC and, unless you sync idmap.ldb between DCs, they can and will be different on each DC.

> Does this mean that the domain is misconfigured?

Possibly, but not for the reason you think, so please post your smb.conf files.

Rowland
On 29/02/2020 16:30, Alexander Kushnirenko wrote:
>
> You are right, this is used on Unix domain member

I know I am right, I put that in the wiki ;-)

> Well on DC I see files owned by unix user with UID=3000000 in
> /var/lib/samba/sysvol/, and when I look on the same SYSVOL share from
> windows world I see that the file is owned by BUILTIN\Administrator
> user corresponding to SID=S-1-5-32-544

No you don't, look closer, I am sure you will find that there is an 's' on the end of 'Administrator', the RID for 'Administrator' is '500'

> (For some reason I can not set file owner to BUILTIN\Administrator on
> Unix Domain member share from windows, though it does not worry me too
> much)

I would be worried if you could use Administrator on any Samba domain machine.

> The question perhaps what Unix users correspond to those BUILTIN users
> on unix domain member which correspond to range:
>
> idmap config * : range = 3000-7999
> I could not find any.

Ah, read this:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

> As on unix domain member I get:
> UDM# wbinfo -S S-1-5-32-544
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-544 to uid
> I should mention that for "ordinary" domain users these commands work
> in both directions UID <--> SID

Good.

> UDM# wbinfo -U 3000
> failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert uid 3000 to sid

That doesn't work for me either and I don't worry about it ;-)

> UDM# wbinfo -U 3000000
> failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert uid 3000000 to sid

I would be worried if that did work.

Please post your smb.conf files, I have this feeling you have mistakes in them :-(

Rowland
On 29/02/2020 18:15, Alexander Kushnirenko wrote:
>
> OK, thanks! Does any of them need to be reflected in unix world?

Mostly just Domain Users

> ------------- DC --------------------
> [global]
> kerberos method = system keytab

Please don't set the above on a DC

> client ldap sasl wrapping = sign

That is the default, so doesn't need to be there

> # name resolution support
> local master = yes
> os level = 255
> preferred master = yes

This is an AD DC, so you shouldn't have the three lines above.

> username map = /etc/samba/username.map

No, not on a Samba AD DC, idmap.ldb does this on a DC.

> # winbind enum are needed for getent passwd/group to work

No they aren't, all they do is make 'getent passwd' and 'getent group' display all users & groups. Running 'getent passwd username' without the lines will display individual users, same goes for groups. The other thing they do is slow things down.

>   winbind enum users = yes
>   winbind enum groups = yes

I would remove the two lines above.

>   winbind expand groups = 1

You probably do not need the line above.

> winbind use default domain = Yes

That doesn't work on a DC

> ----------- UNIX DOMAIN MEMBER ----------
> [global]
>   client use spnego = yes

Default setting

>   os level = 2

That is old-school ;-)

>   idmap config BHLAB : backend = ad
>   idmap config BHLAB : schema_mode = rfc2307
>   idmap config BHLAB : range = 10000-19999
>   idmap config BHLAB : unix_nss_info = yes

I take it that you have added uidNumber & gidNumber attributes to AD and that they are inside the '10000-19999' range

>   idmap config BHLAB : unix_primary_group = no

That is the default

> # Use Windows ACL - not there yet, we use POSIX ACL

Why not ?

> #  vfs objects = acl_xattr
> #  map acl inherit = yes
> #  store dos attributes = yes

I would still use them and read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
It works better :-)

> # winbind enum are needed for getent passwd/group to work
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind expand groups = 1

See the DC comments re the above

> #======================= Share Definitions ======================
> [Common]
>    browseable = yes

Default setting

>    directory mask = 0775
>    guest ok = no

Default settings

> [users]
>    browseable = yes

Default setting

>    path = /home/

Not going to work, you need '%U' on the end

>    read only = no
>    writable = yes

These are the same, you only need one

>    force directory mode = 0755
>    guest ok = no

Default settings

I hope the above helps, any more questions, feel free to ask ;-)

Rowland
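Two idmap rules run through the replies above: the `idmap config *` range applies to a Unix domain member, not a DC, and no two idmap ranges may overlap. The following script is an added example, not part of this thread or of Samba, that pulls the `idmap config <domain> : range` lines out of a constructed smb.conf fragment modelled on the BHLAB member config posted above, reports overlapping ranges, and says which range (if any) a given xid such as the DC's 3000000 would fall into on that member.

```python
import re

# Matches "idmap config <domain> : <option> = <value>" (case-insensitive, as smb.conf is).
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap_ranges(smb_conf):
    """Return {domain: (low, high)} for every 'idmap config <domain> : range' line."""
    ranges = {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if not m or m.group(2).lower() != "range":
            continue
        domain, _, value = m.groups()
        low, high = (int(x) for x in value.split("-", 1))
        if low > high:
            raise ValueError(f"inverted idmap range for {domain}: {value}")
        ranges[domain] = (low, high)
    return ranges

def find_overlaps(ranges):
    """Pairs of idmap domains whose ranges intersect; the wiki rule says this must be empty."""
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes

def domain_for_xid(ranges, xid):
    """Idmap domain whose range holds xid, or None if no winbind back end will map it."""
    for domain, (low, high) in ranges.items():
        if low <= xid <= high:
            return domain
    return None

# Constructed domain-member smb.conf fragment, modelled on the one posted in the thread.
MEMBER_CONF = """[global]
   # BUILTIN and other well-known SIDs are mapped through the default (*) domain.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config BHLAB : backend = ad
   idmap config BHLAB : range = 10000-19999
"""
# Same fragment with the BHLAB range mis-typed so it overlaps the default domain (constructed).
BAD_CONF = MEMBER_CONF.replace("10000-19999", "5000-19999")
```

`domain_for_xid(parse_idmap_ranges(MEMBER_CONF), 3000000)` returns None, which is the member-side view of why `wbinfo -U 3000000` fails there: that xid only exists in the DC's idmap.ldb.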
On 15/04/2020 22:33, Alexander Kushnirenko wrote:
> Hi, Rowland!
>
> Could you please help me with [users] share. In Samba 4 they
> recommend following setup:

Who are 'they' ? and where is this recommended ?

> [users]
>          path = /srv/samba/users/
>          read only = no
>          force create mode = 0600
>          force directory mode = 0700
>
> But if I understood correctly you recommended something like this:
> [users]
>   comment = Home
>   path = /home/%U
>   writable = yes
>   create mask = 0644
>
> Which way is better and how does it intersect with usershare path
> definitions?

To be honest, I would recommend this:

[users]
path = /path/to/wherever/%U
read only = no

and then set the ACLs from windows.

Rowland