On 9/24/20 12:10 PM, Rowland penny via samba wrote:
> On 24/09/2020 16:58, Ken Bass via samba wrote:
>> On 9/24/20 11:51 AM, Aurélien Aptel wrote:
>>> The request-keys config looks right.
>>>
>>> You can check if winbind is properly configured trying to map with the
>>> winbind CLI client called wbinfo. For example:
>>>
>>> # wbinfo -i NUC\\administrator
>>> NUC\administrator:*:20501:20514::/home/NUC/administrator:/bin/bash
>>>                     ^^^^^ ^^^^^
>>>                      uid   gid
>>>
>>> Cheers,
>>
>> # wbinfo -i MYDOM\\user
>> user:*:1001:1001::/home/user:/bin/bash
>>
>> Those uid/gid are correct. They match the server and also match the
>> uid/gid in the AD for the user.
>> It seems everything is working except for the cifsacl id mapping part.
>
> I am beginning to think you are running Samba as a standalone server
> in an AD domain, if so, why ?
>
> As I said, posting your smb.conf will prove this.
>
> Rowland

I already did that, two posts ago. Did it not make it to the list - I see it.

Server role: ROLE_DOMAIN_MEMBER

I have 'winbind use default domain = Yes ' enabled if that is what you are getting at.

On 24/09/2020 17:18, Ken Bass via samba wrote:
> On 9/24/20 12:10 PM, Rowland penny via samba wrote:
>> On 24/09/2020 16:58, Ken Bass via samba wrote:
>>> On 9/24/20 11:51 AM, Aurélien Aptel wrote:
>>>> The request-keys config looks right.
>>>>
>>>> You can check if winbind is properly configured trying to map with the
>>>> winbind CLI client called wbinfo. For example:
>>>>
>>>> # wbinfo -i NUC\\administrator
>>>> NUC\administrator:*:20501:20514::/home/NUC/administrator:/bin/bash
>>>>                     ^^^^^ ^^^^^
>>>>                      uid   gid
>>>>
>>>> Cheers,
>>>
>>> # wbinfo -i MYDOM\\user
>>> user:*:1001:1001::/home/user:/bin/bash
>>>
>>> Those uid/gid are correct. They match the server and also match the
>>> uid/gid in the AD for the user.
>>> It seems everything is working except for the cifsacl id mapping part.
>>
>> I am beginning to think you are running Samba as a standalone server
>> in an AD domain, if so, why ?
>>
>> As I said, posting your smb.conf will prove this.
>>
>> Rowland
>
> I already did that, two posts ago. Did it not make it to the list - I
> see it.
> Server role: ROLE_DOMAIN_MEMBER
>
> I have 'winbind use default domain = Yes ' enabled if that is what you
> are getting at.

OOOPs, missed it :-[

OK, you are using users & groups in the 1000-29999 range, why ? could it be that you have the same users in /etc/passwd and AD ?

You are using 'cifsacls' and this calculates a 32 bit ID from the SID, so it is unlikely your users are getting the same ID from Samba and cifsacls, I get the feeling that you use one or the other, not both :-\

Rowland

On 9/24/20 1:06 PM, Rowland penny via samba wrote:
> OK, you are using users & groups in the 1000-29999 range, why ? could
> it be that you have the same users in /etc/passwd and AD ?

On my Linux installs, I allow for a 'local' account with user id 1000. That is the only local account and is used for installing the OS (or in case AD is down). All other user/group accounts are >= 1001 and come from the AD. Technically that line should probably be 1001-29999, but not sure if that would impact user 1001. The only user in my /etc/passwd is

local:x:1000:1000:local,,,:/home/local:/bin/bash

> You are using 'cifsacls' and this calculates a 32 bit ID from the SID,
> so it is unlikely your users are getting the same ID from Samba and
> cifsacls, I get the feeling that you use one or the other, not both :-\

Can you please expand on this, I am confused as to what you are suggesting. If 'getent pass' works properly and shows no overlap/confusion, this seems to be related to cifsacl.
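
The overlap question raised in this thread (one local account at uid 1000 and an ID range of 1000-29999, versus 1001-29999) can be checked mechanically. The following is an added example, not code from any poster or from the Samba project; the function names and the root/daemon sample lines are constructed, while the `local` line and both range strings are the ones quoted in the thread.

```python
"""Flag local accounts whose uid or primary gid falls inside an ID-mapping range."""

def parse_range(text):
    """Parse a 'low-high' range string into an inclusive (low, high) tuple."""
    low, sep, high = text.strip().partition("-")
    if not sep:
        raise ValueError(f"not a range: {text!r}")
    low, high = int(low), int(high)
    if low > high:
        raise ValueError(f"range is reversed: {text!r}")
    return low, high

def parse_passwd(text):
    """Yield (name, uid, gid) from passwd(5)-format lines, skipping malformed ones."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        yield fields[0], int(fields[2]), int(fields[3])

def find_overlaps(local_passwd, idmap_range):
    """Return (name, kind, id) for every local id that lies inside the range."""
    low, high = parse_range(idmap_range)
    hits = []
    for name, uid, gid in parse_passwd(local_passwd):
        if low <= uid <= high:
            hits.append((name, "uid", uid))
        if low <= gid <= high:  # primary gid only; /etc/group is not read here
            hits.append((name, "gid", gid))
    return hits

# Constructed sample: root and daemon are made up, 'local' is the line from the thread.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
local:x:1000:1000:local,,,:/home/local:/bin/bash
"""

if __name__ == "__main__":
    for rng in ("1000-29999", "1001-29999"):
        print(rng, find_overlaps(LOCAL_PASSWD, rng))
```

On a real host, pass the contents of `/etc/passwd` (the local file, not `getent passwd`, which also returns winbind users) as the first argument.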