On Thu, 2021-07-01 at 15:51 -0400, Eric Levy via samba wrote:
> On Thu, 2021-07-01 at 09:48 +0100, Rowland Penny via samba wrote:
> > > If all the users in all the machines accessing the share in your
> > > network share the same UID namespace without conflicts, then in
> > > that case you could use idsfromsid I think. With it, any *new*
> > > file created by user bob will show up on the share as owned by a
> > > special SID that contains the UID. And only files created with
> > > that mount option should be listed back with bob uid.
> > >
> > > That being said, if you have the same uid namespace on all
> > > machines for user bob, that means you already have some sort of
> > > centralized identification server similar to AD and are using
> > > winbind or sssd.
> >
> > That's the problem, he isn't, he is running Samba as a standalone
> > server, it would be a lot easier if he was running Samba as a Unix
> > domain member.
> >
> > Rowland
>
> Not using a domain is a preference based on a hope to achieve the
> stated behavior as simply as possible. All else being equal, two
> nodes is simpler than two nodes plus a domain server. Both hardware
> and administrative resources are scarce. I had hoped that the
> coordination of users and permissions might be accomplished between
> two nodes using only what is already provided by these nodes.
> Certainly, support for such a case would be a very helpful feature.
> A domain by definition is most relevant when the number of other
> nodes exceeds two, so it is not optimal to face the requirement to
> create a domain just to add capabilities to the way two nodes
> interact.
>
> I am not opposed categorically to a domain server, but as the
> resources to provision and to maintain any configuration are minimal,
> and as most information on the topic of domain servers is targeted at
> administrators managing full-scale commercial or institutional
> deployments, I am wondering what information or references
> participants on this list might offer to help me understand how to
> achieve this result as efficiently as possible.
>
> Available nodes are limited to the Synology device, which has some
> support for domain servers through add-on packages, and any virtual
> machines I may create on the same device. In fact, the "server" I
> earlier mentioned is actually a virtual machine on the Synology
> device. I had omitted this detail because it is doubtful that it
> would affect any answer given so far.
>
> To summarize, I think the following would be most helpful, at this
> stage:
>
> 1. Any concise resources explaining how to create a basic
>    configuration of a domain server on the Synology device, for the
>    stated use case, assuming minimal knowledge on the subject.
> 2. A concrete example of the simplest mount command expected to
>    satisfy the case.
>

A Samba standalone server is akin to a Windows PC that isn't a member
of a domain, a group of such machines is usually described as a
workgroup.
For a workgroup to work, you need to create the same users and groups
on all workgroup members, with preferably the same passwords. This is
okay for a small number of computers, certainly no more than twenty,
after that it gets out of hand, this is why domains were created. You
say that there are only two computers involved, I find this hard to
believe, surely there are going to be other client machines.

I have never used a Synology device, but they have cropped up on this
list from time to time, usually with problems similar to yours. I can
only advise what I know works with standard Samba, unfortunately
Synology does not seem to want you to alter the smb.conf file manually.

Louis posted a link to Synology's source code on Sourceforge and if
that link is the latest available (it is dated 2020-10-01) then it is
using a very old version of Samba (4.4.16 to be precise) and I wouldn't
use it. What does 'smbd -V' output?
If the source code is to be believed, there are three extra
directories, SynoBuildConf, synocache and synosmb, there are probably
other changes.

What are your clients running?

Rowland

On Thu, 2021-07-01 at 21:53 +0100, Rowland Penny via samba wrote:
> > Not using a domain is a preference based on a hope to achieve the
> > stated behavior as simply as possible. All else being equal, two
> > nodes is simpler than two nodes plus a domain server. Both hardware
> > and administrative resources are scarce. I had hoped that the
> > coordination of users and permissions might be accomplished between
> > two nodes using only what is already provided by these nodes.
> > Certainly, support for such a case would be a very helpful feature.
> > A domain by definition is most relevant when the number of other
> > nodes exceeds two, so it is not optimal to face the requirement to
> > create a domain just to add capabilities to the way two nodes
> > interact.
> >
> > I am not opposed categorically to a domain server, but as the
> > resources to provision and to maintain any configuration are
> > minimal, and as most information on the topic of domain servers is
> > targeted at administrators managing full-scale commercial or
> > institutional deployments, I am wondering what information or
> > references participants on this list might offer to help me
> > understand how to achieve this result as efficiently as possible.
> >
> > Available nodes are limited to the Synology device, which has some
> > support for domain servers through add-on packages, and any virtual
> > machines I may create on the same device. In fact, the "server" I
> > earlier mentioned is actually a virtual machine on the Synology
> > device. I had omitted this detail because it is doubtful that it
> > would affect any answer given so far.
> >
> > To summarize, I think the following would be most helpful, at this
> > stage:
> >
> > 1. Any concise resources explaining how to create a basic
> >    configuration of a domain server on the Synology device, for the
> >    stated use case, assuming minimal knowledge on the subject.
> > 2. A concrete example of the simplest mount command expected to
> >    satisfy the case.
> >
>
> A Samba standalone server is akin to a Windows PC that isn't a member
> of a domain, a group of such machines is usually described as a
> workgroup.
> For a workgroup to work, you need to create the same users and groups
> on all workgroup members, with preferably the same passwords. This is
> okay for a small number of computers, certainly no more than twenty,
> after that it gets out of hand, this is why domains were created. You
> say that there are only two computers involved, I find this hard to
> believe, surely there are going to be other client machines.
>
> I have never used a Synology device, but they have cropped up on this
> list from time to time, usually with problems similar to yours. I can
> only advise what I know works with standard Samba, unfortunately
> Synology does not seem to want you to alter the smb.conf file
> manually.
>
> Louis posted a link to Synology's source code on Sourceforge and if
> that link is the latest available (it is dated 2020-10-01) then it is
> using a very old version of Samba (4.4.16 to be precise) and I
> wouldn't use it. What does 'smbd -V' output?
> If the source code is to be believed, there are three extra
> directories, SynoBuildConf, synocache and synosmb, there are probably
> other changes.
>
> What are your clients running?
>
> Rowland

As you anticipate, other clients would access the shares as well, but
would do so according to a more familiar single-user per-session style
of mount. The server is a special case because it runs automatic tasks
and supports multiple concurrent logins, giving rise to the requirement
that files from the mount are available at all times, beginning
immediately after boot, and appear locally according to the same
permissions as though the same users were running tasks directly on the
storage device. Thus, the occurrence of these clients has seemed to me
incidental, and unlikely to change any answer that would be given in
this discussion. All clients are running Linux, but from time to time
Windows clients may also access the shares.

Currently, I have users on the Linux server and the Synology storage
device with the same user names and passwords. However, your comments
about the relevance of the workgroup confuse me, because mounting a
share through Samba involves providing a host name and share name, but
not a workgroup. Perhaps you might clarify how the mount would
participate, in any sense, in the workgroup, rather than simply being a
connection between two network endpoints.

Synology attempts to restrict modifications of smb.conf, but does
provide a graphical interface for control over some of the options.
Synology also provides an add-on package to allow the device to act as
a domain server.

The smbd version is reported as follows:

Version 4.10.18
Synology Build 41858, May 4 2021 12:54:26

All that Aurélien said. +

Now which DSM are you running, 6.x or 7.0?

Because when it's 7.0
>> NT4 domains are no longer supported. Current NT4 domains will be
>> unavailable after the update.

And
>> DSM 7.0 by default disables NTLMv1 and enables NTLMv2 only, so SMB
>> clients (e.g., Windows XP devices, media players, network printers,
>> smart TVs, and IP cameras) won't be able to access your Synology NAS.
>> To restore the connection after the update, go to
>> Control Panel > File Services > SMB > Advanced Settings > Others
>> and enable NTLMv1 authentication.

https://www.synology.com/en-global/dsm/feature/active_directory

Set it up, join the domain and you're set.
Stop fiddling around and avoid the configs that will break your setup
in the near future.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Eric Levy via samba
> Sent: Thursday, 1 July 2021 23:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] multiuser with simple user mapping
>
> On Thu, 2021-07-01 at 21:53 +0100, Rowland Penny via samba wrote:
> > > Not using a domain is a preference based on a hope to achieve the
> > > stated behavior as simply as possible. All else being equal, two
> > > nodes is simpler than two nodes plus a domain server. Both
> > > hardware and administrative resources are scarce. I had hoped
> > > that the coordination of users and permissions might be
> > > accomplished between two nodes using only what is already
> > > provided by these nodes. Certainly, support for such a case would
> > > be a very helpful feature. A domain by definition is most
> > > relevant when the number of other nodes exceeds two, so it is not
> > > optimal to face the requirement to create a domain just to add
> > > capabilities to the way two nodes interact.
> > >
> > > I am not opposed categorically to a domain server, but as the
> > > resources to provision and to maintain any configuration are
> > > minimal, and as most information on the topic of domain servers
> > > is targeted at administrators managing full-scale commercial or
> > > institutional deployments, I am wondering what information or
> > > references participants on this list might offer to help me
> > > understand how to achieve this result as efficiently as possible.
> > >
> > > Available nodes are limited to the Synology device, which has
> > > some support for domain servers through add-on packages, and any
> > > virtual machines I may create on the same device. In fact, the
> > > "server" I earlier mentioned is actually a virtual machine on the
> > > Synology device. I had omitted this detail because it is doubtful
> > > that it would affect any answer given so far.
> > >
> > > To summarize, I think the following would be most helpful, at
> > > this stage:
> > >
> > > 1. Any concise resources explaining how to create a basic
> > >    configuration of a domain server on the Synology device, for
> > >    the stated use case, assuming minimal knowledge on the subject.
> > > 2. A concrete example of the simplest mount command expected to
> > >    satisfy the case.
> > >
> >
> > A Samba standalone server is akin to a Windows PC that isn't a
> > member of a domain, a group of such machines is usually described
> > as a workgroup.
> > For a workgroup to work, you need to create the same users and
> > groups on all workgroup members, with preferably the same
> > passwords. This is okay for a small number of computers, certainly
> > no more than twenty, after that it gets out of hand, this is why
> > domains were created. You say that there are only two computers
> > involved, I find this hard to believe, surely there are going to be
> > other client machines.
> >
> > I have never used a Synology device, but they have cropped up on
> > this list from time to time, usually with problems similar to
> > yours. I can only advise what I know works with standard Samba,
> > unfortunately Synology does not seem to want you to alter the
> > smb.conf file manually.
> >
> > Louis posted a link to Synology's source code on Sourceforge and if
> > that link is the latest available (it is dated 2020-10-01) then it
> > is using a very old version of Samba (4.4.16 to be precise) and I
> > wouldn't use it. What does 'smbd -V' output?
> > If the source code is to be believed, there are three extra
> > directories, SynoBuildConf, synocache and synosmb, there are
> > probably other changes.
> >
> > What are your clients running?
> >
> > Rowland
>
> As you anticipate, other clients would access the shares as well, but
> would do so according to a more familiar single-user per-session
> style of mount. The server is a special case because it runs
> automatic tasks and supports multiple concurrent logins, giving rise
> to the requirement that files from the mount are available at all
> times, beginning immediately after boot, and appear locally according
> to the same permissions as though the same users were running tasks
> directly on the storage device. Thus, the occurrence of these clients
> has seemed to me incidental, and unlikely to change any answer that
> would be given in this discussion. All clients are running Linux, but
> from time to time Windows clients may also access the shares.
>
> Currently, I have users on the Linux server and the Synology storage
> device with the same user names and passwords. However, your comments
> about the relevance of the workgroup confuse me, because mounting a
> share through Samba involves providing a host name and share name,
> but not a workgroup. Perhaps you might clarify how the mount would
> participate, in any sense, in the workgroup, rather than simply being
> a connection between two network endpoints.
>
> Synology attempts to restrict modifications of smb.conf, but does
> provide a graphical interface for control over some of the options.
> Synology also provides an add-on package to allow the device to act
> as a domain server.
>
> The smbd version is reported as follows:
>
> Version 4.10.18
> Synology Build 41858, May 4 2021 12:54:26
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba