Rowland penny
2020-Dec-15 17:29 UTC
[Samba] Users can't mount shares on a domain member file server
On 15/12/2020 16:32, MAS Jean-Louis via samba wrote:
> hi,
>
> We have replaced our old Centos 6 samba4 file server by a brand new
> Centos 7 file server
>
> The new Centos 7 server is a domain member joined by :
>
> net ads join -U administrator
>
> The Centos 6 samba file server was working fine, but on the new server
> nobody can mount windows shares either home or teams shares.
> We used the old Centos 6 smb.conf with some modifications suggested by
> 'testparm'

'testparm' doesn't suggest anything, it just checks your smb.conf

>
> On the Centos 6 server, we didn't use winbind, and now we must use it.
> and winbind cause strange mappings on our fileserver

Well it will possibly give you different IDs but they should be consistent.

> # /etc/nsswitch.conf
>
> passwd: files ldap

Replace 'ldap' with 'winbind'

> shadow: files ldap

Remove 'ldap'

> group: files ldap

Replace 'ldap' with 'winbind'

> hosts: files dns myhostname
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files winbind

Remove 'winbind'

> netgroup: files winbind ldap

Remove 'winbind' and 'ldap'

> publickey: nisplus
> automount: files ldap
> aliases: files nisplus
>
> # smb.conf (with only one teams share for example)
>
> # Global parameters
> [global]
> allow trusted domains = No
> disable spoolss = Yes
> domain master = No
> kerberos method = system keytab
> load printers = No
> local master = No
> log file = /var/log/samba/samba.log
> ntlm auth = ntlmv1-permitted
> preferred master = No
> printcap cache time = 0
> printcap name = /dev/null
> realm = EXAMPLE.COM
> restrict anonymous = 2
> security = ADS
> server role = member server
> server string = Samba Server Version %v
> socket options = TCP_NODELAY IPTOS_LOWDELAY

I would remove the 'socket options' line and rely on the kernel knowing what it is doing.

> winbind nss info = rfc2307

Remove the line above, it has been replaced.

> winbind use default domain = Yes
> workgroup = EXAMPLE
> rpc_daemon:spoolssd = off
> smbd:backgroundqueue = no

Where did you get the line above from ?

> idmap config example : backend = ads

The 'ads' in the line above should be 'ad'

> idmap config example : schema_mode = rfc2307
> idmap config example : range = 500-400000

Why start at 500 ? Do you have normal users & groups in AD with uidNumbers & gidNumbers that start so low ? Not counting the ones that start with 'Domain' e.g. 'Domain Users'

> idmap config * : schema_mode = rfc2307

That line is not used with the '*' domain

> idmap config * : range = 400001-410000

We recommend the range '3000-7999' for the '*' domain

> idmap_ldb : use rfc2307 = Yes

The line above is only used on an AD DC

> idmap config * : backend = tdb
> printing = bsd
> use sendfile = Yes
>
>
> [netlogon]
> browseable = No
> path = /var/lib/samba/sysvol/example.fr/scripts
> read only = No
>
>
> [sysvol]
> browseable = No
> path = /var/lib/samba/sysvol
> read only = No

Why are 'sysvol' & 'netlogon' on a Unix domain member, they should be on your AD DC.
MAS Jean-Louis
2020-Dec-16 15:58 UTC
[Samba] Users can't mount shares on a domain member file server
On 15/12/2020 at 18:29, Rowland penny via samba wrote:

Thanks a lot for your advice. We changed our conf files /etc/nsswitch.conf and smb.conf (see below).

Now our Linux users can't connect as their gid and $HOME are totally wrong; they seem to be generated by winbind in the 400000 range.

What we've got using winbind, with my account for example:

$ id jlmas
uid=20025(jlmas) gid=400005(misi) groupes=400005(misi),400004(lig),400010(wikimisi),400001(domain users),400003(BUILTIN\users)
$ getent passwd jlmas
jlmas:*:20025:400005:MAS Jean-Louis:/home/LIGLAB/jlmas:/bin/false

What it should be:

$ id jlmas
uid=20025(jlmas) gid=20000(misi) groupes=20000(misi),20001(wikimisi),513(Domain Users),29000(labolig)
$ getent passwd jlmas
jlmas:*:20025:20000:MAS Jean-Louis:/home/misi/jlmas/:/bin/bash

>> smbd:backgroundqueue = no
> Where did you get the line above from ?

It came from our old Centos 6 conf, back from 2013. I deleted it in our new smb.conf.

>> idmap config example : schema_mode = rfc2307
>> idmap config example : range = 500-400000
> Why start at 500 ? do you have normal users & groups in AD with
> uidNumbers & gidNumbers that start so low ? Not counting the ones
> that start with 'Domain' e.g. 'Domain Users'

Unfortunately, we have some very very old user account ids, as low as 115 (but not used anymore), but some above 500 are still in use today on a broad number of servers. That's why we can't use the recommended '3000-7999' range for the '*' domain.

Our new files

# /etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files ldap
aliases: files nisplus

# /etc/smb/smb.conf
# Global parameters
[global]
allow trusted domains = No
disable spoolss = Yes
domain master = No
kerberos method = system keytab
load printers = No
local master = No
log file = /var/log/samba/samba.log
ntlm auth = ntlmv1-permitted
preferred master = No
printcap cache time = 0
printcap name = /dev/null
realm = EXAMPLE.COM
restrict anonymous = 2
security = ADS
server role = member server
server string = Samba Server Version %v
winbind use default domain = Yes
workgroup = EXAMPLE
idmap config * : range = 400001-410000
idmap config * : backend = tdb
idmap config example : range = 500-400000
idmap config example : schema_mode = rfc2307
idmap config example : backend = ad
rpc_daemon:spoolssd = off
printing = bsd
use sendfile = Yes

[profiles]
browseable = No
path = /var/lib/samba/profiles
read only = No

[homes]
browseable = No
comment = Home Directory
read only = No

[team1]
comment = Equipe TEAM1
force group = +team1
path = /home/team1
read only = No
valid users = +team1

Any clues on the id numbers and home given by winbind ?

Regards
--
Jean Louis Mas
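As an added worked example for this thread (my own script, not Samba's tooling and not code from either poster), the Python below pulls the `idmap config` lines out of an smb.conf like the ones posted above, applies the checks Rowland raised in his reply (the backend name must be one Samba ships a man page for, `schema_mode` only means something to the `ad` backend, the ranges of different idmap domains must not overlap, and the '*' range he suggested is 3000-7999), and then maps every number in `id <user>` output back to the configured range it falls into. That last step is the quickest way to see which idmap domain handed out an ID. The smb.conf fragment and the `id` line embedded in the script are constructed from the two posts, not the real files; the list of backend names and the 3000-7999 comparison are assumptions taken from the Samba man pages and from this thread respectively.

```python
"""Check idmap ranges in an smb.conf and map observed uid/gid values back to them.

Added example for this mailing-list thread (not Samba's own tooling). Only the
'idmap config' lines are parsed; everything else in smb.conf is ignored.
"""
import re

# Constructed sample, modelled on the first smb.conf posted in the thread (not the real file).
SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = ADS
   idmap config * : schema_mode = rfc2307
   idmap config * : range = 400001-410000
   idmap config * : backend = tdb
   idmap config example : backend = ads
   idmap config example : schema_mode = rfc2307
   idmap config example : range = 500-400000
"""

# Constructed sample of `id jlmas` output, modelled on the output posted in the thread.
ID_OUTPUT = ("uid=20025(jlmas) gid=400005(misi) groups=400005(misi),400004(lig),"
             "400010(wikimisi),400001(domain users),400003(BUILTIN\\users)")

# Assumption: backends that have an idmap_<name>(8) manual page in Samba 4.
KNOWN_BACKENDS = {"ad", "autorid", "hash", "ldap", "nss", "rfc2307", "rid", "script", "tdb", "tdb2"}
# Range suggested for the '*' domain in this thread (assumption: taken from Rowland's reply).
DEFAULT_DOMAIN_RANGE = (3000, 7999)

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
ID_RE = re.compile(r"(\d+)\(([^)]*)\)")   # matches the NNN(name) tokens printed by `id`


def parse_idmap(conf_text):
    """Return {domain: {param: value}} for every 'idmap config' line (domains lower-cased)."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, param, value = m.groups()
            cfg.setdefault(domain.lower(), {})[param.lower()] = value
    return cfg


def parse_range(text):
    """'500-400000' -> (500, 400000); raises ValueError on anything malformed."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo < 0 or hi < lo:
        raise ValueError("bad idmap range %r" % text)
    return lo, hi


def validate(cfg):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    ranges = {}
    for domain, params in cfg.items():
        backend = params.get("backend")
        if backend is None:
            findings.append("%s: no backend configured" % domain)
        elif backend.lower() not in KNOWN_BACKENDS:
            findings.append("%s: unknown backend '%s'" % (domain, backend))
        # schema_mode is an idmap_ad parameter; every other backend ignores it.
        if "schema_mode" in params and (backend or "").lower() != "ad":
            findings.append("%s: schema_mode set but backend is %s (ignored)" % (domain, backend))
        if "range" not in params:
            findings.append("%s: no range configured" % domain)
            continue
        try:
            ranges[domain] = parse_range(params["range"])
        except ValueError as exc:
            findings.append("%s: %s" % (domain, exc))
    if "*" in ranges and ranges["*"] != DEFAULT_DOMAIN_RANGE:
        findings.append("*: range %d-%d differs from the 3000-7999 suggested in the thread" % ranges["*"])
    # Ranges of different idmap domains must be disjoint, or an ID cannot be attributed to one domain.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append("%s and %s: ranges overlap" % (a, b))
    return findings


def classify_ids(id_output, cfg):
    """Map every NNN(name) token in `id` output to the idmap domain whose range holds it.

    Returns [(name, number, domain_or_None)] in the order the tokens appear;
    None means the number lies outside every configured range (e.g. a local account).
    """
    ranges = {}
    for domain, params in cfg.items():
        try:
            ranges[domain] = parse_range(params["range"])
        except (KeyError, ValueError):
            continue
    result = []
    for num, name in ID_RE.findall(id_output):
        n = int(num)
        owner = next((d for d, (lo, hi) in sorted(ranges.items()) if lo <= n <= hi), None)
        result.append((name, n, owner))
    return result


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for finding in validate(cfg):
        print("finding:", finding)
    for name, n, owner in classify_ids(ID_OUTPUT, cfg):
        print("%-15s %7d  idmap domain: %s" % (name, n, owner or "none (outside every range)"))
```

To run it against a real domain member, replace `SMB_CONF` with the contents of the file `testparm -s` prints and `ID_OUTPUT` with the output of `id <user>`; each line of the second table then tells you which `idmap config` range produced that uid or gid, which is the first thing to check when an account shows up with numbers from an unexpected range.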