MAS Jean-Louis
2020-Dec-16 15:58 UTC
[Samba] Users can't mount shares on a domain member file server
On 15/12/2020 at 18:29, Rowland penny via samba wrote:

Thanks a lot for your advice.

We changed our conf files /etc/nsswitch.conf and smb.conf (see below).

Now our Linux users can't connect as their gid and $HOME are totally wrong; they seem to be generated by winbind in the 400000 range.

What we get using winbind, with my account for example:

$ id jlmas
uid=20025(jlmas) gid=400005(misi) groupes=400005(misi),400004(lig),400010(wikimisi),400001(domain users),400003(BUILTIN\users)
$ getent passwd jlmas
jlmas:*:20025:400005:MAS Jean-Louis:/home/LIGLAB/jlmas:/bin/false

What it should be:

$ id jlmas
uid=20025(jlmas) gid=20000(misi) groupes=20000(misi),20001(wikimisi),513(Domain Users),29000(labolig)
$ getent passwd jlmas
jlmas:*:20025:20000:MAS Jean-Louis:/home/misi/jlmas/:/bin/bash

>> smbd:backgroundqueue = no
> Where did you get the line above from ?

It came from our old CentOS 6 conf, back from 2013. I deleted it in our new smb.conf.

>> idmap config example : schema_mode = rfc2307
>> idmap config example : range = 500-400000
> Why start at 500 ? do you have normal users & groups in AD with
> uidNumbers & gidNumbers that start so low ? Not counting the ones
> that start with 'Domain' e.g. 'Domain Users'

Unfortunately, we have some very, very old user account ids, the lowest being 115 (but not used anymore), and some above 500 are still in use today on a broad number of servers. That's why we can't use the recommended '3000-7999' range for the '*' domain.

Our new files:

# /etc/nsswitch.conf
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

# /etc/smb/smb.conf
# Global parameters
[global]
        allow trusted domains = No
        disable spoolss = Yes
        domain master = No
        kerberos method = system keytab
        load printers = No
        local master = No
        log file = /var/log/samba/samba.log
        ntlm auth = ntlmv1-permitted
        preferred master = No
        printcap cache time = 0
        printcap name = /dev/null
        realm = EXAMPLE.COM
        restrict anonymous = 2
        security = ADS
        server role = member server
        server string = Samba Server Version %v
        winbind use default domain = Yes
        workgroup = EXAMPLE
        idmap config * : range = 400001-410000
        idmap config * : backend = tdb
        idmap config example : range = 500-400000
        idmap config example : schema_mode = rfc2307
        idmap config example : backend = ad
        rpc_daemon:spoolssd = off
        printing = bsd
        use sendfile = Yes

[profiles]
        browseable = No
        path = /var/lib/samba/profiles
        read only = No

[homes]
        browseable = No
        comment = Home Directory
        read only = No

[team1]
        comment = Equipe TEAM1
        force group = +team1
        path = /home/team1
        read only = No
        valid users = +team1

Any clues on the id numbers and home given by winbind ?

Regards
-- 
Jean Louis Mas
Rowland penny
2020-Dec-16 16:17 UTC
[Samba] Users can't mount shares on a domain member file server
On 16/12/2020 15:58, MAS Jean-Louis via samba wrote:
> On 15/12/2020 at 18:29, Rowland penny via samba wrote:
>
> Thanks a lot for your advice
>
> We changed our conf files /etc/nsswitch.conf and smb.conf (see below)
>
> Now our Linux users can't connect as their gid and $HOME are totally
> wrong, they seem to be generated by winbind in the 400000 range.

You are getting IDs in the 400000 range because that is what you have set in the '*' domain, and as you are getting numbers such as '400002', then 'jlmas' does not have a uidNumber attribute containing a number inside the '500-400000' range, or Domain Users does not have a gidNumber attribute containing a number inside the same range. Or, to put it another way: have you manually added uidNumber and gidNumber attributes to your users & groups in AD ?

Rowland