On 22/09/2022 19:38, Sonic via samba wrote:
> I'm trying to set up a new Samba install as a Domain Member to a
> Windows AD to act as a fileserver and am having little success
> following the Wiki in setting up a share using Windows ACLs.
>
> First problem was even connecting to the system with the Administrator
> account as it was mapped to the root user via the user.map per the
> wiki. Setting "min domain uid = 0" solved that but this seems a bit
> counterintuitive and maybe dangerous.

It is the only thing that works.

> All seems fine until I connect to the share via Computer Management as
> shown on https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> under the heading "Setting Share Permissions and ACLs". When I right
> click share and select properties the properties box comes up but the
> smbd log does indicate NT_STATUS_PRIVILEGE_NOT_HELD. The Share
> Permissions tab looks fine but when I select the security tab the smbd
> log indicates NT_STATUS_BUFFER_TOO_SMALL and attempts to add
> permissions fail, the smbd log indicates NT_STATUS_ACCESS_DENIED.
>
> smb.conf:
> ==================================
> [global]
> log level = 3
> min domain uid = 0
> map to guest = Bad User
> printcap name = /dev/null
> realm = PIZZA.EXAMPLE.COM
> security = ADS
> server role = member server
> server string = Quinine Data
> username map = /etc/samba/user.map
> workgroup = PIZZA3
> idmap config pizza3 : backend = rid
> idmap config pizza3 : range = 50000-89999
> idmap config quinine : range = 5000-5999
> idmap config quinine : backend = tdb
> idmap config * : range = 10000-19999
> idmap config * : backend = tdb

You need to reset the 'idmap config' lines, I presume 'quinine' is the hostname of the Unix domain member, if so, remove the two idmap config lines that mention 'quinine' and I suggest you use the ranges on the wiki (at least as a starting point) they are known to work.

Rowland

On Thu, Sep 22, 2022 at 2:58 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> You need to reset the 'idmap config' lines, I presume 'quinine' is the
> hostname of the Unix domain member, if so, remove the two idmap config
> lines that mention 'quinine' and I suggest you use the ranges on the
> wiki (at least as a starting point) they are known to work.

Those changes made no difference. Same results. I think at one time it was recommended to have a range for the local host, not sure if it was ever used.
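
The idmap review suggested in the reply above, as an added example that is not part of the original thread or of Samba itself: it reads the 'idmap config' lines of an smb.conf, reports any domain that is neither '*' nor the configured workgroup, and also reports overlapping ID ranges, which goes beyond what the thread discusses. The function names are hypothetical; the sample input is the workgroup and idmap lines from the smb.conf posted in the thread.

```python
import re

# Workgroup and idmap lines from the smb.conf posted in the thread.
SAMPLE = """\
[global]
workgroup = PIZZA3
idmap config pizza3 : backend = rid
idmap config pizza3 : range = 50000-89999
idmap config quinine : range = 5000-5999
idmap config quinine : backend = tdb
idmap config * : range = 10000-19999
idmap config * : backend = tdb
"""

IDMAP_KEY = re.compile(r"idmap config\s+(\S+)\s*:\s*(.+)", re.I)

def parse_global(text):
    """Split parameters into plain ones and per-domain idmap options."""
    params, idmap = {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = IDMAP_KEY.fullmatch(key)
        if m:  # assumption: domain names are compared case-insensitively
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        else:
            params[key.lower()] = value
    return params, idmap

def check_idmap(text):
    """Return findings: unexpected idmap domains and overlapping ID ranges."""
    params, idmap = parse_global(text)
    workgroup = params.get("workgroup", "").upper()
    findings, ranges = [], []
    for domain, opts in idmap.items():
        if domain not in ("*", workgroup):
            findings.append(f"{domain}: not '*' or workgroup {workgroup}")
        if "range" in opts:
            low, high = (int(n) for n in opts["range"].split("-"))
            ranges.append((low, high, domain))
    top, owner = -1, None  # highest ID claimed so far and the domain claiming it
    for low, high, domain in sorted(ranges):
        if low <= top:
            findings.append(f"{domain}: range overlaps {owner}")
        if high > top:
            top, owner = high, domain
    return findings
```

Calling check_idmap(SAMPLE) returns a single finding for the 'quinine' lines; the three posted ranges do not overlap.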