> Let's see if I have got this correct:
> Your computer is joined to an AD domain.
> You have users in AD with uidNumber attributes.
> Domain Users has a gidNumber attribute.
> All these '*idNumber' attributes hold numbers inside the '1001-116999'
> range.
> Is all that correct?
> can you also post your entire smb.conf
> Rowland

Yes, all these are correct including the "Domain Users" which has the gid of 100 which points to the local "users" group. Below the complete smb.conf. I really appreciate your efforts, hopefully it does not take too much time.

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
# workgroup = SAMBA
# security = user
netbios name = MEGAHOST
workgroup = DOMAIN
security = ads
realm = DOMAIN.LOCAL
passdb backend = tdbsam

printing = cups
printcap name = cups
load printers = no
cups options = raw

idmap config * : backend = tdb
idmap config * : range = 117000-117999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1001-116999
idmap config DOMAIN:unix_nss_info = no
idmap config DOMAIN:unix_primary_group = yes

template shell = /bin/bash
template homedir = /home/%U
kerberos method = secrets and keytab
; log level = 5 idmap:10 winbind:10
winbind nss info = template
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

[megastapel]
path = /opt/mega/megadb/megak/01/fremdstapel
valid users = mueller knau @mega
read only = No
create mask = 0775

[megaplus]
path = /opt/mega
valid users = @mega kh
read only = No
create mask = 0775

[sfirm]
comment = SFirm-Dtaus-Dateien von MEGA
path = /opt/mega/megadb/megak/01/sfirm
valid users = @mega
read only = No
create mask = 0775

[megaausgleich]
comment = Bankdaten MEGA
path = /opt/mega/megadb/megak/01/ausgleich
valid users = megaadm bhzbv mueller admin
read only = No
create mask = 0775
On 14/12/2022 10:26, Balke IT via samba wrote:
>> Let's see if I have got this correct:
>
>> Your computer is joined to an AD domain.
>> You have users in AD with uidNumber attributes.
>> Domain Users has a gidNumber attribute.
>> All these '*idNumber' attributes hold numbers inside the '1001-116999'
>> range.
>
>> Is all that correct?
>
>> can you also post your entire smb.conf
>
>> Rowland
>
> Yes, all these are correct including the "Domain Users" which has the gid of 100 which points to the local "users" group.

That could be part of your problem. If you use the 'ad' idmap backend on a Unix domain member, all uidNumber and gidNumber attributes must contain a number inside the DOMAIN range you set in smb.conf (in your case 1001-116999) and '100' isn't inside your range.

What could be happening here is, the users that are having problems do not have a gidNumber attribute. They are falling back to the primary group 'Domain Users', which, for all intents and purposes, does not have a valid gidNumber. This means that, to the 'DOMAIN' domain, they do not exist, so they are mapped to the default '*' domain and are denied access.

Can you please reply to this post, rather than posting a new post, which is what you appear to be doing, this breaks threads.

Rowland
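The check Rowland describes (every uidNumber and gidNumber the 'ad' backend will see must fall inside the DOMAIN idmap range, and a user with no gidNumber inherits whatever 'Domain Users' carries) can be scripted so an admin can audit a domain before users start getting "access denied". The script below is an added example written for this page, not something posted in the thread or shipped by Samba. It parses the `idmap config ... : range` lines out of an smb.conf fragment and then walks LDIF-style records of the kind `ldbsearch` or `ldapsearch` emits. The account names reuse those in the posted `valid users` lines, but every uidNumber/gidNumber value is constructed for illustration, and the fallback-to-'Domain Users' rule is a simplification of winbind's behaviour as Rowland explains it (it ignores `primaryGroupID` and assumes `unix_primary_group = yes`).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment; the ranges match the config posted in the thread.
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 117000-117999
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 1001-116999
   idmap config DOMAIN:unix_primary_group = yes
"""

# Constructed LDIF-style records (attribute values are invented for the example):
#  - mueller: both attributes inside the DOMAIN range
#  - knau:    no gidNumber at all, so the primary group's gidNumber is used
#  - bhzbv:   uidNumber outside the DOMAIN range
#  - Domain Users: gidNumber 100, i.e. outside the range (the thread's situation)
SAMPLE_LDIF = """
dn: CN=mueller,CN=Users,DC=domain,DC=local
sAMAccountName: mueller
uidNumber: 10001
gidNumber: 10000

dn: CN=knau,CN=Users,DC=domain,DC=local
sAMAccountName: knau
uidNumber: 10002

dn: CN=bhzbv,CN=Users,DC=domain,DC=local
sAMAccountName: bhzbv
uidNumber: 200
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=domain,DC=local
sAMAccountName: Domain Users
gidNumber: 100
"""

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ldif(text: str) -> Dict[str, Dict[str, str]]:
    """Split blank-line separated 'attr: value' records, keyed by sAMAccountName."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries[current["sAMAccountName"]] = current
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries[current["sAMAccountName"]] = current
    return entries


def in_range(value: Optional[str], rng: Tuple[int, int]) -> bool:
    """True only if the attribute exists, is numeric and lies inside rng."""
    return value is not None and value.isdigit() and rng[0] <= int(value) <= rng[1]


def audit(conf: str, ldif: str, domain: str = "DOMAIN",
          fallback_group: str = "Domain Users") -> Dict[str, List[str]]:
    """Map each user to the reasons the 'ad' backend would refuse to map it.

    An empty list means the user resolves cleanly inside the DOMAIN range.
    """
    dom_range = parse_idmap_ranges(conf)[domain.upper()]
    entries = parse_ldif(ldif)
    fallback_gid = entries.get(fallback_group, {}).get("gidNumber")
    findings: Dict[str, List[str]] = {}
    for name, attrs in entries.items():
        if name == fallback_group:
            continue
        problems: List[str] = []
        uid = attrs.get("uidNumber")
        if not in_range(uid, dom_range):
            problems.append(f"uidNumber {uid!r} not in {domain} range {dom_range}")
        gid, source = attrs.get("gidNumber"), "own gidNumber"
        if gid is None:  # no gidNumber: winbind falls back to the primary group
            gid, source = fallback_gid, f"primary group '{fallback_group}'"
        if not in_range(gid, dom_range):
            problems.append(f"gid {gid!r} from {source} not in {domain} range {dom_range}")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for user, problems in audit(SMB_CONF, SAMPLE_LDIF).items():
        print(f"{user}: {'OK' if not problems else '; '.join(problems)}")
```

Run against real data by replacing `SAMPLE_LDIF` with the output of an `ldbsearch`/`ldapsearch` query for `sAMAccountName`, `uidNumber` and `gidNumber`; any user whose list is non-empty is one that winbind will push into the default '*' range (or refuse entirely), which is exactly the symptom the thread is chasing.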