samba - Dec 2022 - R: R: winbindd no access console with root

On 22/12/2022 10:18, Corrado Ravinetto via samba wrote:
> I compiled by my self and it's a domain member's role ?
No, I was trying to find out if you had compiled without the DC 
components, but it sounds like you just ran:

./configure
make
make install

and everything ended up in /usr/local/samba/
> 
> [global]
>          client min protocol = NT1
>          log file = /var/log/samba/message.log
>          max log size = 1000
>          ntlm auth = ntlmv1-permitted
>          os level = 250
>          realm = LXCERRUTI.COM
>          security = ADS
>          server min protocol = NT1
>          server role = member server
>          server string = Samba Member - Versione %v
>          winbind offline logon = Yes
>          winbind use default domain = Yes
>          workgroup = LXCERRUTI
>          idmap config * : range = 100000-107999
>          idmap config lxcerruti : backend = ad
>          idmap config lxcerruti : range = 0-99999
>          idmap config lxcerruti : unix_nss_info = yes
>          idmap config * : backend = tdb
>          acl allow execute always = Yes
> 
> 
> [Vol1]
>          admin users = @g_admin
>          comment = Home Directory per ogni User
>          create mask = 0777
>          directory mask = 0777
>          hide unreadable = Yes
>          path = /Cerruti
>          read only = No
>          vfs objects = recycle
>          recycle:maxsize = 500000000
>          recycle:exclude = *.tmp *.ldb *.temp ~$* *.LCK *.dmp
>          recycle:versions = yes
>          recycle:keeptree = yes
>          recycle:touch = yes
>          recycle:repository = .recycle/%U
> 
It looks like you upgraded from an NT4-style domain and are still 
thinking in NT4-style ways.

There is an obvious reason why 'root' isn't working, perhaps you
will
understand why after reading this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba

Do you still have any pre-vista Windows machines in your domain ?
If not, you can remove all the SMBv1 lines.

I would also suggest you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

And then set the share permissions from Windows, this will you much 
finer access control.

Rowland

>On 22/12/2022 10:18, Corrado Ravinetto via samba wrote:
>> I compiled by my self and it's a domain member's role ?
>No, I was trying to find out if you had compiled without the DC components,
but it sounds like you just ran:
>./configure
>make
>make install
yes
>and everything ended up in /usr/local/samba/
Yes
>>
>> [global]
>>          client min protocol = NT1
>>          log file = /var/log/samba/message.log
>>          max log size = 1000
>>          ntlm auth = ntlmv1-permitted
>>          os level = 250
>>          realm = LXCERRUTI.COM
>>          security = ADS
>>          server min protocol = NT1
>>          server role = member server
>>          server string = Samba Member - Versione %v
>>          winbind offline logon = Yes
>>          winbind use default domain = Yes
>>          workgroup = LXCERRUTI
>>          idmap config * : range = 100000-107999
>>          idmap config lxcerruti : backend = ad
>>          idmap config lxcerruti : range = 0-99999
>>          idmap config lxcerruti : unix_nss_info = yes
>>          idmap config * : backend = tdb
>>          acl allow execute always = Yes
>>
>>
>> [Vol1]
>>          admin users = @g_admin
>>          comment = Home Directory per ogni User
>>          create mask = 0777
>>          directory mask = 0777
>>          hide unreadable = Yes
>>          path = /Cerruti
>>          read only = No
>>          vfs objects = recycle
>>          recycle:maxsize = 500000000
>>          recycle:exclude = *.tmp *.ldb *.temp ~$* *.LCK *.dmp
>>          recycle:versions = yes
>>          recycle:keeptree = yes
>>          recycle:touch = yes
>>          recycle:repository = .recycle/%U
>>
>It looks like you upgraded from an NT4-style domain and are still thinking
in NT4-style ways.
Yes, this is an upgrade from an old samba 3
>There is an obvious reason why 'root' isn't working, perhaps you
will understand why after reading this:
>https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba
I red this, but my Domain User have rid = 503 and all users have like
primarygroup 503
Then i can't change this to all my users.
I haven't unix user, only my linux user is root thai i use to manage my
linux box
So what can i change to use ONLY root as account ??
>Do you still have any pre-vista Windows machines in your domain ?
>If not, you can remove all the SMBv1 lines.
Yes, too much xp ?
>I would also suggest you read this:
>https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>And then set the share permissions from Windows, this will you much finer
access control.
>Rowland
Thanks a lot


[Lanificio F.lli CERRUTI]


Corrado Ravinetto
Sistemi informativi
corrado.ravinetto at lanificiocerruti.com <mailto:corrado.ravinetto at
lanificiocerruti.com>
T: +39 015 3591283
[Lanificio F.lli CERRUTI]
Lanificio F.lli Cerruti S.p.A.
Via Cernaia 40, 13900 - Biella (BI) Italy
www.lanificiocerruti.com <http://www.lanificiocerruti.com/>

[Twitter] <https://twitter.com/Lan_Cerruti> [Facebook] 
<https://www.facebook.com/LanificioCerruti> [Instagram] 
<https://www.instagram.com/lanificiocerruti/>

Rispetta l'ambiente, non stampare questa mail se non necessario
Respect the environment, don't print unless necessary

[Unesco]