On Wed, Jan 18, 2023 at 12:20 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
>
>
> On 18/01/2023 17:05, Greg Dickie wrote:
>
> > Agree but this was a standalone server that we are now transitioning
> > into the domain and as long as the UIDs and GIDs match everything
should
> > be ok no?
> >
> >
> > Is it possible to see your smb.conf used on the Unix machines ?
> >
> >
> > O=Sure
> >
> > [global]
> > workgroup = TOTO
> > server string = Samba on SRVLXFS2
> > realm = TOTO.CA <http://TOTO.CA>
> > security = ads
> > kerberos method = secrets only
> > winbind use default domain = true
> > winbind offline logon = false
> > winbind nss info = rfc2307
> > winbind enum users = yes
> > winbind enum groups = yes
> > idmap config * : range = 16777216-33554431
> > idmap config ULTRATCS : schema mode = rfc2307
> > idmap config ULTRATCS : backend = ad
> > idmap config ULTRATCS : range = 500-10000
> > idmap config ULTRATCS : unix_primary_group = yes
> > idmap config ULTRATCS : unix_nss_info = yes
>
> Oh dear, unless it's bad sanitisation, you have a big problem.
> Your workgroup is 'TOTO' but you are using 'ULTRATCS' for
the idmap
> config lines, it should be the workgroup name 'TOTO'
>
Damit, that's just bad sanitization. sorry, pretend you did not see that.
>
> > idmap_ldb:use rfc2307 = yes
> > template homedir = /home/%U
> > min domain uid = 0
> > unix extensions = no
> > wide links = yes
> >
> > printing = cups
> > printcap name = cups
> > load printers = no
> > cups options = raw
> > log file = /var/log/samba/log.%m.%U
> > log level = 0
> > max log size = 50M
> > #syslog = 0
> >
> > [homes]
> > comment = Home Directories
> > browseable = no
> > writable = yes
> > # create mask = 0664
> > # directory mask = 0775
> > force create mode = 0775
> > force directory mode = 0775
> > # force security mode = 664
> > # force directory security mode = 775
> > map archive = no
>
> I think you will find that everyone can get into everyone else's
homedir
>
Yes, it was like that before I got to it, so I just left it.
>
> >
> >
> > This has been working fine but now I have some
> > > users who suddenly lose write access to their files,
sometimes.
> > One user
> > > has 2 workstations (1 works always, the other exhibits this
issue
> > so maybe
> > > a patch on the workstation?). When this happens IF I give
their
> > files group
> > > write permission they are good again. Does this ring a bell?
I
> > have a level
> > > 10 debug of an ACCESS_DENIED test but nothing in there looks
> > obviously
> > > wrong until the ACCESS_DENIED so I can't see why.
> >
> > Are they supposed to have 'user' permissions or just
'group'
> > permissions, also are you using extended ACL's ?
> >
> >
> > user permissions, all the users on this system have the same primary
> > group of 1000, No ACLs, or at least not supposed to be.
>
> Would '1000' be the gidNumber for Domain Users ?
>
It's not, It's another group, see below which shows AD mapping vs NIS
mapping:
[root at srvlxfs2 ~]# wbinfo -i gdickie
gdickie:*:1014:1000:Dickie, Greg:/home/gdickie:/bin/bash
[root at srvlxfs2 ~]# wbinfo --gid-info=1000
engineering access:x:1000:
[root at srvlxfs2 ~]# id gdickie
uid=1014(gdickie) gid=1000(fpga) groups=1000(fpga)
[root at srvlxfs2 ~]#
Again, this has all been working 99% except for a few select users at some
times. And at those times the uid as shown in smbstatus is correct.
I don't suppose you want to see the level 10 debug log?
Thanks,
Greg
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
Greg Dickie
just a guy
514-983-5400