On 10/02/2023 06:50, Stefan G. Weichinger via samba wrote:
>
> Samba 4.17.3 on Debian 11.6
>
> [global]
> unix charset = iso8859-15
>
> security = ads
> realm = COMP.INTRA
> workgroup = COMP
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind cache time = 10
> winbind use default domain = yes
> winbind refresh tickets = Yes
>
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
>
> domain master = no
> local master = no
> preferred master = no
>
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config NORAS : range = 10000-20000
> idmap config NORAS : backend = rid
>

Is this bad sanitisation ?
your workgroup is 'COMP' and the idmap config lines are using 'NORAS',
they should be the same.

If that isn't it, try looking at dns, with things like this, it is
usually dns.

Rowland

On 10.02.23 at 09:10, Rowland Penny via samba wrote:
>> idmap config * : range = 3000-7999
>> idmap config * : backend = tdb
>> idmap config NORAS : range = 10000-20000
>> idmap config NORAS : backend = rid
>
> Is this bad sanitisation ?
> your workgroup is 'COMP' and the idmap config lines are using 'NORAS',
> they should be the same.
>
> If that isn't it, try looking at dns, with things like this, it is
> usually dns.

No, that was just me trying to anonymize things and failing ... think

idmap config COMP : range = 10000-20000
idmap config COMP : backend = rid

-

Tested on a test share now. That yellow warning still comes, but this "claim types" thing seems only to relate to some conditions.

I googled this image as reference:

https://download.huawei.com/mdl/image/download?uuid=8e4e181d5bcd4626ac44ffe959904264

I was able to add a principal and edit its permission on the test share.

The yellow warning is there on shares belonging to root or Administrator (wrong)

-

Reading https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs again, sure.

I don't have "acl_xattr:ignore system acls = yes" ... changing that sounds dangerous, especially while there are dozens of active users on the server right now.

On 10.02.23 at 09:10, Rowland Penny via samba wrote:
> If that isn't it, try looking at dns, with things like this, it is
> usually dns.

Hmm.

The DC uses its own IP and the other 2 DCs as DNS.
The Samba DM uses 2 DC IPs as DNS.

Could you point out which system would need to resolve/find which other system to remove that warning?

I am still trying to find out what implication that has. Editing perms seems to work somehow, still testing things.