On 01-04-2023 20:38, Rowland Penny via samba wrote:
>
> On 01/04/2023 19:10, Gary Dale via samba wrote:
>
>> https://wiki.samba.org/index.php/Idmap_config_ad in the Configuring
>> the ad Back End section.
>
> Yes, but right at the top there is a warning box that says:
>
> ID mapping back ends are not supported in the smb.conf file on a Samba
> Active Directory (AD) domain controller (DC).
> For details, see Failure To Access Shares on Domain Controllers If
> idmap config Parameters Set in the smb.conf File.
>
> I will update that to say, do not add anything on this page to a Samba AD
> DC smb.conf.
>
>>
>> Which shows that the documentation is fragmented and contradictory
>> (not to mention obfuscated). If something is OK to set in one
>> instance but not another, shouldn't that be highlighted? We have
>> hyperlinks these days.
>>
>
> It isn't as easy as that on the Samba wiki, I wish it was. I know that
> the Samba wiki isn't the best in the world, but I cannot change the
> wiki software.
>
>> Not according to a lot of the recent documentation. It's telling me
>> to use the Windows tools, which are a nightmare, to do things that
>> I'd prefer to do through the Linux tools.
>>
>
> The Samba wiki mentions ADUC a lot, but this isn't as easy to use as
> it once was and samba-tool has got a lot better.
>
>>
>> How would that stop my Windows 10 VM from accessing shares? I recall
>> some registry settings being needed to get Windows 7 to work with
>> Samba but that's ancient history...
>
> The lack of SMBv1 shouldn't stop Win10 accessing a share, it would stop
> Network Browsing though. If Win10 cannot access a Samba share, then
> there should be something in the Windows event log and/or the logs of
> the Samba server. There are two things to note, Win10 may require the
> latest Heimdal and if you are trying to connect to a guest Samba
> share, you should check if Windows doesn't have guest access turned
> off.
>
>> Haven't tried it since pre-pandemic - certainly not with a Bullseye
>> server - so it is not going to be interesting to look at. It
>> definitely predates the backports version of Samba.
>>
>> That's why I'm looking for something more recent so I can
>> retry.
>
> The actual way you set up a smb.conf hasn't changed much for quite a
> few years, so it should be valid.
>
>> I tried using Samba once rather than NFS but that broke things. I
>> keep my mail on the server and Thunderbird didn't work properly.
>> Reverting to NFS fixed that. Also, Samba shares seemed slower and
>> less reliable. NFS just works.
>
> I use Thunderbird on a Unix domain member and apart from an annoying
> Thunderbird bug, everything works okay.
>
> As for speed, there isn't much difference between the two now, but you
> can use NFS with Samba authentication, I just wouldn't share an NFS
> export.
Indeed, sharing the same directory over SMB and over NFS is a bad idea.
Hosting a Samba share on an NFS share is a similarly bad idea.
>
> There are probably users out there using NFS with AD authentication, I
> hope one of them will help here.
For NFS the most important thing is to have a single source for UIDs and
GIDs, winbind + Samba-ADDC does a great job of getting this done.
Next you decide if you are good with unencrypted shares authorized by
client-machine-IP, if so the simplest form of NFS4 (very similar to the
setup of NFS3) will do. If not you have to set up Kerberized NFS which
has user-authentication (due to Kerberos) and allows shares encrypted on
the wire just as SMB has in recent versions.
At the moment I am still using NFS4 for my Linux clients because Samba
does not offer the Unix-extensions with SMB3 yet. Unfortunately I
noticed that did not make it into 4.18.
- Kees.
>
> Rowland
>
>
>
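
The choice described in the reply above, between NFS4 authorized by client IP and Kerberized NFS, appears on the server as the sec= option of each entry in /etc/exports. The following is an added example, not part of the original messages: a small Python check that classifies every export entry by that option. The sample exports content, paths and host names are constructed, and the result labels are names chosen for this example.

```python
import re

# Constructed sample /etc/exports content (not taken from the thread).
SAMPLE_EXPORTS = """\
# home directories, trusted by client IP only
/srv/home   192.0.2.0/24(rw,sync,no_subtree_check)
/srv/mail   *.example.test(rw,sync,sec=krb5p,no_subtree_check)
/srv/pub    192.0.2.10(ro,sec=sys:krb5i) 192.0.2.11(rw,sec=krb5p)
"""

ENTRY = re.compile(r"(?P<client>[^\s()]+)(?:\((?P<opts>[^)]*)\))?")
KERBEROS = {"krb5", "krb5i", "krb5p"}  # auth only / +integrity / +privacy

def classify(flavors):
    """Map the security flavors an export accepts to its weakest outcome."""
    if any(f not in KERBEROS for f in flavors):
        return "ip-trust"                # e.g. sys: UID/GID sent by the client is believed
    if set(flavors) == {"krb5p"}:
        return "kerberos-encrypted"      # user authentication and encryption on the wire
    return "kerberos-no-encryption"      # krb5 or krb5i allowed: authenticated, readable on the wire

def audit_exports(text):
    """Return (path, client, flavors, finding) for each client entry.

    Simplifications: no quoted paths, no line continuations, no '-' default
    option entries; lines without a client list are skipped.
    """
    results = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        path = parts[0]
        for token in parts[1:]:
            m = ENTRY.fullmatch(token)
            if not m:
                continue
            flavors = ["sys"]            # exports(5): sys is used when sec= is absent
            for opt in (m.group("opts") or "").split(","):
                if opt.startswith("sec="):
                    flavors = opt[4:].split(":")
            results.append((path, m.group("client"), flavors, classify(flavors)))
    return results

if __name__ == "__main__":
    for path, client, flavors, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:10} {client:16} sec={':'.join(flavors):10} {finding}")
```

An entry that lists several flavors is reported by the weakest one it accepts, since a client may negotiate any of them.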