samba - Mar 2024 - Linux Mint 21.3 client AD joined OK but no usb working

On Thu, 21 Mar 2024 22:12:54 -0300
"Douglas G. Oechsler via samba" <samba at lists.samba.org>
wrote:
> Hi Marco!
> 
> 
> Em qui., 21 de mar. de 2024 ?s 17:41, Marco Gaiarin via samba <
> samba at lists.samba.org> escreveu:
> 
> > Mandi! Douglas G. Oechsler via samba
> >   In chel di` si favelave...
> >
> > > Somebody get this problem or can help please?
> >
> > Probably the access to USB devices (and other things) are granted
> > via some local groups, so if you have AD/winbind users, they does
> > not have this group.
> >
> > For this, i use typically 'pam_group' module, with a simple
config
> > like:
> >
> >  *; *; *; Al0000-2400; plugdev,fuse,scanner,video,audio,cdrom,floppy
> >
> > Right, ok!
> But, where do you insert this config, please?
> 
> For now I disable The Linux Machines on the Office because when I put
> them inside Samba AD, the machines sometimes logon on the AD and
> sometimes not or stay waiting 'find' or try to logon for a long
time.
> When it did work fine, sometimes staying a long time to access file
> server AD. Maybe I need to study for a good way to insert Linux
> machines at the domain that works fine and well for users. Now I
> simply mapped the file server AD path for each user, and well, it's
> working. Today at the same place, I inserted a win10 machine at AD,
> and all works fine.
> 
This now sounds like a different problem to the subject matter, if
Samba is set up correctly, then the computer should always be able to
logon without problem (provided the network is working).

Also the ' *; *; *; Al0000-2400;
plugdev,fuse,scanner,video,audio,cdrom,floppy' line suggested was from
a long time ago and was meant to be used with an NT4-style ldap domain
and not AD.

From rereading this thread, you are running Samba 4.18.0 on Linux Mint
21.3 , where did you get the Samba 4.18.0 packages from ? As far as I
can see, Linux Mint doesn't use 4.18.0

How have you set up Samba ?
If it is as an AD DC, then please post the output of 'samba-tool
testparm'

If it is as a Unix domain member, then please post the output of
'testparm -s'

Rowland

Mandi! Rowland Penny via samba
  In chel di` si favelave...
>> > For this, i use typically 'pam_group' module, with a
simple config
>> > like:
>> >  *; *; *; Al0000-2400;
plugdev,fuse,scanner,video,audio,cdrom,floppy
>> But, where do you insert this config, please?
> This now sounds like a different problem to the subject matter, if
> Samba is set up correctly, then the computer should always be able to
> logon without problem (provided the network is working).
?! Probably in Ubuntu where policykit rule them all, but for other distro,
also ubuntu-derivative like mint, still access to some devices is granted by
group membership.
So, yes, you login to the machine, but if you are NOT member of some group,
you cannot do something...

> Also the ' *; *; *; Al0000-2400;
> plugdev,fuse,scanner,video,audio,cdrom,floppy' line suggested was from
> a long time ago and was meant to be used with an NT4-style ldap domain
> and not AD.
Nothing to do with NT or AD; simply pam_group PAM module add/grand some
group membership to user based on some rules. More info:

	https://www.chiark.greenend.org.uk/doc/libpam-doc/html/sag-pam_group.html

my example is simply: add these group to all user that can auth to this
workstation.

The row have to be added to file /etc/security/group.conf .

-- 
  Ho ancora la forza di starvi a raccontare
  le mie storie di sempre, di come posso amare		(F. Guccini)

Hello

Is there permission to attach image files here in the group or only images
link services?

Thanks







Em sex., 22 de mar. de 2024 ?s 06:15, Rowland Penny via samba <
samba at lists.samba.org> escreveu:
> On Thu, 21 Mar 2024 22:12:54 -0300
> "Douglas G. Oechsler via samba" <samba at lists.samba.org>
wrote:
>
> > Hi Marco!
> >
> >
> > Em qui., 21 de mar. de 2024 ?s 17:41, Marco Gaiarin via samba <
> > samba at lists.samba.org> escreveu:
> >
> > > Mandi! Douglas G. Oechsler via samba
> > >   In chel di` si favelave...
> > >
> > > > Somebody get this problem or can help please?
> > >
> > > Probably the access to USB devices (and other things) are granted
> > > via some local groups, so if you have AD/winbind users, they does
> > > not have this group.
> > >
> > > For this, i use typically 'pam_group' module, with a
simple config
> > > like:
> > >
> > >  *; *; *; Al0000-2400;
plugdev,fuse,scanner,video,audio,cdrom,floppy
> > >
> > > Right, ok!
> > But, where do you insert this config, please?
> >
> > For now I disable The Linux Machines on the Office because when I put
> > them inside Samba AD, the machines sometimes logon on the AD and
> > sometimes not or stay waiting 'find' or try to logon for a
long time.
> > When it did work fine, sometimes staying a long time to access file
> > server AD. Maybe I need to study for a good way to insert Linux
> > machines at the domain that works fine and well for users. Now I
> > simply mapped the file server AD path for each user, and well,
it's
> > working. Today at the same place, I inserted a win10 machine at AD,
> > and all works fine.
> >
>
> This now sounds like a different problem to the subject matter, if
> Samba is set up correctly, then the computer should always be able to
> logon without problem (provided the network is working).
>
> Also the ' *; *; *; Al0000-2400;
> plugdev,fuse,scanner,video,audio,cdrom,floppy' line suggested was from
> a long time ago and was meant to be used with an NT4-style ldap domain
> and not AD.
>
> From rereading this thread, you are running Samba 4.18.0 on Linux Mint
> 21.3 , where did you get the Samba 4.18.0 packages from ? As far as I
> can see, Linux Mint doesn't use 4.18.0
>
> How have you set up Samba ?
> If it is as an AD DC, then please post the output of 'samba-tool
> testparm'
>
> If it is as a Unix domain member, then please post the output of
> 'testparm -s'
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

-- 
*Douglas Giovani Oechsler*
e-mail: doguibnu at gmail.com <douglasgiovani at oechsler.com.br>
*Prudent?polis - PR*