On 11/12/2015 2:59 PM, Rowland Penny wrote:
> On 12/11/15 20:31, Dale Schroeder wrote:
>> OK, try this smb.conf, don't add anything else until you have getent
>> working:
>>>
>>> [global]
>>> workgroup = DOMAIN
>>> security = ADS
>>> realm = DOMAIN.COM
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> idmap config * : range = 1000000-2000000
>>> idmap config * : backend = tdb
>>> idmap config DOMAIN : range = 1000-2000
>>> idmap config DOMAIN : backend = rid
>>> winbind nss info = template
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind refresh tickets = Yes
>>> winbind offline logon = Yes
>>> username map = /etc/samba/users.map
>>> template homedir = /data/users/%U
>>> template shell = /bin/bash
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>> store dos attributes = yes
>>>
>>> The above should work against an AD DC
>>>
>>> Your users.map should be:
>>>
>>> !root = DOMAIN\Administrator DOMAIN\administrator
>>>
>>> Rowland
>>>
>>>
>> Thanks, Rowland. I've gotten it working for the most part. There are
>> some permissions issues with vfs recycle, but I'll have to work those
>> out later.
>>
>> Just to satisfy my curiosity more than anything, I'd like to clarify
>> a few things.
>>
>> 1. What is the benefit of using 'secrets and keytab'? All of my
>> other member servers seem to function OK with the default 'secrets
>> only'.
>
> It tries to use the secrets.tdb first for kerberos verification and if
> it cannot do this, it uses the system keytab, bit of a belt & braces
> situation really.
>
>> 2. What does the syntax of the users.map file that you have
>> presented mean, or maybe it would be better stated as what does it
>> do? That is nothing at all like the mapping files I have used for
>> the past 12 years. I have seen this before, but have never seen an
>> explanation of it.
>
> Fairly simple, it maps the windows domain Administrator to the local
> Unix 'root' user, you can then change file permissions on samba Unix
> shares from windows.

Then ! is not being interpreted as "not", which is how I interpreted it. :-D
To me, it looks like it's saying the users on the right side of the equal
sign are "not root". Like I said, it's hard to wrap my head around the
syntax. It looks like the inverse of what it actually is.

>
>> 3. Some time back, you mentioned the name of the file in Debian that
>> listed the default mount options. Would you please state it again?
>> I can't seem to locate that particular email in the archives.
>
> Well I would if I could, but what do you mean by 'default mount options'
> ? autofs ? cifs ? ???

Actually, I was thinking of the ext4 defaults for mount options in fstab.
At least, that's how I'm remembering it. Then again, my memory is not
what it used to be. ;-)

Dale

>
> Rowland
>
>>
>> Thanks again,
>> Dale
>>
>
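As an added illustration (not code from the thread or from Samba), here is a toy resolver for the `username map` file format that shows what the leading `!` in `!root = DOMAIN\Administrator DOMAIN\administrator` does: per smb.conf(5) it means "stop processing the file once this line has mapped the name", which matters because a later line (such as a wildcard) would otherwise remap the result. The sample map and the case-insensitive comparison are assumptions made for this example.

```python
# Added example, not code from the thread or from Samba: a toy resolver
# for Samba's "username map" file. Semantics follow smb.conf(5): one
# "unixname = name1 name2 ..." per line, "#" or ";" comment lines, "*"
# matches any name, "@group" matches group members, and a leading "!"
# means "stop processing the file once this line has mapped the name".
# Name comparison is case-insensitive here (an assumption for this toy;
# consult smb.conf(5) for the exact rules of your Samba version).

# Constructed sample: Rowland's line plus a trailing wildcard line like
# the "guest = *" example in the man page, to show why the "!" matters.
SAMPLE_MAP = """
# map the AD domain Administrator onto the local root account
!root = DOMAIN\\Administrator DOMAIN\\administrator
; anything still unmapped at this point becomes nobody
nobody = *
"""

def parse_map(text):
    """Return (stop_after_match, unixname, [windows names]) per line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        unixname, sep, rhs = line.partition("=")
        if not sep or not unixname.strip():
            raise ValueError("bad username map line: %r" % raw)
        entries.append((stop, unixname.strip(), rhs.split()))
    return entries

def map_username(name, text, in_group=lambda user, group: False):
    """Walk the map the way smb.conf(5) describes: every line is tried in
    order, a later line can remap the result of an earlier one, and a "!"
    line ends the walk as soon as it matches. in_group(user, group)
    decides "@group" entries (default: never a member)."""
    current = name
    for stop, unixname, names in parse_map(text):
        matched = any(
            n == "*"
            or (n.startswith("@") and in_group(current, n[1:]))
            or n.lower() == current.lower()
            for n in names
        )
        if matched:
            current = unixname
            if stop:
                break
    return current
```

Without the `!`, the same map sends `DOMAIN\Administrator` to `root` on the first line and then on to `nobody` on the wildcard line, which is the opposite of what the map is meant to grant.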
On 12/11/15 21:37, Dale Schroeder wrote:
> On 11/12/2015 2:59 PM, Rowland Penny wrote:
>> On 12/11/15 20:31, Dale Schroeder wrote:
>>> OK, try this smb.conf, don't add anything else until you have getent
>>> working:
>>>>
>>>> [global]
>>>> workgroup = DOMAIN
>>>> security = ADS
>>>> realm = DOMAIN.COM
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>> idmap config * : range = 1000000-2000000
>>>> idmap config * : backend = tdb
>>>> idmap config DOMAIN : range = 1000-2000
>>>> idmap config DOMAIN : backend = rid
>>>> winbind nss info = template
>>>> winbind trusted domains only = no
>>>> winbind use default domain = yes
>>>> winbind enum users = Yes
>>>> winbind enum groups = Yes
>>>> winbind refresh tickets = Yes
>>>> winbind offline logon = Yes
>>>> username map = /etc/samba/users.map
>>>> template homedir = /data/users/%U
>>>> template shell = /bin/bash
>>>> vfs objects = acl_xattr
>>>> map acl inherit = yes
>>>> store dos attributes = yes
>>>>
>>>> The above should work against an AD DC
>>>>
>>>> Your users.map should be:
>>>>
>>>> !root = DOMAIN\Administrator DOMAIN\administrator
>>>>
>>>> Rowland
>>>>
>>>>
>>> Thanks, Rowland. I've gotten it working for the most part. There
>>> are some permissions issues with vfs recycle, but I'll have to work
>>> those out later.
>>>
>>> Just to satisfy my curiosity more than anything, I'd like to clarify
>>> a few things.
>>>
>>> 1. What is the benefit of using 'secrets and keytab'? All of my
>>> other member servers seem to function OK with the default 'secrets
>>> only'.
>>
>> It tries to use the secrets.tdb first for kerberos verification and
>> if it cannot do this, it uses the system keytab, bit of a belt &
>> braces situation really.
>>
>>> 2. What does the syntax of the users.map file that you have
>>> presented mean, or maybe it would be better stated as what does it
>>> do? That is nothing at all like the mapping files I have used for
>>> the past 12 years. I have seen this before, but have never seen an
>>> explanation of it.
>>
>> Fairly simple, it maps the windows domain Administrator to the local
>> Unix 'root' user, you can then change file permissions on samba Unix
>> shares from windows.
> Then ! is not being interpreted as "not", which is how I interpreted
> it. :-D To me, it looks like it's saying the users on the right side
> of the equal sign are "not root". Like I said, it's hard to wrap my
> head around the syntax. It looks like the inverse of what it actually
> is.
>>
>>>
>>> 3. Some time back, you mentioned the name of the file in Debian
>>> that listed the default mount options. Would you please state it
>>> again? I can't seem to locate that particular email in the archives.
>>
>> Well I would if I could, but what do you mean by 'default mount
>> options' ? autofs ? cifs ? ???
> Actually, I was thinking of the ext4 defaults for mount options in
> fstab. At least, that's how I'm remembering it. Then again, my
> memory is not what it used to be. ;-)
>

Ah, those mount options in fstab, if you are using ext4, then it is
simple, you do not need to add any. All the ones that various websites
tell you to add, are already part of the default settings.

see: https://www.kernel.org/doc/Documentation/filesystems/ext4.txt

Rowland
On 11/13/2015 2:20 AM, Rowland Penny wrote:
> On 12/11/15 21:37, Dale Schroeder wrote:
>> On 11/12/2015 2:59 PM, Rowland Penny wrote:
>>> On 12/11/15 20:31, Dale Schroeder wrote:
>>>> OK, try this smb.conf, don't add anything else until you have
>>>> getent working:
>>>>>
>>>>> [global]
>>>>> workgroup = DOMAIN
>>>>> security = ADS
>>>>> realm = DOMAIN.COM
>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>> kerberos method = secrets and keytab
>>>>> idmap config * : range = 1000000-2000000
>>>>> idmap config * : backend = tdb
>>>>> idmap config DOMAIN : range = 1000-2000
>>>>> idmap config DOMAIN : backend = rid
>>>>> winbind nss info = template
>>>>> winbind trusted domains only = no
>>>>> winbind use default domain = yes
>>>>> winbind enum users = Yes
>>>>> winbind enum groups = Yes
>>>>> winbind refresh tickets = Yes
>>>>> winbind offline logon = Yes
>>>>> username map = /etc/samba/users.map
>>>>> template homedir = /data/users/%U
>>>>> template shell = /bin/bash
>>>>> vfs objects = acl_xattr
>>>>> map acl inherit = yes
>>>>> store dos attributes = yes
>>>>>
>>>>> The above should work against an AD DC
>>>>>
>>>>> Your users.map should be:
>>>>>
>>>>> !root = DOMAIN\Administrator DOMAIN\administrator
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> Thanks, Rowland. I've gotten it working for the most part. There
>>>> are some permissions issues with vfs recycle, but I'll have to work
>>>> those out later.
>>>>
>>>> Just to satisfy my curiosity more than anything, I'd like to
>>>> clarify a few things.
>>>>
>>>> 1. What is the benefit of using 'secrets and keytab'? All of my
>>>> other member servers seem to function OK with the default 'secrets
>>>> only'.
>>>
>>> It tries to use the secrets.tdb first for kerberos verification and
>>> if it cannot do this, it uses the system keytab, bit of a belt &
>>> braces situation really.
>>>
>>>> 2. What does the syntax of the users.map file that you have
>>>> presented mean, or maybe it would be better stated as what does it
>>>> do? That is nothing at all like the mapping files I have used for
>>>> the past 12 years. I have seen this before, but have never seen an
>>>> explanation of it.
>>>
>>> Fairly simple, it maps the windows domain Administrator to the local
>>> Unix 'root' user, you can then change file permissions on samba Unix
>>> shares from windows.
>> Then ! is not being interpreted as "not", which is how I interpreted
>> it. :-D To me, it looks like it's saying the users on the right
>> side of the equal sign are "not root". Like I said, it's hard to
>> wrap my head around the syntax. It looks like the inverse of what it
>> actually is.
>>>
>>>>
>>>> 3. Some time back, you mentioned the name of the file in Debian
>>>> that listed the default mount options. Would you please state it
>>>> again? I can't seem to locate that particular email in the archives.
>>>
>>> Well I would if I could, but what do you mean by 'default mount
>>> options' ? autofs ? cifs ? ???
>> Actually, I was thinking of the ext4 defaults for mount options in
>> fstab. At least, that's how I'm remembering it. Then again, my
>> memory is not what it used to be. ;-)
>>
>
> Ah, those mount options in fstab, if you are using ext4, then it is
> simple, you do not need to add any. All the ones that various websites
> tell you to add, are already part of the default settings.
>
> see: https://www.kernel.org/doc/Documentation/filesystems/ext4.txt
>
> Rowland
>

There is a lot of information in that document, but I did not find the
definitive answer to "defaults equals what?". I did finally find a Linux
Mint article dated 11/12/14 (http://community.linuxmint.com/tutorial/view/1513)
that states the following:

*defaults* - Use default settings. Equivalent to rw, suid, dev, exec,
auto, nouser, async.

There is no mention of acl, user_xattr, or journal_checksum - options
that I routinely use.

Basically, I'm trying to find out if anything has changed since that time
(Debian specific), and, up until now, such documentation has been
extremely hard to find. Anything else that you can provide will be
greatly appreciated.

Thanks again.
Dale