Hi, I have installed samba 4.4.4 and configured and works perfect, now I need to configure roaming profiles and reading https://wiki.samba.org/index.php/Shares_with_Windows_ACLs I have detected that I can't configure chgrp "Domain Admins" /srv/samba/Demo/ I'm creating this share on our dc, but seem that with # getent group "Domain Admins" any samba AD group is recovered I have found "If you don't get an output showing the queried name and its ID, there may be something wrong in your NSS configuration <https://wiki.samba.org/index.php?title=Name_service_switch_(NSS)&action=edit&redlink=1> or if you are using Winbindd with RFC2307 (idmap_ad) <https://wiki.samba.org/index.php/Idmap_config_ad>, you might not have an ID assigned (see User and group management <https://wiki.samba.org/index.php/User_and_group_management> for how to administer Unix Attributes in an AD)" but I don't know where is the problem with wbinfo we recover user and group but with getent not. We are making thins test on our samba doamin controller with samba 4.4.4 and debian jessie Where is the problem? Thanks
Did you adjust the nsswitch.conf ? To passwd: compat winbind group: compat winbind Gr. Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Trenta sis > Verzonden: donderdag 7 juli 2016 9:57 > Aan: samba > Onderwerp: [Samba] cifs share for profiles > > Hi, > > I have installed samba 4.4.4 and configured and works perfect, now I need > to configure roaming profiles and reading > https://wiki.samba.org/index.php/Shares_with_Windows_ACLs > > I have detected that I can't configure > > chgrp "Domain Admins" /srv/samba/Demo/ > > > I'm creating this share on our dc, but seem that with > # getent group "Domain Admins" > > any samba AD group is recovered > > > > I have found > "If you don't get an output showing the queried name and its ID, there may > be something wrong in your NSS configuration > <https://wiki.samba.org/index.php?title=Name_service_switch_(NSS)&action=e > dit&redlink=1> > or > if you are using Winbindd with RFC2307 (idmap_ad) > <https://wiki.samba.org/index.php/Idmap_config_ad>, you might not have an > ID assigned (see User and group management > <https://wiki.samba.org/index.php/User_and_group_management> for how to > administer Unix Attributes in an AD)" > > but I don't know where is the problem with wbinfo we recover user and > group > but with getent not. > > We are making thins test on our samba doamin controller with samba 4.4.4 > and debian jessie > > > Where is the problem? > > Thanks > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
On 07/07/16 08:56, Trenta sis wrote:> Hi, > > I have installed samba 4.4.4 and configured and works perfect, now I need > to configure roaming profiles and reading > https://wiki.samba.org/index.php/Shares_with_Windows_ACLs > > I have detected that I can't configure > > chgrp "Domain Admins" /srv/samba/Demo/ > > > I'm creating this share on our dc, but seem that with > # getent group "Domain Admins" > > any samba AD group is recoveredHave you altered the smb.conf on the Samba4 DC and if you have, can you post your smb.conf. Can you also post an example of what you get when you run 'getent group "Domain Admins" Rowland> > > > I have found > "If you don't get an output showing the queried name and its ID, there may > be something wrong in your NSS configuration > <https://wiki.samba.org/index.php?title=Name_service_switch_(NSS)&action=edit&redlink=1> > or > if you are using Winbindd with RFC2307 (idmap_ad) > <https://wiki.samba.org/index.php/Idmap_config_ad>, you might not have an > ID assigned (see User and group management > <https://wiki.samba.org/index.php/User_and_group_management> for how to > administer Unix Attributes in an AD)" > > but I don't know where is the problem with wbinfo we recover user and group > but with getent not. > > We are making thins test on our samba doamin controller with samba 4.4.4 > and debian jessie > > > Where is the problem? > > Thanks
Own anyway.. https://wiki.samba.org/index.php/Implementing_roaming_profiles and choose 1 to the 2 options. Or you use windows ACL Or you use POSIX ACL Best options is. Use Windows ACL, do NO chown/chmod.. do it from within windows. And add : acl_xattr:ignore system acls = yes to smb.conf in the profiles share. This should be oblicated in my opinion for the windows profiles share. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland penny > Verzonden: donderdag 7 juli 2016 10:35 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] cifs share for profiles > > On 07/07/16 08:56, Trenta sis wrote: > > Hi, > > > > I have installed samba 4.4.4 and configured and works perfect, now I > need > > to configure roaming profiles and reading > > https://wiki.samba.org/index.php/Shares_with_Windows_ACLs > > > > I have detected that I can't configure > > > > chgrp "Domain Admins" /srv/samba/Demo/ > > > > > > I'm creating this share on our dc, but seem that with > > # getent group "Domain Admins" > > > > any samba AD group is recovered > > Have you altered the smb.conf on the Samba4 DC and if you have, can you > post your smb.conf. > > Can you also post an example of what you get when you run 'getent group > "Domain Admins" > > Rowland > > > > > > > > > I have found > > "If you don't get an output showing the queried name and its ID, there > may > > be something wrong in your NSS configuration > > > <https://wiki.samba.org/index.php?title=Name_service_switch_(NSS)&action=e > dit&redlink=1> > > or > > if you are using Winbindd with RFC2307 (idmap_ad) > > <https://wiki.samba.org/index.php/Idmap_config_ad>, you might not have > an > > ID assigned (see User and group management > > <https://wiki.samba.org/index.php/User_and_group_management> for how to > > administer Unix Attributes in an AD)" > > > > but I don't know where is the problem with wbinfo we recover user and > group > > but with getent not. > > > > We are making thins test on our samba doamin controller with samba 4.4.4 > > and debian jessie > > > > > > Where is the problem? > > > > Thanks > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Hi, Tried to add winbind in nsswtich but same result , getent group "domain admins" without any result smb.conf # Global parameters [global] bind interfaces only = Yes interfaces = lo eth0 netbios name = dc realm = domain.com server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbin dd, ntp_signd, kcc, dnsupdate workgroup = domain server role = active directory domain controller idmap_ldb:use rfc2307 = yes comment [profilesad] path = /local/var/profilesad read only = No I have used shares with windows acl and also posix acl I have configured cifs profiles and we can create but with getfacl I have detected that doamin users has no permission, only thing that we need is add features to domain admins to allow access cifs profiles, with our actual config only owner can.... Where is the problem? Thanks 2016-07-07 9:56 GMT+02:00 Trenta sis <trenta.sis at gmail.com>:> Hi, > > I have installed samba 4.4.4 and configured and works perfect, now I need > to configure roaming profiles and reading > https://wiki.samba.org/index.php/Shares_with_Windows_ACLs > > I have detected that I can't configure > > chgrp "Domain Admins" /srv/samba/Demo/ > > > I'm creating this share on our dc, but seem that with > # getent group "Domain Admins" > > any samba AD group is recovered > > > > I have found > "If you don't get an output showing the queried name and its ID, there may > be something wrong in your NSS configuration > <https://wiki.samba.org/index.php?title=Name_service_switch_(NSS)&action=edit&redlink=1> or > if you are using Winbindd with RFC2307 (idmap_ad) > <https://wiki.samba.org/index.php/Idmap_config_ad>, you might not have an > ID assigned (see User and group management > <https://wiki.samba.org/index.php/User_and_group_management> for how to > administer Unix Attributes in an AD)" > > but I don't know where is the problem with wbinfo we recover user and > group but with getent not. > > We are making thins test on our samba doamin controller with samba 4.4.4 > and debian jessie > > > Where is the problem? > > Thanks > >
with getfacl userprofiles appear that domain admins has no permission, and I have configured as appear in wiki profiles, but only step that I can't configure is chgrp doamin admins # getfacl /local/var/profilesad/usertest/ getfacl: Removing leading '/' from absolute path names # file: local/var/profilesad/usertest/ # owner: 20087 # group: 513 user::rwx user:20087:rwx user:3000001:rwx group::--- group:513:--- group:3000001:rwx mask::rwx other::--- default:user::rwx default:user:20087:rwx default:user:3000001:rwx default:group::--- default:group:513:--- default:group:3000001:rwx default:mask::rwx default:other::--- getent passwd and getent group in samba 4 ad dc server no result related with users and roup from samba doamin Where is the problem? 2016-07-07 11:29 GMT+02:00 Trenta sis <trenta.sis at gmail.com>:> Hi, > > Tried to add winbind in nsswtich but same result , getent group "domain > admins" without any result > > smb.conf > > # Global parameters > [global] > bind interfaces only = Yes > interfaces = lo eth0 > netbios name = dc > realm = domain.com > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, > winbin > dd, ntp_signd, kcc, dnsupdate > workgroup = domain > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > comment > > [profilesad] > path = /local/var/profilesad > read only = No > > > I have used shares with windows acl and also posix acl > > > I have configured cifs profiles and we can create but with getfacl I have > detected that doamin users has no permission, only thing that we need is > add features to domain admins to allow access cifs profiles, with our > actual config only owner can.... > > > Where is the problem? > > Thanks > > > 2016-07-07 9:56 GMT+02:00 Trenta sis <trenta.sis at gmail.com>: > >> Hi, >> >> I have installed samba 4.4.4 and configured and works perfect, now I need >> to configure roaming profiles and reading >> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs >> >> I have detected that I can't configure >> >> chgrp "Domain Admins" /srv/samba/Demo/ >> >> >> I'm creating this share on our dc, but seem that with >> # getent group "Domain Admins" >> >> any samba AD group is recovered >> >> >> >> I have found >> "If you don't get an output showing the queried name and its ID, there >> may be something wrong in your NSS configuration >> <https://wiki.samba.org/index.php?title=Name_service_switch_(NSS)&action=edit&redlink=1> or >> if you are using Winbindd with RFC2307 (idmap_ad) >> <https://wiki.samba.org/index.php/Idmap_config_ad>, you might not have >> an ID assigned (see User and group management >> <https://wiki.samba.org/index.php/User_and_group_management> for how to >> administer Unix Attributes in an AD)" >> >> but I don't know where is the problem with wbinfo we recover user and >> group but with getent not. >> >> We are making thins test on our samba doamin controller with samba 4.4.4 >> and debian jessie >> >> >> Where is the problem? >> >> Thanks >> >> >
What happens if you add : winbind enum users = Yes winbind enum groups = Yes Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Trenta sis > Verzonden: donderdag 7 juli 2016 11:40 > Aan: samba > Onderwerp: Re: [Samba] cifs share for profiles > > with getfacl userprofiles appear that domain admins has no permission, > and > I have configured as appear in wiki profiles, but only step that I can't > configure is chgrp doamin admins > > # getfacl /local/var/profilesad/usertest/ > getfacl: Removing leading '/' from absolute path names > # file: local/var/profilesad/usertest/ > # owner: 20087 > # group: 513 > user::rwx > user:20087:rwx > user:3000001:rwx > group::--- > group:513:--- > group:3000001:rwx > mask::rwx > other::--- > default:user::rwx > default:user:20087:rwx > default:user:3000001:rwx > default:group::--- > default:group:513:--- > default:group:3000001:rwx > default:mask::rwx > default:other::--- > > > getent passwd and getent group in samba 4 ad dc server no result related > with users and roup from samba doamin > > > Where is the problem? > > > > 2016-07-07 11:29 GMT+02:00 Trenta sis <trenta.sis at gmail.com>: > > > Hi, > > > > Tried to add winbind in nsswtich but same result , getent group "domain > > admins" without any result > > > > smb.conf > > > > # Global parameters > > [global] > > bind interfaces only = Yes > > interfaces = lo eth0 > > netbios name = dc > > realm = domain.com > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > drepl, > > winbin > > dd, ntp_signd, kcc, dnsupdate > > workgroup = domain > > server role = active directory domain controller > > idmap_ldb:use rfc2307 = yes > > comment > > > > [profilesad] > > path = /local/var/profilesad > > read only = No > > > > > > I have used shares with windows acl and also posix acl > > > > > > I have configured cifs profiles and we can create but with getfacl I > have > > detected that doamin users has no permission, only thing that we need is > > add features to domain admins to allow access cifs profiles, with our > > actual config only owner can.... > > > > > > Where is the problem? > > > > Thanks > > > > > > 2016-07-07 9:56 GMT+02:00 Trenta sis <trenta.sis at gmail.com>: > > > >> Hi, > >> > >> I have installed samba 4.4.4 and configured and works perfect, now I > need > >> to configure roaming profiles and reading > >> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs > >> > >> I have detected that I can't configure > >> > >> chgrp "Domain Admins" /srv/samba/Demo/ > >> > >> > >> I'm creating this share on our dc, but seem that with > >> # getent group "Domain Admins" > >> > >> any samba AD group is recovered > >> > >> > >> > >> I have found > >> "If you don't get an output showing the queried name and its ID, there > >> may be something wrong in your NSS configuration > >> > <https://wiki.samba.org/index.php?title=Name_service_switch_(NSS)&action=e > dit&redlink=1> or > >> if you are using Winbindd with RFC2307 (idmap_ad) > >> <https://wiki.samba.org/index.php/Idmap_config_ad>, you might not have > >> an ID assigned (see User and group management > >> <https://wiki.samba.org/index.php/User_and_group_management> for how to > >> administer Unix Attributes in an AD)" > >> > >> but I don't know where is the problem with wbinfo we recover user and > >> group but with getent not. > >> > >> We are making thins test on our samba doamin controller with samba > 4.4.4 > >> and debian jessie > >> > >> > >> Where is the problem? > >> > >> Thanks > >> > >> > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
On 07/07/16 10:29, Trenta sis wrote:> Hi, > > Tried to add winbind in nsswtich but same result , getent group "domain > admins" without any result > > smb.conf > > # Global parameters > [global] > bind interfaces only = Yes > interfaces = lo eth0 > netbios name = dc > realm = domain.com > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, > winbin > dd, ntp_signd, kcc, dnsupdate > workgroup = domain > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > comment > > [profilesad] > path = /local/var/profilesad > read only = No > > > I have used shares with windows acl and also posix acl > > > I have configured cifs profiles and we can create but with getfacl I have > detected that doamin users has no permission, only thing that we need is > add features to domain admins to allow access cifs profiles, with our > actual config only owner can.... > > > Where is the problem? > > Thanks > > > 2016-07-07 9:56 GMT+02:00 Trenta sis <trenta.sis at gmail.com>: > >> Hi, >> >> I have installed samba 4.4.4 and configured and works perfect, now I need >> to configure roaming profiles and reading >> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs >> >> I have detected that I can't configure >> >> chgrp "Domain Admins" /srv/samba/Demo/ >> >> >> I'm creating this share on our dc, but seem that with >> # getent group "Domain Admins" >> >> any samba AD group is recovered >> >> >> >> I have found >> "If you don't get an output showing the queried name and its ID, there may >> be something wrong in your NSS configuration >> <https://wiki.samba.org/index.php?title=Name_service_switch_(NSS)&action=edit&redlink=1> or >> if you are using Winbindd with RFC2307 (idmap_ad) >> <https://wiki.samba.org/index.php/Idmap_config_ad>, you might not have an >> ID assigned (see User and group management >> <https://wiki.samba.org/index.php/User_and_group_management> for how to >> administer Unix Attributes in an AD)" >> >> but I don't know where is the problem with wbinfo we recover user and >> group but with getent not. >> >> We are making thins test on our samba doamin controller with samba 4.4.4 >> and debian jessie >> >> >> Where is the problem? >> >> Thanks >> >>Did you compile Samba your self, or are you using packages from somewhere ?? Rowland