On 14.10.2016 at 15:04, Rowland Penny via samba wrote:
> On Fri, 14 Oct 2016 14:32:52 +0200
> Udo Willke via samba <samba@lists.samba.org> wrote:
>
>> Hello Rowland,
>>
>> On 13.10.2016 at 18:25, Rowland Penny via samba wrote:
>>> It sounds like you don't have IDMU installed, not sure if you can
>>> install it on 2012.
>> Are you trying to say that I should install "Identity Management for
>> Unix" on a Windows Server 2012? If yes, I am afraid we have a
>> misunderstanding here: I don't use any Windows Server in my set-up.
>>
>> I use a Fileserver with two network interfaces, one connected to a
>> private network, the other connected to our university network. A
>> Samba AD DC is supposed to manage a small Windows Domain in the
>> private net. The fileserver also serves as a gateway to the Windows 7
>> workstations in the private net. Fileserver and AD DC are both
>> running ubuntu 16.04 and have the respective Samba packages
>> installed. For testing I have set up two Windows 7 Instances on ESXi
>> inside the private net, one with the RSAT Tools installed and one as
>> a user PC.
>>
>> Update: I spent the morning setting up a fresh member server
>> ("FILESERVER2") for testing inside the private net (with 1 NIC only,
>> thereby reducing complexity). I think I have made all the necessary
>> steps and did not forget to grant the SeDiskOperatorPrivilege rights
>> to the Domain Admins:
>>
>> root@fileserver2:/var/log/samba# net rpc rights list 'MYDOMAIN\Domain Admins' -U'MYDOMAIN\Administrator' -S addc01
>> Enter MYDOMAIN\Administrator's password:
>> SeDiskOperatorPrivilege
>>
>> Now I'm stuck in the RSAT Computer Management Console where I am
>> denied access to the share configuration. On the navigation tree in
>> the left window "Local users and groups" is shown as locked (and I
>> remember this went only away after I assigned a uidNumber to the
>> Administrator account and made it a member of the Domain Admins Unix
>> Group). Can't tell if this is a useful hint.
>>
> I could have sworn you mentioned a 2012 server,
No problem
> so if you are
> authenticating the fileserver to a Samba AD DC, did you provision the
> DC with '--use-rfc2307' ?
Yes, I did. From my shell history:
samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --dns-backend=BIND9_DLZ --host-name=addc01 --realm=MYDOMAIN.LAN --domain=MYDOMAIN --server-role='dc' --adminpass='*******************'
> Not a problem if you didn't, see here:
>
>
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_NIS_extensions
>
> The 'Administrator' is always a member of 'Domain Admins'
>
> Did you remember to add the 'user.map' line to smb.conf ?
Yes I did, but had a typo in the real domain name .... and this was
the problem :-[
Now I have access to the share configuration :-)
What's a little confusing:
"Share Permissions" has the "Everyone" account already filled in with
"Full Control".
"Security" has "Everyone", "root", "ERSTELLER-BESITZER" (Creator Owner),
"ERSTELLERGRUPPE" (Creator Group) and "Domain Admins" accounts already
filled in.
---> What would you suggest? Remove all unwanted accounts first and then
follow the wiki? I remember trouble started when I removed the
"Everyone" account.
Extended attributes on [home] look like this at this point:
root@fileserver2:/var/log/samba# LANG=en_US getfacl /var/share/samba/homes/
getfacl: Removing leading '/' from absolute path names
# file: var/share/samba/homes/
# owner: root
# group: MYDOMAIN\134domain\040admins
user::rwx
group::rwx
other::r-x
BTW: On this server, I changed the id ranges to more modest values:
root@fileserver2:/var/log/samba# grep idmap /etc/samba/smb.conf
;; Default idmap config used for BUILTIN and local accounts/groups
idmap config * : backend = tdb
idmap config * : range = 2000-9999
;; idmap config for domain MYDOMAIN
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
This is correctly reflected in the id mappings:
root@fileserver2:/var/log/samba# net idmap dump
dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
GID 2004 S-1-5-11
USER HWM 2000
GID 2002 S-1-1-0
GID 2003 S-1-5-2
GROUP HWM 2005
Thanks and best regards
Udo
>
> Rowland
>
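The smb.conf idmap settings and the `net idmap dump` output quoted above are the two things that have to agree for winbind on a member server to hand out stable uids/gids: the ranges of the `*` (tdb) backend and the `MYDOMAIN` (ad) backend must not overlap, and every id that the tdb backend has already allocated must lie inside the `*` range. The script below is an added example written for this page, not code from the thread or from the Samba project; it embeds constructed copies of the smb.conf fragment and the dump output shown in the message and checks both conditions offline. It assumes, as in the thread's configuration, that the `*` domain is the tdb backend whose allocations land in winbindd_idmap.tdb; it cannot check from here whether the uidNumber/gidNumber values stored in AD fall inside the `MYDOMAIN` range, which the ad backend also requires.

```python
"""Offline sanity checks for winbind idmap ranges and winbindd_idmap.tdb contents.

Added example, not from the mailing-list thread or the Samba project.
The smb.conf fragment and the dump output are constructed to mirror the
values quoted in the thread; in practice feed the script the real files.
"""
import re

# Constructed sample: the idmap lines from the thread's smb.conf.
SMB_CONF = """
;; Default idmap config used for BUILTIN and local accounts/groups
idmap config * : backend = tdb
idmap config * : range = 2000-9999
;; idmap config for domain MYDOMAIN
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
"""

# Constructed sample in the format printed by `net idmap dump`.
# S-1-1-0 is Everyone, S-1-5-2 is Network, S-1-5-11 is Authenticated Users;
# these well-known SIDs belong to no domain and are mapped by the '*' backend.
IDMAP_DUMP = """
dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
GID 2004 S-1-5-11
USER HWM 2000
GID 2002 S-1-1-0
GID 2003 S-1-5-2
GROUP HWM 2005
"""

IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")
MAPPING_LINE = re.compile(r"^(UID|GID)\s+(\d+)\s+(S-1-(?:\d+-)+\d+)$")


def parse_idmap_config(text):
    """Return {domain: {key: value}} for every 'idmap config' line in smb.conf text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            dom, key, val = m.groups()
            cfg.setdefault(dom, {})[key] = val
    return cfg


def parse_range(spec):
    """Parse 'LOW-HIGH' into (low, high); reject inverted ranges."""
    lo, hi = (int(x) for x in spec.split("-"))
    if lo > hi:
        raise ValueError(f"bad idmap range {spec!r}")
    return lo, hi


def check_ranges(cfg):
    """Return problems: backends without a range, and pairs of ranges that overlap."""
    problems = []
    ranges = {}
    for dom, keys in cfg.items():
        if "range" not in keys:
            problems.append(f"{dom}: no range configured")
            continue
        ranges[dom] = parse_range(keys["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def parse_idmap_dump(text):
    """Return [(kind, id, sid)] for the UID/GID lines of `net idmap dump` output."""
    out = []
    for line in text.splitlines():
        m = MAPPING_LINE.match(line.strip())
        if m:
            kind, xid, sid = m.groups()
            out.append((kind, int(xid), sid))
    return out


def check_dump_in_default_range(cfg, mappings):
    """Return dumped mappings whose id lies outside the '*' range.

    Assumption (true for the thread's smb.conf): '*' is the tdb backend, so
    everything persisted in winbindd_idmap.tdb was allocated from its range.
    An entry outside it is stale, typically left over from an earlier range.
    """
    lo, hi = parse_range(cfg["*"]["range"])
    return [m for m in mappings if not lo <= m[1] <= hi]


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    print("range problems:", check_ranges(cfg))
    stale = check_dump_in_default_range(cfg, parse_idmap_dump(IDMAP_DUMP))
    print("tdb entries outside the '*' range:", stale)
```

When the ranges are changed on a live member server, as was done in the thread, the second check is the one worth re-running after `net idmap dump`: entries left over from the old, wider range will keep their old gids and show up here.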