On 17/11/16 19:48, Rowland Penny via samba wrote:> If you are running Samba as an AD DC or domain member, then you > shouldn't be using 'valid' & 'invalid' any more. As for creating > users etc, samba-tool comes with help, try running 'samba-tool --help' > > If you have more questions, please feel free to ask ;-) > > Rowland >What? Really? "valid users" and "invalid users" doesn't work on a Samba 4 AD member? We reply on this for shares that have other shares below them (Posix ACLs only). Where is it documented that this is now not functional? I'm hoping it just means it's deprecated and some other mechanism has supplanted it, in which case I'd like to know how to restrict at the share level properly! Cheers Alex -- This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice. The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice. "Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).
I prefer a book witch more example: the wiki of samba it's really well documentation but my english it's very so so. thanks a lot Il 17/11/2016 21:07, Alex Crow via samba ha scritto:> > On 17/11/16 19:48, Rowland Penny via samba wrote: >> If you are running Samba as an AD DC or domain member, then you >> shouldn't be using 'valid' & 'invalid' any more. As for creating >> users etc, samba-tool comes with help, try running 'samba-tool --help' >> >> If you have more questions, please feel free to ask ;-) >> >> Rowland >> > What? Really? "valid users" and "invalid users" doesn't work on a Samba > 4 AD member? > > We reply on this for shares that have other shares below them (Posix > ACLs only). Where is it documented that this is now not functional? > > I'm hoping it just means it's deprecated and some other mechanism has > supplanted it, in which case I'd like to know how to restrict at the > share level properly! > > Cheers > > Alex > -- > This message is intended only for the addressee and may contain > confidential information. Unless you are that person, you may not > disclose its contents or use it in any way and are requested to delete > the message along with any attachments and notify us immediately. > This email is not intended to, nor should it be taken to, constitute advice. > The information provided is correct to our knowledge & belief and must not > be used as a substitute for obtaining tax, regulatory, investment, legal or > any other appropriate advice. > > "Transact" is operated by Integrated Financial Arrangements Ltd. > 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. > (Registered office: as above; Registered in England and Wales under > number: 3727592). Authorised and regulated by the Financial Conduct > Authority (entered on the Financial Services Register; no. 190856). >
On Thu, 17 Nov 2016 20:07:26 +0000 Alex Crow via samba <samba at lists.samba.org> wrote:> > > On 17/11/16 19:48, Rowland Penny via samba wrote: > > If you are running Samba as an AD DC or domain member, then you > > shouldn't be using 'valid' & 'invalid' any more. As for creating > > users etc, samba-tool comes with help, try running 'samba-tool > > --help' > > > > If you have more questions, please feel free to ask ;-) > > > > Rowland > > > > What? Really? "valid users" and "invalid users" doesn't work on a > Samba 4 AD member?Just where did I say 'doesn't' ??? I said 'shouldn't', you should use ACL's instead, either by setting the permissions from windows or with setfacl> > We reply on this for shares that have other shares below them (Posix > ACLs only). Where is it documented that this is now not functional?It is still functional, but is the old way of doing things, if you are using them, carry on, but there are better ways of doing it now.> > I'm hoping it just means it's deprecated and some other mechanism has > supplanted it, in which case I'd like to know how to restrict at the > share level properly!Try reading this: https://wiki.samba.org/index.php/Shares_with_Windows_ACLs Rowland
On Thu, 17 Nov 2016 21:13:56 +0100 marco pirola via samba <samba at lists.samba.org> wrote:> I prefer a book witch more example: the wiki of samba it's really > well documentation but my english it's very so so. > > thanks a lot >You sound just like the person we need to read the wiki, if you can understand it, then anybody can. If you cannot understand it, we need to know why you cannot and what we need to do to fix it. Rowland
On 17/11/16 20:19, Rowland Penny via samba wrote:> On Thu, 17 Nov 2016 20:07:26 +0000 > Alex Crow via samba <samba at lists.samba.org> wrote: > >> >> On 17/11/16 19:48, Rowland Penny via samba wrote: >>> If you are running Samba as an AD DC or domain member, then you >>> shouldn't be using 'valid' & 'invalid' any more. As for creating >>> users etc, samba-tool comes with help, try running 'samba-tool >>> --help' >>> >>> If you have more questions, please feel free to ask ;-) >>> >>> Rowland >>> >> What? Really? "valid users" and "invalid users" doesn't work on a >> Samba 4 AD member? > Just where did I say 'doesn't' ??? > > I said 'shouldn't', you should use ACL's instead, either by setting the > permissions from windows or with setfaclWell, "shouldn't" often implies "deprecated" and "will break soon"! We've suffered breakages with idMap on our old Samba 3 NT Domain with member file servers. It was quite unexpected and we had to contract a commercial support company to help us resolve it. And think this even happened within a minor version update. So I hope you can understand that I'm naturally cautious about future changes.>> We reply on this for shares that have other shares below them (Posix >> ACLs only). Where is it documented that this is now not functional? > It is still functional, but is the old way of doing things, if you are > using them, carry on, but there are better ways of doing it now.As long as it's clearly announced in release notes (in new/removed features part) when a) it's deprecated and b) it has been disabled, that's fine with me.> >> I'm hoping it just means it's deprecated and some other mechanism has >> supplanted it, in which case I'd like to know how to restrict at the >> share level properly! > Try reading this: > > https://wiki.samba.org/index.php/Shares_with_Windows_ACLs > > Rowland >I've read that, but we have a number of scripts that currently work with the "old way". I assume that the "new way" will not actually stop permissions set with POSIX ACLs from working properly? It seems so from my testing with our staging AD domain where we have the "new way" enabled but no changes have been made to FS ACLs/xattrs so far... Cheers Alex>-- This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice. The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice. "Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).