Arnaud Cruzel
2017-Mar-15 12:23 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
Hi everybody, I have a samba server member for file sharing configured like below. Domains controllers are on samba too. Every servers are on samba 4.5.3. When I created the domain I activated rfc2307. Now I think rfc2307 was a bad idea... My problem is that I'd like to allow users and computers to access to the file server even if uidNumber is not set. If I create an user without uidNumber, he is able to access to sysvol (by exemple) on all DC without problems. But if he try to access to the file server (from a Windows 10 client), he get an "Access refused". I understand that the problem come from uidNumber not set. And I think that the solution is in relation with idmap, winbind and rfc2307. So I'm completely lost with those features : How can I disable idmapping for get the same behavior on the file server than the Domain controller ? And if I do that, is the MacOS users will have problems to access to the shares with afp protocol (netatalk). I'd like this behavior to permit computers to access to shares for installing application with GPO set on DC and applied to computers instead of users section in the GPO. Thanks Below my smb.conf on the file server : ========================================================[global] netbios name = FS1 security = ADS workgroup = IFPOAD realm = IFPOAD.IFPORIENT.ORG log file = /var/log/samba/%m.log log level = 1 interfaces=lo eth0 bind interfaces only=yes server string = %h samba server wins support = yes # Default idmap config used for BUILTIN and local accounts/groups idmap config *:backend = tdb idmap config *:range = 2000-9999 idmap config IFPOAD:backend = ad idmap config IFPOAD:schema_mode = rfc2307 idmap config IFPOAD:range = 10000-99999 winbind nss info = rfc2307 winbind enum users = yes winbind enum groups = yes winbind trusted domains only = no winbind use default domain = yes # Activation des attributs Etendus Windows vfs objects = acl_xattr map acl inherit = yes store dos attributes = yes # For Mac OS compatibility ? unix extensions = no # Spool d'impression rpc_server:spoolss = external rpc_daemon:spoolssd = fork spoolss: architecture = Windows x64 veto files = /._*/.DS_Store/~*/ delete veto files = yes [Shares] path = /srv/samba/shares read only = no [home] path = /home/samba read only = no [profile$] path = /srv/samba/Profiles read only = no [deploy$] path = /srv/samba/deploy read only = no [BkShares] path = /srv/Backups/bkIFPO/shares read only = no [printers] path = /var/spool/samba/ printable = yes printing = CUPS ========================================================= -- Arnaud Cruzel Administrateur Système et Réseau Institut français du Proche-Orient (Ifpo) المعهد الفرنسي للشرق الأدنى UMIFRE 6 - MAEDI - CNRS - USR 3135 Tél. Liban : +961 76 596 131 Tél. France : +33 6 67 51 68 50 a.cruzel at ifporient.org
Rowland Penny
2017-Mar-15 13:17 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
On Wed, 15 Mar 2017 14:23:23 +0200 Arnaud Cruzel via samba <samba at lists.samba.org> wrote:> Hi everybody, > > I have a samba server member for file sharing configured like below. > Domains controllers are on samba too. > Every servers are on samba 4.5.3. > When I created the domain I activated rfc2307. > > Now I think rfc2307 was a bad idea... >You could use the winbind 'rid' backend instead, this will mean that your users will get different 'IDs', so you will have to change the ownership of any files and directories stored on the fileserver. You will also have to use 'template' lines in smb.conf for Unix home dirs and shell. Rowland
L.P.H. van Belle
2017-Mar-15 14:16 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
> But if he try to access to the file server (from a Windows 10 client), > he get an "Access refused".How did he access the share. \\servername\share or \\servername.dnsdom.tld\share (or by \\ip ) Can he access \\servername without the share. And the Win10 eventid + discription of the "Access refused" would be nice. The "Share Security" settings are? It should work with rfc2307, i works fine for me ADDC 4.5.3 + members 4.5.3/4.6.0 All servers in rfc2307 mode. But i did set extra things, so before i advice something i need the above info first. Greetz, Louis
Chris Weiss
2017-Mar-15 14:31 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
On Wed, Mar 15, 2017 at 7:56 AM Arnaud Cruzel via samba < samba at lists.samba.org> wrote:> > I'd like this behavior to permit computers to access to shares for > installing application with GPO set on DC and applied to computers > instead of users section in the GPO.when a client connects to a share, smbd spawns a new process owned by that user, which is why it needs a uid. if you want your share to be readable by anyone, look into the "map to guest" option to give users that can't be validated an alternate uid.
Arnaud Cruzel
2017-Mar-15 15:13 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
Le mercredi 15 mars 2017 à 13:17 +0000, Rowland Penny via samba a écrit :> On Wed, 15 Mar 2017 14:23:23 +0200 > Arnaud Cruzel via samba <samba at lists.samba.org> wrote: > > > Hi everybody, > > > > I have a samba server member for file sharing configured like > > below. > > Domains controllers are on samba too. > > Every servers are on samba 4.5.3. > > When I created the domain I activated rfc2307. > > > > Now I think rfc2307 was a bad idea... > > > > You could use the winbind 'rid' backend instead, this will mean that > your users will get different 'IDs', so you will have to change the > ownership of any files and directories stored on the fileserver. > > You will also have to use 'template' lines in smb.conf for Unix home > dirs and shell. > > Rowland >Thanks for your answer. OK, I tried that. After what there is no long problems for access to file server by an user without uidNumber. But now it's impossible for unix client to access to samba shares on this server. I think because of uid are differents. For information I didn't have to change shares owner, the server kept the same uids for users (I think because of caching ?) What I did : # diff smb.conf.ad smb.conf.rid 37,39c37,39 < idmap config IFPOAD:backend = ad < idmap config IFPOAD:schema_mode = rfc2307 < idmap config IFPOAD:range = 10000-99999 ---> # idmap config IFPOAD:backend = ad > # idmap config IFPOAD:schema_mode = rfc2307 > # idmap config IFPOAD:range = 10000-9999941,42c41,42 < # idmap config IFPOAD : backend = rid < # idmap config IFPOAD : range = 10000-999999 ---> idmap config IFPOAD : backend = rid > idmap config IFPOAD : range = 10000-99999945,46c45,46 < # winbind nss info = template < # template shell = /bin/bash ---> winbind nss info = template > template shell = /bin/bash47a48,50> template homedir = /Users/%U > > # winbind nss info = rfc230749d51 < winbind nss info = rfc2307 61c63 < unix extensions = no ---> # unix extensions = no75c77 < #username map = /usr/local/samba/etc/user.map ---> username map = /usr/local/samba/etc/user.map
Arnaud Cruzel
2017-Mar-15 15:40 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
Le mercredi 15 mars 2017 à 15:16 +0100, L.P.H. van Belle via samba a écrit :> > But if he try to access to the file server (from a Windows 10 > > client), > > he get an "Access refused". > > How did he access the share. > \\servername\share or \\servername.dnsdom.tld\share > (or by \\ip )by \\servername\share> > Can he access \\servername without the share.no it can't> > And the Win10 eventid + discription of the "Access refused" would be > nice.There is no event ID neither descriptions. I don't find any entry on Windows event viewer.> > The "Share Security" settings are?by exemple for the share 'Shares' : For Administrator / Domain Admins / System / Creator Owner = Full Control on folder, subfolders and files For Authenticated Users / Domain Users = Read and Execute on this folder only> > It should work with rfc2307, i works fine for me > ADDC 4.5.3 + members 4.5.3/4.6.0 > All servers in rfc2307 mode.Yes I don't say it's not working. The problem is for set a GPO to deploy applications, I have to deploy it by user GPO. If I want to do that by computer GPO I have to set uidNumber to all computers. I'm lazy to do that :) And now with Windows 10 who don't allow to set rfc2307 easily with ADUC it become very complicate to set uidNumber manually for each user.> > But i did set extra things, so before i advice something i need the > above info first. > > > Greetz, > > Louis > > > > > >
Arnaud Cruzel
2017-Mar-15 15:42 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
Le mercredi 15 mars 2017 à 14:31 +0000, Chris Weiss via samba a écrit :> On Wed, Mar 15, 2017 at 7:56 AM Arnaud Cruzel via samba < > samba at lists.samba.org> wrote: > > > > > I'd like this behavior to permit computers to access to shares for > > installing application with GPO set on DC and applied to computers > > instead of users section in the GPO. > > > when a client connects to a share, smbd spawns a new process owned by > that > user, which is why it needs a uid. if you want your share to be > readable > by anyone, look into the "map to guest" option to give users that > can't be > validated an alternate uid. >Ok thanks I understand why it does that now. So your suggestion can be a solution but it's not very safe.
L.P.H. van Belle
2017-Mar-15 16:01 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
Ok, these :> For Administrator / Domain Admins / System / Creator Owner = Full > Control on folder, subfolders and filesAre not available on the "Share security" but are on the "Security" So the "Share security settings" need only. Everyone FULL CONTROLL ( or Verified users ) And i think your done.> For Administrator / Domain Admins / System / Creator Owner = Full Control on folder, subfolders and files> For Authenticated Users / Domain Users = Read and Execute on this folder onlyIn your case i suggest, Domain Admins SYSTEM CREATOR OWNER ( or better GROUP ) CREATOR GROUP All full controll. Authenticated users OR Domain Users. Setting both isnt needed. With at least read. I suggest you set ( in case of GPO things ) Authenticated users. Since that include also the computers. In other cases, use "domain users" and/or the other groups you need. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: Arnaud Cruzel [mailto:a.cruzel at ifporient.org] > Verzonden: woensdag 15 maart 2017 16:40 > Aan: L.P.H. van Belle; samba at lists.samba.org > Onderwerp: Re: [Samba] Allow user without uidNumber to access to a Samba > member file server > > Le mercredi 15 mars 2017 à 15:16 +0100, L.P.H. van Belle via samba a > écrit : > > > But if he try to access to the file server (from a Windows 10 > > > client), > > > he get an "Access refused". > > > > How did he access the share. > > \\servername\share or \\servername.dnsdom.tld\share > > (or by \\ip ) > by \\servername\share > > > > > > Can he access \\servername without the share. > no it can't > > > > And the Win10 eventid + discription of the "Access refused" would be > > nice. > There is no event ID neither descriptions. I don't find any entry on > Windows event viewer. > > > > The "Share Security" settings are? > by exemple for the share 'Shares' : > For Administrator / Domain Admins / System / Creator Owner = Full > Control on folder, subfolders and files > For Authenticated Users / Domain Users = Read and Execute on this > folder only > > > > > > It should work with rfc2307, i works fine for me > > ADDC 4.5.3 + members 4.5.3/4.6.0 > > All servers in rfc2307 mode. > Yes I don't say it's not working. The problem is for set a GPO to > deploy applications, I have to deploy it by user GPO. > If I want to do that by computer GPO I have to set uidNumber to all > computers. I'm lazy to do that :) > And now with Windows 10 who don't allow to set rfc2307 easily with ADUC > it become very complicate to set uidNumber manually for each user. > > > > > But i did set extra things, so before i advice something i need the > > above info first. > > > > > > Greetz, > > > > Louis > > > > > > > > > > > >
Reasonably Related Threads
- Allow user without uidNumber to access to a Samba member file server
- Allow user without uidNumber to access to a Samba member file server
- Allow user without uidNumber to access to a Samba member file server
- Allow user without uidNumber to access to a Samba member file server
- Permission Issues with GPO