On Thu, 01 Jun 2017 14:55:40 +0200
Supporter via samba <samba at lists.samba.org> wrote:
>> Hello All,
>>
>> I have a big problem. I don't know how I can resolve it.
>>
>> Design:
>>
>> |server Samba AD 4.6.2| <---------- | Samba File Server v4.6.2/v4.6.4 | <--------- | Windows 7 client |
>>
>>
>> -----------------------
>> On Windows & client:
>>
>> User can open files in share.
>> Problem is when he wants to change privileges
>> (Properties>Security>Edit>Add).
>> "Application can't open required window...".
>> Next window: "The user selection dialog can not be displayed. RPC
>> Server is unavailable.".
>>
>>
>> -----------------------
>> On Samba File Server:
>>
>> - server is connected to domain:
>> net ads testjoin -k
>> Join is OK
>> - wbinfo -i (show users correctly),
>> - wbinfo -g (show groups correctly),
>> - users have access to files on share,
>> - files/directories have right privileges
>>
>> getfacl example_dir
>> # file: example_dir
>> # owner: xxx
>> # group: xxy
>> user::rwx
>> user:root:rwx
>> user:50000:rwx
>> user:50002:rwx
>> user:51151:rwx
>> user:58522:rwx
>> group::---
>> group:50000:rwx
>> group:50002:rwx
>> group:50068:rwx
>> group:58522:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:50000:rwx
>> default:user:50002:rwx
>> default:user:51151:rwx
>> default:user:58522:rwx
>> default:group::---
>> default:group:50000:rwx
>> default:group:50002:rwx
>> default:group:50068:rwx
>> default:group:58522:rwx
>> default:mask::rwx
>> default:other::---
>>
>>
>
> It looks like either /etc/nsswitch.conf or libnss_winbind isn't set up
> correctly, or possibly both.
> You should get names not numbers.
>
This is my nsswitch file:
passwd: files ldap compat winbind
group: files ldap compat winbind
shadow: files ldap compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
When I use wbinfo I see names and groups.
wbinfo -u
XYZ\user1
XYZ\user2
XYZ\user3
XYZ\user4
...
wbinfo -g
XYZ\group1
XYZ\group2
...
>>
>> config samba file share:
>> [global]
>> workgroup = XYZ
>> server string = %h server (Samba)
>> realm = XYZ.LOCAL
>>
>> password server = pdc.xyz.local
>
> I suggest you remove the 'password server' line.
>
OK, I removed it.
>
>> idmap config * : range = 50000-60000
>> idmap config * : backend = tdb
>> idmap config XYZ : range = 50000-60000
>> idmap config XYZ : backend = rid
>
> The ranges shouldn't overlap
>
>>
>> idmap config * : unix_primary_group = yes
>
> I think you can only use the above line with the 'ad' backend.
When I set the backend to 'ad' I can't start winbindd.
Output: "main: FATAL: Invalid idmap backend ad configured as the default
backend!"
>
> Rowland
>
Best regards,
Supporter 3eb
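
A check for the two idmap problems raised in this thread (overlapping ranges, and 'ad' set as the default backend), given as an added example that is not part of the original message or of Samba's own code. The function names are hypothetical and the sample config is constructed from the smb.conf lines quoted above.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines quoted in the thread above.
SAMPLE_SMB_CONF = """\
[global]
    idmap config * : range = 50000-60000
    idmap config * : backend = tdb
    idmap config XYZ : range = 50000-60000
    idmap config XYZ : backend = rid
"""

# Matches "idmap config <DOMAIN> : <option> = <value>"
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<key>[\w ]+?)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        m = IDMAP_LINE.match(line)
        if m:
            domains.setdefault(m["dom"], {})[m["key"].lower()] = m["val"]
    return domains

def check_idmap(text):
    """Return findings: overlapping ranges, and 'ad' as the default backend."""
    domains = parse_idmap(text)
    findings = []
    ranges = {}
    for dom, opts in domains.items():
        if "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-"))
            ranges[dom] = (low, high)
    # Two inclusive ranges overlap when each starts before the other ends.
    for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            findings.append(f"overlap: {a} {ra[0]}-{ra[1]} vs {b} {rb[0]}-{rb[1]}")
    # The thread shows winbindd exiting with FATAL when '*' uses 'ad'.
    if domains.get("*", {}).get("backend", "").lower() == "ad":
        findings.append("default domain '*' uses backend 'ad' (winbindd refuses to start)")
    return findings

if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_SMB_CONF):
        print(finding)
```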