correct is not much different, but you need a "correct" config.

now your config is simply wrong. ( sorry )

This proves it. one question..
idmap config * : backend = rid
idmap config * : range = 100000-999999

can you write your "rid" to the samba AD.. No.
# - must use an read-write-enabled back end, such as tdb.

you need also :
# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

but do remember ...
For every domain, set these parameters individually. The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.

Greetz,

Louis


From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
Sent: Tuesday 27 June 2017 17:07
To: L.P.H. van Belle
Subject: Re: [Samba] ACL SHARE

Hello
Thank you for your attention.
My conf is not much different from the documentation, and what's different "I believe" is not my problem.
As I mentioned the problem only occurs with access via sharing ....
Regards

On 27-06-2017 11:32, L.P.H. van Belle via samba wrote:

Hai Carlos,

I suggest start here :
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File

Which says..
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use an read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999

And you want RID,
https://wiki.samba.org/index.php/Idmap_config_rid

So fix your smb.conf, restart samba.
Run : net cache flush
Test id username
And try again.

Greetz,

Louis


-----Original message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Carlos A. P. Cunha via samba
Sent: Tuesday 27 June 2017 16:26
To: samba at lists.samba.org
Subject: [Samba] ACL SHARE

Hello
I have a Debian 8 with samba (Version 4.2.10-Debian) that serves as Fileserver.

My smb.conf

[global]
    workgroup = XXXXX
    realm = GRUPO.XXXXX.COM.BR
    security = ADS
    idmap config * : backend = rid
    idmap config * : range = 100000-999999
    client schannel = no
    allow trusted domains = yes
    winbind use default domain = yes
    winbind refresh tickets = Yes
    winbind offline logon = no
    winbind cache time = 360
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%U
    map to guest = bad user
    guest account = guest
    guest ok = yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

I have sharing:

[QUALIDADELEITE]
    path = /home/QUALIDADELEITE
    browseable = yes
    writeable = yes
    printable = no
    create mask = 0770
    force directory mode = 0770
    force create mode = 0770
    force group = +qualidadeleite
    valid users = @qualidadeleite

getfacl /home/QUALIDADELEITE
# file: home/QUALIDADELEITE
# owner: root
# group: qualidadeleite
user::rwx
group::rwx
other::---
default:user::rwx
default:group::r-x
default:group:qualidadeleite:rwx
default:mask::rwx
default:other::r-x

My doubts inside have an ok.txt file

getfacl ok.txt
# file: ok.txt
# owner: root
# group: root
user::rwx
group::r-x                      #effective:---
group:qualidadeleite:rwx        #effective:---
mask::---
other::---

The problem in this way a user of the qualidadeleite group can not do anything in the file, even though they have permissions via ACL, this only happens on shares.
Direct on the file System the ACL permission is functional.
Access to this directory occurs both direct (ssh) and via shares.
Do you know what it can be?

Regards

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
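
Added example, not part of the original posts: a small Python check for the two rules quoted in this thread (the default * domain needs a read-write back end such as tdb, and the ID ranges of the configured domains must not overlap). The function names and the READ_ONLY_BACKENDS set are assumptions of this example.

```python
import re
from itertools import combinations

# Backends that cannot store newly allocated mappings. "rid" is the case from
# the thread; listing "ad" as well is an assumption of this example.
READ_ONLY_BACKENDS = {"rid", "ad"}
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

# idmap lines as posted in the thread, as suggested in the replies, and a
# constructed overlapping variant (not from the thread).
POSTED = "idmap config * : backend = rid\nidmap config * : range = 100000-999999\n"
SUGGESTED = ("idmap config * : backend = tdb\nidmap config * : range = 3000-7999\n"
             "idmap config SAMDOM : backend = rid\n"
             "idmap config SAMDOM : range = 10000-999999\n")
OVERLAPPING = SUGGESTED.replace("3000-7999", "3000-19999")

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue  # comments and non-idmap parameters are ignored
        entry = domains.setdefault(m.group(1), {})
        if m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = m.group(3).lower()
    return domains

def check_idmap(conf_text):
    """Return a list of findings; an empty list means the layout passes."""
    domains = parse_idmap(conf_text)
    findings = []
    default = domains.get("*", {})
    if default.get("backend") in READ_ONLY_BACKENDS:
        findings.append("default (*) domain uses read-only backend %r" % default["backend"])
    if not any(name != "*" for name in domains):
        findings.append("no per-domain idmap config besides the default (*) domain")
    ranged = [(d, v["range"]) for d, v in sorted(domains.items()) if "range" in v]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append("ID ranges of %s and %s overlap" % (d1, d2))
    return findings

if __name__ == "__main__":
    for name, conf in [("posted", POSTED), ("suggested", SUGGESTED), ("overlapping", OVERLAPPING)]:
        print(name, check_idmap(conf) or "OK")
```
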

Hello
You're right. Configuration are correct, there is no middle ground :-D
But do I change these settings, I will not have problems with IDS changes, and soon problems with permissions (since I changed ids) of the users?
Or other problems changing it?

Regards

On 27-06-2017 12:23, L.P.H. van Belle via samba wrote:
> correct is not much different, but you need a "correct" config.
>
> now your config is simply wrong. ( sorry )
>
> This proves it. one question..
> idmap config * : backend = rid
> idmap config * : range = 100000-999999
>
> can you write your "rid" to the samba AD.. No.
> # - must use an read-write-enabled back end, such as tdb.
>
> you need also :
> # idmap config for the SAMDOM domain
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-999999
>
> but do remember ...
> For every domain, set these parameters individually. The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.
>
> Greetz,
>
> Louis

On Tue, 27 Jun 2017 13:03:33 -0300
"Carlos A. P. Cunha via samba" <samba at lists.samba.org> wrote:

> Hello
> You're right. Configuration are correct, there is no middle ground :-D
> But do I change these settings, I will not have problems with IDS
> changes, and soon problems with permissions (since I changed ids) of
> the users?
> Or other problems changing it?
>

Well, you are having problems now, but yes, when you set up smb.conf, you will need to fix ownership of any files and dirs.
This should be the only problem you will have (famous last words LOL)

Rowland

But that's easy scriptable. ;-)
I have my scripts always ready for that.

This is why I run samba in AD mode and not RID.
If you compare the AD backend disadvantage

Disadvantages:
  If the Windows Active Directory Users and Computers (ADUC) program is not used, you have to manually track ID values to avoid duplicates.
  The values for the RFC2307 attributes must be set manually.

To RID

Disadvantages:
  >> File ownership of domain users and groups are lost, when the local ID mapping database corrupts. << is oh so nasty.
  All users on the domain member get the same login shell and home directory base path assigned.
  User and group IDs are only the same on other domain members using the rid back end, if the same ID ranges are configured for the domain.
  All accounts and groups are automatically available on the domain member and individual entries cannot be excluded.
  Not recommended for multi-domain environments because objects in different domains having the same relative identifier (RID) get the same ID assigned.

And managing the uid/gids from win7 RSAT tools is fine for me.
But that's my opinion.

RID.. Fine for home or an office server without shares or shared home folders or guest shares.
But your main document server, always for AD for me.

It happened to me once.. 9 years ago. Arg ..
At that point I also didn't have nice scripts.. A night work.. :-/

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Tuesday 27 June 2017 18:21
> To: samba at lists.samba.org
> Subject: Re: [Samba] ACL SHARE
>
> On Tue, 27 Jun 2017 13:03:33 -0300
> "Carlos A. P. Cunha via samba" <samba at lists.samba.org> wrote:
>
> > Hello
> > You're right. Configuration are correct, there is no middle ground :-D
> > But do I change these settings, I will not have problems with IDS
> > changes, and soon problems with permissions (since I changed ids) of
> > the users?
> > Or other problems changing it?
> >
>
> Well, you are having problems now, but yes, when you set up
> smb.conf, you will need to fix ownership of any files and dirs.
> This should be the only problem you will have (famous last words LOL)
>
> Rowland