But that's easily scriptable. ;-)
I have my scripts always ready for that.
This is why I run samba in AD mode and not RID.

If you compare the AD backend disadvantage
Disadvantages:
If the Windows Active Directory Users and Computers (ADUC) program is not used, you have to manually track ID values to avoid duplicates. The values for the RFC2307 attributes must be set manually.

To RID
Disadvantages:
>> File ownership of domain users and groups are lost, when the local ID mapping database corrupts. << is oh so nasty.
All users on the domain member get the same login shell and home directory base path assigned. User and group IDs are only the same on other domain members using the rid back end, if the same ID ranges are configured for the domain. All accounts and groups are automatically available on the domain member and individual entries cannot be excluded. Not recommended for multi-domain environments because objects in different domains having the same relative identifier (RID) get the same ID assigned.

And managing the uid/gids from win7 RSAT tools is fine for me.

But that's my opinion.

RID.. Fine for home or an office server without shares or shared home folders or guest shares. But your main document server, always for AD for me. It happened to me once.. 9 years ago. Arg .. At that point I also didn't have nice scripts.. A night work.. :-/

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 27 June 2017 18:21
> To: samba at lists.samba.org
> Subject: Re: [Samba] ACL SHARE
>
> On Tue, 27 Jun 2017 13:03:33 -0300
> "Carlos A. P. Cunha via samba" <samba at lists.samba.org> wrote:
>
> > Hello
> > You're right. Configuration are correct, there is no middle ground :-D
> > But do I change these settings, I will not have problems with IDS
> > changes, and soon problems with permissions (since I changed ids) of
> > the users?
> > Or other problems changing it?
> >
>
> Well, you are having problems now, but yes, when you set up
> smb.conf, you will need to fix ownership of any files and dirs.
> This should be the only problem you will have (famous last words LOL)
>
> Rowland
>
On Tue, 27 Jun 2017 21:55:15 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> But that's easily scriptable. ;-)
> I have my scripts always ready for that.
> This is why I run samba in AD mode and not RID.
>
> If you compare the AD backend disadvantage
> Disadvantages:
> If the Windows Active Directory Users and Computers (ADUC) program is
> not used, you have to manually track ID values to avoid duplicates. The
> values for the RFC2307 attributes must be set manually.

You don't have to manually track the IDs, if you are using your own scripts, you can script around this by adding the two missing attributes and then updating these after adding a new user or group

>
> To RID
> Disadvantages:
> >> File ownership of domain users and groups are lost, when the local
> >> ID mapping database corrupts. << is oh so nasty.

Corrupt databases are possible whatever you use, but when you get one, yes it is nasty.

> All users on the domain member get the same login shell and home
> directory base path assigned. User and group IDs are only the same on
> other domain members using the rid back end, if the same ID ranges
> are configured for the domain. All accounts and groups are
> automatically available on the domain member and individual entries
> cannot be excluded. Not recommended for multi-domain environments
> because objects in different domains having the same relative
> identifier (RID) get the same ID assigned.

Agree with all those points, though I should comment on the last one. Work has been made to make it so that the DOMAIN ranges can overlap, though this will mean that you will probably not be able to use 'winbind use default domain = yes', not sure if this will make 4.7

>
> And managing the uid/gids from win7 RSAT tools is fine for me.
>
> But that's my opinion.
>
> RID.. Fine for home or an office server without shares or shared home
> folders or guest shares. But your main document server, always for AD
> for me. It happened to me once.. 9 years ago. Arg .. At that point I
> also didn't have nice scripts.. A night work.. :-/
>
>

I would tend to agree, if you only have one or two fileservers, you can use the 'rid' backend, any more than that, use the 'ad' backend. If you use a DC as a fileserver (not really recommended, but sometimes you have to) use the 'ad' backend.

Rowland
Hello!
From what I realized the problem is not in Samba, but in the way that ACLs work, with the mask question.
I did several tests:

touch bla
chmod 700
ls -l bla
-rwx------ 1 USERX domain users 0 Jun 29 09:53 bla
cp bla /home/QUALIDADELEIT
getfacl /home/QUALIDADELEIT

getfacl /home/QUALIDADELEITE/
getfacl: Removing leading '/' from absolute path names
# file: home/QUALIDADELEITE/
# owner: administrator
# group: qualidadeleite
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:qualidadeleite:rwx
default:mask::rwx
default:other::---

getfacl bla
# file: bla
# owner: root
# group: root
user::rw-
group::rwx *#effective:r--*
group:qualidadeleite:rwx *#effective:r--*
mask::r--
other::---

Even configuring the mask, the "effective" permission is recalculated since my file is 700 ...

Any ideas on that?

Regards

On 27-06-2017 17:29, Rowland Penny via samba wrote:
> On Tue, 27 Jun 2017 21:55:15 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
>> But that's easily scriptable. ;-)
>> I have my scripts always ready for that.
>> This is why I run samba in AD mode and not RID.
>>
>> If you compare the AD backend disadvantage
>> Disadvantages:
>> If the Windows Active Directory Users and Computers (ADUC) program is
>> not used, you have to manually track ID values to avoid duplicates. The
>> values for the RFC2307 attributes must be set manually.
> You don't have to manually track the IDs, if you are using your own
> scripts, you can script around this by adding the two missing
> attributes and then updating these after adding a new user or group
>
>> To RID
>> Disadvantages:
>> >> File ownership of domain users and groups are lost, when the local
>> >> ID mapping database corrupts. << is oh so nasty.
> Corrupt databases are possible whatever you use, but when you get one,
> yes it is nasty.
>
>> All users on the domain member get the same login shell and home
>> directory base path assigned. User and group IDs are only the same on
>> other domain members using the rid back end, if the same ID ranges
>> are configured for the domain. All accounts and groups are
>> automatically available on the domain member and individual entries
>> cannot be excluded. Not recommended for multi-domain environments
>> because objects in different domains having the same relative
>> identifier (RID) get the same ID assigned.
> Agree with all those points, though I should comment on the last one.
> Work has been made to make it so that the DOMAIN ranges can overlap,
> though this will mean that you will probably not be able to use
> 'winbind use default domain = yes', not sure if this will make 4.7
>
>> And managing the uid/gids from win7 RSAT tools is fine for me.
>>
>> But that's my opinion.
>>
>> RID.. Fine for home or an office server without shares or shared home
>> folders or guest shares. But your main document server, always for AD
>> for me. It happened to me once.. 9 years ago. Arg .. At that point I
>> also didn't have nice scripts.. A night work.. :-/
>>
>>
> I would tend to agree, if you only have one or two fileservers, you
> can use the 'rid' backend, any more than that, use the 'ad' backend. If
> you use a DC as a fileserver (not really recommended, but sometimes you
> have to) use the 'ad' backend.
>
> Rowland
>
>
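
Added example, not part of the original thread: a Python sketch that recomputes the "#effective" annotations of getfacl output by applying the mask entry to the owning-group and named entries, which is how POSIX ACLs limit those rights. The sample input is the listing for "bla" retyped from the message above; the function names are hypothetical.

```python
# getfacl output for the copied file, retyped from the message above
# (the "#effective" annotations are left out so the code derives them).
SAMPLE_GETFACL = """\
# file: bla
# owner: root
# group: root
user::rw-
group::rwx
group:qualidadeleite:rwx
mask::r--
other::---
"""


def parse_acl(text):
    """Return (entries, mask); entries is a list of (tag, qualifier, perms)."""
    entries, mask = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and annotations
        if not line or line.startswith("default:"):
            continue                           # default entries only seed new children
        tag, qualifier, perms = line.split(":", 2)
        perms = perms[:3]
        if tag == "mask":
            mask = perms
        else:
            entries.append((tag, qualifier, perms))
    return entries, mask


def effective(entries, mask):
    """Apply the mask to named users, named groups and the owning group."""
    result = {}
    for tag, qualifier, perms in entries:
        masked = tag == "group" or (tag == "user" and qualifier)
        if masked and mask is not None:
            perms = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
        result[f"{tag}:{qualifier}"] = perms   # owner and other are never masked
    return result


def limited_by_mask(text):
    """Return the entries whose granted rights are cut down by the mask."""
    entries, mask = parse_acl(text)
    eff = effective(entries, mask)
    return {f"{t}:{q}": eff[f"{t}:{q}"] for t, q, p in entries if eff[f"{t}:{q}"] != p}


print(limited_by_mask(SAMPLE_GETFACL))
```

Run against a share's files, this lists every group or named-user entry that grants more than the mask lets through, which is the mismatch the getfacl annotations point at.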
On Tue, Jun 27, 2017 at 3:29 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

>
> I would tend to agree, if you only have one or two fileservers, you
> can use the 'rid' backend, any more than that, use the 'ad' backend. If
> you use a DC as a fileserver (not really recommended, but sometimes you
> have to) use the 'ad' backend.
>
> Rowland
>

A bit off topic, but I'm curious about why you advise not using the idmap_rid backend if you have more than one or two servers. Is this for simplicity in administration (i.e. not having to configure idmap ranges) or is there something about idmap_rid that makes it somewhat undesirable in such scenarios?

Andrew