On Wed, 30 May 2018 15:26:37 +0200 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2018-05-30 at 15:01, Rowland Penny via samba wrote:
>
> > There are three main winbind backends, but only two are really used
> > on Unix domain members, the 'ad' and the 'rid' backends. Which you
> > use is really down to a simple choice: do you want to add posix
> > attrs to AD or not? If you don't want to add anything to AD, then
> > use the 'rid' backend. If you do add the posix attrs to AD, then
> > use the 'ad' backend.
>
> I want to keep things as close as they are with the current
> outdated 3.6.25 setup. This is why the former admin didn't update, I
> guess ;-)
>
> So I think "rid" here. I want a kind of "read only" access to ADS.
>
> > Having decided which backend, you then have to decide on the ranges
> > to use. If you use the 'rid' backend, then good ranges would be
> > 3000-7999 for the '*' domain and
> > 10000-whatever_upper_limit_you_decide for your DOMAIN (there is a
> > slight problem with this on Debian, they thought it was a good idea
> > to use the ID 65534 for nobody/nogroup, but you can work around
> > this). This will lead to user & group IDs starting from '11000'.
> >
> > If you use the 'ad' backend, things are a little different, you
> > probably can use the same '*' range as the 'rid' backend, but the
> > DOMAIN range will depend on the posix attrs in AD, so if the lowest
> > uidNumber or gidNumber in AD is '10000', you could start at '10000'.
> >
> > Things to note:
> > If you place the '*' range below the 'DOMAIN' range, you can easily
> > expand the 'DOMAIN' range by increasing the upper range.
> >
> > A user can have the same ID as a group, they will never be mixed up.
> >
> > A 'rid' user with the ID 11000 is very very unlikely to be the same
> > user as an 'ad' user with the same ID. i.e. If you run the 'ad'
> > backend on one Unix domain member, but the 'rid' backend on
> > another, your users will have different ID numbers.
>
> And you think this is easy? ;-)

Well yes, once you get your head around it ;-)

> testparm shows:
>
> # testparm -sv | grep idmap
>     ldap idmap suffix
>     idmap backend = tdb
>     idmap cache time = 604800
>     idmap negative cache time = 120
>     idmap uid
>     idmap gid
>     idmap config * : range = 10000 - 20000
>     idmap config * : backend = tdb
>
> So I would love to "convert" the existing ranges to new parameters,
> without guessing or trying something.

If the last two lines are actually in your smb.conf on disk and you want
to use the 'rid' backend, then something like this will work:

    idmap config DOMAIN : range =310000-40000
    idmap config DOMAIN : backend = rid

> the two lines
>
> idmap uid
> idmap gid
>
> should be removed, I assume

I would love to see how you remove them ;-)
I would imagine that the smb.conf fragment is from a very long smb.conf.
'testparm -v' means print every line in smb.conf including all the
defaults. Can I suggest you just run 'cat /etc/samba/smb.conf'

Rowland
On 2018-05-30 at 15:56, Rowland Penny via samba wrote:

> If the last two lines are actually in your smb.conf on disk and you
> want to use the 'rid' backend, then something like this will work:
>
>     idmap config DOMAIN : range =310000-40000
>     idmap config DOMAIN : backend = rid
>
> > the two lines
> >
> > idmap uid
> > idmap gid
> >
> > should be removed, I assume
>
> I would love to see how you remove them ;-)
> I would imagine that the smb.conf fragment is from a very long smb.conf.
> 'testparm -v' means print every line in smb.conf including all the
> defaults. Can I suggest you just run 'cat /etc/samba/smb.conf'

sure ;-)

We see that it is old ("SWAT", date) and ugly ...

# cat /etc/samba/smb.conf
# Samba config file created using SWAT
# from UNKNOWN (192.168.100.66)
# Date: 2012/07/23 14:38:02

[global]
    unix charset = iso8859-15
    security = ads
    realm = CUSTOMER.INTRA
    #password server = 192.168.100.32
    workgroup = CUSTOMER
    idmap uid = 10000 - 20000
    idmap gid = 10000 - 20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 10
    winbind use default domain = yes
    template homedir = /mnt/MSA2040/smb/Homes/%D/%U
    template shell = /bin/false
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    restrict anonymous = 2
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    invalid users = root bin daemon adm sync shutdown halt mail news uucp
    obey pam restrictions = yes
    #debug level = 5
    netbios name = U1CUSTOMER
    netbios aliases = samba
    server string = U1CUSTOMER
    interfaces = 192.168.100.4/24
    bind interfaces only = Yes
    map to guest = Bad User
    name resolve order = wins lmhosts hosts bcast
    wins support = Yes
    # idmap config * : range
    # idmap config * : backend = tdb
    force unknown acl user = Yes
    hosts allow = 10.98.1., 10.0.8., 192.168.1., 192.168.90., 192.168.101, \
        192.168.100.5, 192.168.100.11, 192.168.100.13, 192.168.100.30, \
        192.168.100.31, 192.168.100.32, 192.168.100.33, 192.168.100.34, \
        192.168.100.35, 192.168.100.36, 192.168.100.37, 192.168.100.38, \
        192.168.100.39, 192.168.100.50, 192.168.100.51, 192.168.100.52, \
        192.168.100.53, 192.168.100.54, 192.168.100.55, 192.168.100.56, \
        192.168.100.57, 192.168.100.58, 192.168.100.59, 192.168.100.60, \
        192.168.100.61, 192.168.100.62, 192.168.100.63, 192.168.100.64, \
        192.168.100.65, 192.168.100.66, 192.168.100.67, 192.168.100.68, \
        192.168.100.69, 192.168.100.70, 192.168.100.71, 192.168.100.72, \
        192.168.100.73, 192.168.100.74, 192.168.100.75, 192.168.100.76, \
        192.168.100.77, 192.168.100.78, 192.168.100.79, 192.168.100.80, \
        192.168.100.81, 192.168.100.82, 192.168.100.83, 192.168.100.84, \
        192.168.100.85, 192.168.100.86, 192.168.100.87, 192.168.100.88, \
        192.168.100.89, 192.168.100.90, 192.168.100.91, 192.168.100.92, \
        192.168.100.93, 192.168.100.94, 192.168.100.95, 192.168.100.96, \
        192.168.100.97, 192.168.100.98, 192.168.100.99, 192.168.100.100, \
        192.168.100.101, 192.168.100.102, 192.168.100.103, 192.168.100.104, \
        192.168.100.105, 192.168.100.106, 192.168.100.107, 192.168.100.108, \
        192.168.100.109, 192.168.100.110, 192.168.100.111, 192.168.100.112, \
        192.168.100.113, 192.168.100.114, 192.168.100.115, 192.168.100.116, \
        192.168.100.117, 192.168.100.118, 192.168.100.119, 192.168.100.120, \
        192.168.100.121, 192.168.100.122, 192.168.100.123, 192.168.100.124, \
        192.168.100.125, 192.168.100.126, 192.168.100.127, 192.168.100.128, \
        192.168.100.129, 192.168.100.130, 192.168.100.131, 192.168.100.132, \
        192.168.100.133, 192.168.100.134, 192.168.100.135, 192.168.100.136, \
        192.168.100.137, 192.168.100.138, 192.168.100.139, 192.168.100.140, \
        192.168.100.141, 192.168.100.142, 192.168.100.143, 192.168.100.144, \
        192.168.100.145, 192.168.100.146, 192.168.100.147, 192.168.100.148, \
        192.168.100.149, 192.168.100.200, 192.168.100.203, 192.168.100.204
    nt acl support = No
    unix extensions = no
    follow symlinks = yes
    wide links = yes

##########################################
## changes since 2016-02-11 ##############
##########################################

    # log level = 2
    load printers = no
    printcap name = /dev/null

    # Audit settings
    vfs objects = full_audit
    full_audit:prefix = %u|%I|%S
    full_audit:failure = connect
    #full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
    full_audit:success = mkdir rmdir write pwrite rename unlink chmod fchmod chown fchown ftruncate
    full_audit:facility = local5
    full_audit:priority = notice
On Wed, 30 May 2018 16:03:30 +0200 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> We see that it is old ("SWAT", date) and ugly ...
>
> # cat /etc/samba/smb.conf
> # Samba config file created using SWAT
> # from UNKNOWN (192.168.100.66)
> # Date: 2012/07/23 14:38:02

It isn't that old ;-)
You won't be using swat again, it went away, funnily enough, just about
the same time as your old smb.conf was created.

Try this smb.conf:

[global]
    unix charset = iso8859-15
    security = ads
    realm = CUSTOMER.INTRA
    workgroup = CUSTOMER
    netbios aliases = samba
    server string = U1CUSTOMER
    winbind cache time = 10
    winbind use default domain = yes
    template homedir = /mnt/MSA2040/smb/Homes/%D/%U
    restrict anonymous = 2
    domain master = no
    local master = no
    preferred master = no
    invalid users = root bin daemon adm sync shutdown halt mail news \
                    uucp
    obey pam restrictions = yes
    interfaces = 192.168.100.4/24
    bind interfaces only = Yes

    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    idmap config CUSTOMER : range = 10000-20000
    idmap config CUSTOMER : backend = rid

    # For ACL support on domain member
    vfs objects = acl_xattr full_audit
    map acl inherit = Yes
    store dos attributes = Yes

    unix extensions = no
    follow symlinks = yes
    wide links = yes

    load printers = no
    printcap name = /dev/null

    # Audit settings
    full_audit:prefix = %u|%I|%S
    full_audit:failure = connect
    full_audit:success = mkdir rmdir write pwrite rename unlink \
                         chmod fchmod chown fchown ftruncate
    full_audit:facility = local5
    full_audit:priority = notice

Rowland
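The range rules Rowland lays out earlier in the thread (a '*' range for BUILTIN and local SIDs sitting below the DOMAIN range so DOMAIN can grow upwards, no overlaps, Debian's nobody/nogroup ID 65534 kept out of the range, and IDs starting at low range plus RID) and the final smb.conf above, as an added Python example. This is not code from the thread or from Samba; it parses the 'idmap config' lines out of a constructed smb.conf fragment modelled on the config above and applies the documented idmap_rid rule ID = RID + low_range. SAMPLE_SMB_CONF, DOMAIN_SID and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample (not the poster's file): the idmap lines mirror the final
# config proposed in the thread so the checks below run on realistic input.
SAMPLE_SMB_CONF = """
[global]
    workgroup = CUSTOMER
    security = ads
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    idmap config CUSTOMER : range = 10000-20000
    idmap config CUSTOMER : backend = rid
"""

# Assumed domain SID for the worked mapping below; a real domain has its own.
DOMAIN_SID = "S-1-5-21-111-222-333"

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap_config(text):
    """Collect 'idmap config DOM : key = value' lines into {DOM: {key: value}}.

    Ranges become (low, high) int tuples. Commented-out lines ('# idmap ...')
    are skipped because the regex requires the line to start with 'idmap'.
    """
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in re.split(r"\s*-\s*", val, maxsplit=1))
            entry["range"] = (low, high)
        else:
            entry[key] = val.lower()
    return domains


def check_idmap_config(domains, reserved_ids=(65534,)):
    """Return a list of problems; an empty list means the ranges look sane.

    Rules, all from the thread: a '*' range must exist for BUILTIN/local SIDs,
    every range needs low < high, ranges must not overlap, the '*' range should
    sit below every DOMAIN range so DOMAIN can be extended upwards, and no
    range should swallow an ID the OS already uses (Debian nobody/nogroup).
    """
    problems = []
    if "*" not in domains:
        problems.append("no 'idmap config * : range' for BUILTIN/local SIDs")
    for dom, cfg in domains.items():
        if "range" not in cfg:
            problems.append(f"{dom}: backend set but no range")
            continue
        low, high = cfg["range"]
        if low >= high:
            problems.append(f"{dom}: range {low}-{high} has low >= high (typo?)")
        for rid in reserved_ids:
            if low <= rid <= high:
                problems.append(f"{dom}: range {low}-{high} contains reserved ID {rid}")
    ranges = [(d, c["range"]) for d, c in domains.items() if "range" in c]
    for i, (d1, (l1, h1)) in enumerate(ranges):
        for d2, (l2, h2) in ranges[i + 1:]:
            if l1 <= h2 and l2 <= h1:
                problems.append(f"ranges of {d1} and {d2} overlap")
    star = domains.get("*", {}).get("range")
    if star:
        for dom, (low, _high) in ranges:
            if dom != "*" and low <= star[1]:
                problems.append(f"'*' range does not sit below the {dom} range")
    return problems


def rid_to_unix_id(sid, domain_sid, low, high):
    """Apply the idmap_rid rule ID = RID + low for one SID.

    Returns None for SIDs outside the configured domain (BUILTIN and local
    SIDs go to the '*' backend instead) or when the result leaves low..high.
    """
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid or not rid.isdigit():
        return None
    unix_id = low + int(rid)
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    print("problems:", check_idmap_config(cfg) or "none")
    low, high = cfg["CUSTOMER"]["range"]
    # RID 513 is the well-known Domain Users group; ordinary accounts get RIDs
    # from 1000 upwards, which is why Rowland expects IDs to start at 11000.
    for rid in (513, 1000, 1001):
        print(f"RID {rid} -> {rid_to_unix_id(f'{DOMAIN_SID}-{rid}', DOMAIN_SID, low, high)}")
```

Run it against the output of `testparm -s` rather than the raw file if the smb.conf is as long as the one in this thread: testparm folds the old 'idmap uid/gid' syntax into 'idmap config * : range', which is exactly what the checker looks for. Note that a range with low > high, such as the "310000-40000" fragment quoted above, is reported as a typo rather than silently accepted.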