Am 2018-07-26 um 18:14 schrieb Rowland Penny via samba:> On Thu, 26 Jul 2018 17:46:26 +0200 > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote: >> I also don't know how to use that group "domänen-benutzer" in "valid >> users" or "read list" ...> Stefan, you know all that knowledge you learnt about NT4-style domains, > well, forget most of it ;-) > > You will better setting the permissions from Windows, see here: > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLsSo you suggest getting rid of the parameters in the share-definition and only doing it via Windows ACLs?> However, are you sure it is 'domanen-benutzer' ? > As far as I know 'benutzer' is German for 'users' and 'domanen' is > 'domain'. > > If I run: getent group Domain\ Users > I get back: domain users:x:10000:(list of users) > > So, should 'domanen-benutzer' be 'domanen benutzer'"getent group" doesn't even return the domain groups here ... oh my # wbinfo -g dom�nencomputer dom�nencontroller dom�nen-admins dom�nen-benutzer dom�nen-g�ste [..etc]
On Thu, 26 Jul 2018 18:31:48 +0200 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:> Am 2018-07-26 um 18:14 schrieb Rowland Penny via samba: > > On Thu, 26 Jul 2018 17:46:26 +0200 > > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote: > >> I also don't know how to use that group "domänen-benutzer" in > >> "valid users" or "read list" ... > > > > Stefan, you know all that knowledge you learnt about NT4-style > > domains, well, forget most of it ;-) > > > > You will better setting the permissions from Windows, see here: > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > > So you suggest getting rid of the parameters in the share-definition > and only doing it via Windows ACLs?Yes.> > > However, are you sure it is 'domanen-benutzer' ? > > As far as I know 'benutzer' is German for 'users' and 'domanen' is > > 'domain'. > > > > If I run: getent group Domain\ Users > > I get back: domain users:x:10000:(list of users) > > > > So, should 'domanen-benutzer' be 'domanen benutzer' > > "getent group" doesn't even return the domain groups here ... oh myIf 'getent group Domain\ Users' (or what ever your German windows calls the group) doesn't return output, then you have problems. If you are just running 'getent group' then this will not work without the 'winbind enum' lines in smb.conf i.e. winbind enum users = yes winbind enum groups = yes But only add these for testing.> > > # wbinfo -g > dom�nencomputer > dom�nencontroller > dom�nen-admins > dom�nen-benutzer > dom�nen-g�ste > [..etc] > >The problem here is, when I run that command on a Unix domain member, I get all the domain groups, but the '-' is a space: wbinfo -g domain admins unixgroup enterprise read-only domain controllers wingroup domain users unix admins denied rodc password replication group domain guests ...... Rowland
Am 2018-07-26 um 18:44 schrieb Rowland Penny via samba:>> "getent group" doesn't even return the domain groups here ... oh my > > If 'getent group Domain\ Users' (or what ever your German windows calls > the group) doesn't return output, then you have problems. If you are > just running 'getent group' then this will not work without the 'winbind > enum' lines in smb.conf > i.e. > winbind enum users = yes > winbind enum groups = yes > > But only add these for testing.I just compared nsswitch.conf with another DM server (at another customer), looks OK to me. passwd: compat winbind files group: compat winbind files shadow: compat files (the files is there because gentoo-glibc needs it, I referred to that some months ago) Share access for the users works, and I even managed to set up that new share with the required permissions ... so I hesitate to fiddle with the current config.> The problem here is, when I run that command on a Unix domain member, I > get all the domain groups, but the '-' is a space: > > wbinfo -g > domain admins > unixgroup > enterprise read-only domain controllers > wingroup > domain users > unix admins > denied rodc password replication group > domain guests > ......I will leave it for now as I am not 100% fit in these days. thanks for now, Stefan