Marco Gaiarin
2018-Sep-04 15:14 UTC
[Samba] Upgraded a member server to 4.8, rfc2307 data?
I'm starting to upgrade my domain members to Debian stretch/samba 4.8, using Louis packages. Domain controllers are still on jessie/samba45.

The upgrade went smoothly, but after the upgrade it seems that the DM was no longer able to retrieve rfc2307 data, e.g.:

root@vdmsv2:~# getent passwd gaio
gaio:*:10000:10513:Marco Gaiarin:/home/LNFFVG/gaio:/bin/false

root@vdmsv2:~# ldbsearch -H ldap://vdcsv1.ad.fvg.lnf.it -P -b DC=ad,DC=fvg,DC=lnf,DC=it "(&(objectClass=user)(sAMAccountName=gaio))" | egrep -i "(unixhome|shell)"
loginShell: /bin/bash
unixHomeDirectory: /home/gaio

smb.conf seems ok to me:

root@vdmsv2:~# samba-tool testparm
Press enter to see a dump of your service definitions

# Global parameters
[global]
        disable spoolss = Yes
        log file = /var/log/samba/log.%m
        log level = 0
        map to guest = Bad User
        max log size = 5000
        netbios aliases = MEDIASV
        panic action = /usr/share/samba/panic-action %d
        printcap name = /dev/null
        realm = AD.FVG.LNF.IT
        security = ADS
        username map = /etc/samba/user.map
        winbind nss info = rfc2307 # Samba 4.5-
        winbind offline logon = Yes
        winbind use default domain = Yes
        workgroup = LNFFVG
        idmap config lnffvg : unix_nss_info = yes # Samba 4.6+
        idmap config lnffvg : range = 10000-49999
        idmap config lnffvg : backend = ad
        idmap config * : range = 5000-9999
        idmap config * : backend = tdb
        include = /etc/samba/smb.conf.%m

[...]

What am I missing?! Thanks.

--
dott. Marco Gaiarin    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it    t +39-0434-842711    f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Marco Gaiarin
2018-Sep-04 15:19 UTC
[Samba] Upgraded a member server to 4.8, rfc2307 data?
> What am I missing?! Thanks.

Ahem, read the logs, luke...

[2018/09/04 16:37:11.137151, 0] ../lib/param/loadparm.c:398(lp_bool)
  lp_bool(yes # Samba 4.6+): value is not boolean!

but now I've discovered that in smb.conf it is forbidden to use comments after a keyword. I'm sure I've been using that for years, but... sorry. ;-)
L.P.H. van Belle
2018-Sep-05 06:35 UTC
[Samba] Upgraded a member server to 4.8, rfc2307 data?
Hai Marco,

The idmap config part. The this for the member.

## map id's outside to domain to tdb files.
idmap config *: backend = tdb
idmap config *: range = 5000-9999

## map ids from the domain and (*) the range may not overlap !
idmap config LNFFVG: backend = ad
idmap config LNFFVG: schema_mode = rfc2307
idmap config LNFFVG: range = 10000-49999
idmap config LNFFVG: unix_nss_info = yes
idmap config LNFFVG: unix_primary_group = yes

And about:

[2018/09/04 16:37:11.137151, 0] ../lib/param/loadparm.c:398(lp_bool)
  lp_bool(yes # Samba 4.6+): value is not boolean!

Put the comment above or below the line and see what happens. It looks like "yes # Samba 4.6+" is seen as the value.

Greetz,

Louis
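The failure discussed above, where a trailing comment ends up inside the parameter value, can be caught before a member server is restarted. The following is an added example, not code from the thread or from Samba: a small linter whose function names, the subset of boolean parameters it knows about, and the sample configuration are all constructed for illustration.

```python
import re

# Values Samba's boolean parser accepts (case-insensitive).
BOOL_VALUES = {"yes", "true", "on", "1", "no", "false", "off", "0"}
# Illustrative subset of boolean parameters, all taken from this thread.
BOOL_PARAMS = {"disable spoolss", "winbind offline logon",
               "winbind use default domain", "unix_nss_info",
               "unix_primary_group"}
TRAILING_COMMENT = re.compile(r"\s[#;]")


def normalize(name):
    """Lower-case and collapse spaces; 'idmap config DOM : opt' becomes 'opt'."""
    name = " ".join(name.lower().split())
    if name.startswith("idmap config") and ":" in name:
        name = name.split(":", 1)[1].strip()
    return name


def lint_smb_conf(text):
    """Return (line_no, kind, parameter, value) for suspicious parameter lines."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Blank lines, whole-line comments and section headers are fine.
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if normalize(name) in BOOL_PARAMS:
            if value.lower() not in BOOL_VALUES:
                findings.append((no, "not-boolean", name, value))
        elif TRAILING_COMMENT.search(value):
            findings.append((no, "inline-comment", name, value))
    return findings


# Constructed sample based on the configuration quoted in the thread.
SAMPLE = """\
[global]
    # a comment on its own line is fine
    winbind nss info = rfc2307 # Samba 4.5-
    winbind use default domain = Yes
    idmap config lnffvg : unix_nss_info = yes # Samba 4.6+
    idmap config lnffvg : range = 10000-49999
"""

if __name__ == "__main__":
    for no, kind, name, value in lint_smb_conf(SAMPLE):
        print(f"line {no}: {kind}: {name} = {value!r}")
```

The "inline-comment" finding is only a hint, since a "#" or ";" can be a legitimate part of some values; line continuations with a trailing backslash are not handled.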
Marco Gaiarin
2018-Sep-05 14:14 UTC
[Samba] Upgraded a member server to 4.8, rfc2307 data?
Hello! L.P.H. van Belle via samba
On that day it was said...

> idmap config LNFFVG: unix_primary_group = yes

It is needed? AFAI've understood it means that users will have UNIX primary group the windows group and not 'domain users', but really I don't need that...
L.P.H. van Belle
2018-Sep-05 14:59 UTC
[Samba] Upgraded a member server to 4.8, rfc2307 data?
Hai Marco,

If you don't need it, then you can remove it. And in addition to Rowland's comment, I'll show how I use it.

In reply to:

> It is needed? AFAI've understood it means that users will have UNIX primary group the windows group
> and not 'domain users', but really I don't need that...

I'll explain how I use it and why, maybe it's usable for you or others.

My windows group "Domain User" always the default for the users, it is the default group for every user, except guests. This is the windows default.

I did assign GID's to:

"domain users"
"domain admins" < most people don't use this or use with care on the linux side.
"domain guest"
"domain computer" < most people don't use this or use with care on the linux side.

And some other groups I need on linux, only the groups I need (on linux) have GID assigned. And yes, I did need all the "domain ...." groups in linux also.. I needed these. That's why domain admins is having a GID.

I do want my windows users to login on linux systems and use "Domain Users" as primary group. I use this to overcome some inherit problems.

Remember this, and this is the most important part imo.

17XX "Creator Owner"
277X "Creator Group"
377X "Creator Owner and Creator Group"

/data root:"Domain Admins" 1755 ( allow everybody in this folder, even guests )
everyone can walk/enter this folder (/data) due to the last 5 in 1775 on linux.

/data/dep1 root:"Dep1" 2770 ( allow users/group rights) and if member of "Dep1" only then you can enter and read/write.
/data/dep2 root:"Dep2" 2770 ( allow users/group rights) and if member of "Dep2" only then you can enter and read/write.

If user1 creates a file in /data/dep1 , it creates it as user1:"Domain User"
If user2 creates a file in /data/dep2 , it creates it as user2:"Domain User"

But User1 is not able to access /data/dep2 due to the group restriction Dep1.
User2 is not able to access /data/dep1 due to the group restriction Dep2.

>> The headache points for people. <<

Now my users switch departments, if wrongly setup, both users and read/write one anothers files. In my case, both users and read/write the created files from one another, no headache ;-)

This is a bit how I setup my rights. ( depending on server and use of the server ). And please note, this is only the LINUX PART of the rights. And best is to keep this as much as possible in line.

I hope this helps a bit for you and others.

Greetz,

Louis