On 13.01.2019 at 20:41, Rowland Penny via samba wrote:
> On Sun, 13 Jan 2019 20:22:22 +0100
> Anton Blau via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I try to migrate my old SAMBA installation to a new installation.
>> SAMBA is running. But my Windows users can see the shares but cannot
>> open files.
>>
>> My old installation /etc/samba/smb.conf
>>
>> ...
>>
>> workgroup = DUCK
>> server string = %h server (Samba, Ubuntu)
>> interfaces = eth0 192.168.1.200/255.255.255.0 localhost
>> bind interfaces only = Yes
>> security = USER
>> map to guest = Bad User
>> obey pam restrictions = Yes
>> pam password change = Yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>> unix password sync = Yes
>> log file = /var/log/samba/log.%M
>> max log size = 1000
>> time server = Yes
>> unix extensions = No
>> printcap name = cups
>> logon script = %U\logon.bat
>> logon path = \\gustav\profiles\%U\winxpprofile
>> logon drive = z:
>> logon home = \\gustav\profiles\%U\w9xprofile
>> domain logons = Yes
>> os level = 255
>> preferred master = Yes
>> domain master = Yes
>> wins proxy = Yes
>> wins support = Yes
>> usershare allow guests = Yes
>>
>> New (Proxmox LXC) with: /etc/samba/smb.conf
>>
>> -- snip because false file
>>
>> I think the problem is the mapping to the uid/gid of the new samba.
>>
>> The user "testuser" on the old system has uid 500 and gid 100. I
>> created my testuser - who can access on the old installation - on the
>> new installation:
>>
>> samba-tool user create testuser --unix-home=/home/gerhard
>> --uid-number=501 --login-shell=/bin/bash --gid-number=100
>>
>> What do I have to do to get full access?
>>
> Well, as you are using samba-tool to create users and your last post
> was about setting up an AD DC, you could try setting up your Unix
> domain member correctly and when you do, do not use such low ID numbers.
> I suggest you read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Your smb.conf above is for an NT4-style PDC.
>
> Rowland
>

Sorry, I posted the wrong text. This is the /etc/samba/smb.conf (testparm)
of the new LXC SAMBA server:

realm = SMBDOMAIN.DUCK
workgroup = SMBDOMAIN
dns forwarder = 192.168.1.254
disable spoolss = Yes
load printers = No
printcap name = /dev/null
passdb backend = samba_dsdb
server role = active directory domain controller
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
printing = bsd
vfs objects = dfs_samba4 acl_xattr

In future only the new Samba should run. So Samba is not a Domain
Member. I hope I understand you correctly.

NT4-style PDC should be migrated to AD DC.

Tony
On 13.01.2019 at 21:41, Anton Blau via samba wrote:
> On 13.01.2019 at 20:41, Rowland Penny via samba wrote:
>> On Sun, 13 Jan 2019 20:22:22 +0100
>> Anton Blau via samba <samba at lists.samba.org> wrote:
>
> NT4-style PDC should be migrated to AD DC.
>
> Tony
>

I found
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
but I have only 7 users to migrate.

So I am looking for a way to create them in the new Samba server with
the UID/GID rights to access the data.

Thank you!
Tony
On Sun, 13 Jan 2019 21:41:39 +0100
Anton Blau via samba <samba at lists.samba.org> wrote:

> On 13.01.2019 at 20:41, Rowland Penny via samba wrote:
> > On Sun, 13 Jan 2019 20:22:22 +0100
> > Anton Blau via samba <samba at lists.samba.org> wrote:
> >
> >> Hello,
> >>
> >> I try to migrate my old SAMBA installation to a new installation.
> >> SAMBA is running. But my Windows users can see the shares but
> >> cannot open files.
> >>
> >> My old installation /etc/samba/smb.conf
> >>
> >> ...
> >>
> >> workgroup = DUCK
> >> server string = %h server (Samba, Ubuntu)
> >> interfaces = eth0 192.168.1.200/255.255.255.0 localhost
> >> bind interfaces only = Yes
> >> security = USER
> >> map to guest = Bad User
> >> obey pam restrictions = Yes
> >> pam password change = Yes
> >> passwd program = /usr/bin/passwd %u
> >> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >> unix password sync = Yes
> >> log file = /var/log/samba/log.%M
> >> max log size = 1000
> >> time server = Yes
> >> unix extensions = No
> >> printcap name = cups
> >> logon script = %U\logon.bat
> >> logon path = \\gustav\profiles\%U\winxpprofile
> >> logon drive = z:
> >> logon home = \\gustav\profiles\%U\w9xprofile
> >> domain logons = Yes
> >> os level = 255
> >> preferred master = Yes
> >> domain master = Yes
> >> wins proxy = Yes
> >> wins support = Yes
> >> usershare allow guests = Yes
> >>
> >> New (Proxmox LXC) with: /etc/samba/smb.conf
> >>
> >> -- snip because false file
> >>
> >> I think the problem is the mapping to the uid/gid of the new samba.
> >>
> >> The user "testuser" on the old system has uid 500 and gid 100. I
> >> created my testuser - who can access on the old installation - on the
> >> new installation:
> >>
> >> samba-tool user create testuser --unix-home=/home/gerhard
> >> --uid-number=501 --login-shell=/bin/bash --gid-number=100
> >>
> >> What do I have to do to get full access?
> >>
> > Well, as you are using samba-tool to create users and your last post
> > was about setting up an AD DC, you could try setting up your Unix
> > domain member correctly and when you do, do not use such low ID
> > numbers. I suggest you read this:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > Your smb.conf above is for an NT4-style PDC.
> >
> > Rowland
> >
>
> Sorry,
>
> I posted the wrong text. This is the /etc/samba/smb.conf (testparm)
> of the new LXC SAMBA server:
>
> realm = SMBDOMAIN.DUCK
> workgroup = SMBDOMAIN
> dns forwarder = 192.168.1.254
> disable spoolss = Yes
> load printers = No
> printcap name = /dev/null
> passdb backend = samba_dsdb
> server role = active directory domain controller
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map archive = No
> map readonly = no
> store dos attributes = Yes
> printing = bsd
> vfs objects = dfs_samba4 acl_xattr
>
> In future only the new Samba should run. So Samba is not a Domain
> Member. I hope I understand you correctly.
>
> NT4-style PDC should be migrated to AD DC.
>

So, you only have the DC running in a container but you do not want to run
another container with a Unix domain member in it. This does not make
sense, why not just run the DC on the computer without all the bother
of the container ?

Where did all those lines in your smb.conf come from ?

It really should only be:

netbios name = SHORTHOSTNAME_IN_UPPERCASE
realm = SMBDOMAIN.DUCK
server role = active directory domain controller
dns forwarder = 192.168.1.254
workgroup = SMBDOMAIN
idmap_ldb:use rfc2307 = yes
load printers = No
printing = bsd
printcap name = /dev/null
disable spoolss = Yes

None of the other lines are needed.

By default, a Samba AD DC is only used for authentication and it isn't
set up to allow users to login or connect. To allow this on a Debian
computer, you need to install the libpam-winbind, libnss-winbind and
libpam-krb5 packages, you will also have to change /etc/nsswitch, so
that the passwd and group lines look like this:

passwd: compat winbind
group: compat winbind

You should then be able to run 'getent passwd AN_AD_USER' and get
something like this:

root at dc4:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

The problem is, by default, you are more likely to see numbers in the
'3000000' range. To use any other numbers, you will have to add
uidNumber attributes to your users and gidNumber attributes to your
groups. All users will have Domain Users as their primary group (ID 100).

Do not use Unix IDs in the 500 range, these are just too much like the
RIDs Windows uses e.g. Administrator has the RID '500' which on a DC is
mapped to the Unix ID '0'.

Rowland
On Sun, 13 Jan 2019 21:50:58 +0100
Anton Blau via samba <samba at lists.samba.org> wrote:

> On 13.01.2019 at 21:41, Anton Blau via samba wrote:
> > On 13.01.2019 at 20:41, Rowland Penny via samba wrote:
> >> On Sun, 13 Jan 2019 20:22:22 +0100
> >> Anton Blau via samba <samba at lists.samba.org> wrote:
> >
> > NT4-style PDC should be migrated to AD DC.
> >
> > Tony
> >
>
> I found
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
> but I have only 7 users to migrate.
>
> So I am looking for a way to create them in the new Samba server with
> the UID/GID rights to access the data.
>

Seven users, I do hope you are planning to add more users, or you are
going way over the top here. If you do have only 7 users, then you
really only need a standalone server.

Rowland
On 13.01.2019 at 22:40, Rowland Penny via samba wrote:
> On Sun, 13 Jan 2019 21:41:39 +0100
> Anton Blau via samba <samba at lists.samba.org> wrote:
>
>> On 13.01.2019 at 20:41, Rowland Penny via samba wrote:
>>> On Sun, 13 Jan 2019 20:22:22 +0100
>>> Anton Blau via samba <samba at lists.samba.org> wrote:
>>>

Rowland - thank you for your super help.

> So, you only have the DC running in container but you do not want to run
> another container with a Unix domain member in it. This does not make
> sense, why not just run the DC on the computer without all the bother
> of the container ?

The server is a Proxmox/KVM system. I thought that it is a good idea to put
the fileserver - like all the other server daemons (Mail, ...) - in an LXC.

> Where did all those lines in your smb.conf come from ?

I posted the output of "testparm". This is the /etc/samba/smb.conf

[global]
netbios name = FILESERVER
realm = SMBDOMAIN.DUCK
workgroup = SMBDOMAIN
dns forwarder = 192.168.1.254
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
printing = bsd
load printers = no
printcap name = /dev/null
disable spoolss = yes

[Allgemein]
comment = Fuer jeden User zugreifbares Verzeichnis
path = /srv/user
public = yes
browseable = yes
writeable = yes
read only = no
create mode = 0777
create mask = 0777
directory mask = 0777

#[home]
# comment = Home Directories
# path = /home/%D/%U
# read only = no

[Daten]
comment = Daten
path = /srv
read only = no

[netlogon]
path = /var/lib/samba/sysvol/smbdomain.duck/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

> By default, a Samba AD DC is only used for authentication and it isn't
> set up to allow users to login or connect. To allow this on a Debian
> computer, you need to install the libpam-winbind, libnss-winbind and
> libpam-krb5 packages, you will also have to change /etc/nsswitch, so
> that the passwd and group lines look like this:
>
> passwd: compat winbind
> group: compat winbind
>

I added this:

/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

(other lines unchanged).

> You should then be able to run 'getent passwd AN_AD_USER' and get
> something like this:
>
> root at dc4:~# getent passwd rowland
> SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

I get

root at fileserver:~# getent passwd testuser
SMBDOMAIN\testuser:*:501:100::/home/SMBDOMAIN/testuser:/bin/false

root at fileserver:~# ls /srv/user -la
total 2259116
drwxrwxrwx  6 SMBDOMAIN\testuser users      24 Jan 13 13:26 .
drwxr-xr-x 11 root               root       11 Jan 13 14:40 ..
drwx------  2 SMBDOMAIN\testuser users       7 Jan 13 13:26 .Papierkorb
-rw-r--r--  1 1000               1002  1327771 Nov 11 15:14 test.pdf
drwxr-xr-x  2 SMBDOMAIN\testuser users      18 Nov  4 15:44 Englisch Passiv ??bungen
-rwxrwxr--  1 1012               1012    15593 Aug 12  2017 Checkliste.dotx

But if I try to connect from Win 10 I get the error message:

Auf \\fileserver.duck\Allgemein kann nicht zugegriffen werden ...
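A small diagnostic added here as an example (not from the thread and not part of Samba) for the situation in the listing above, where test.pdf and Checkliste.dotx are owned by numeric IDs that no AD user carries as uidNumber: it cross-checks the owners in an `ls -ln` listing against the passwd table that winbind serves through NSS, and separately lists the accounts sitting in the 500-999 range that the reply above advises against. The passwd lines and the listing are constructed samples built from the values quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check numeric file owners
# against the passwd table winbind serves via NSS. The sample data is
# constructed from the values quoted in the thread.

# What "getent passwd" returns on the DC (constructed sample).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
SMBDOMAIN\testuser:*:501:100::/home/SMBDOMAIN/testuser:/bin/false'

# What "ls -ln /srv/user" returns (constructed sample, numeric owners).
LS_SAMPLE='total 2259116
drwxrwxrwx 6 501 100 24 Jan 13 13:26 .
-rw-r--r-- 1 1000 1002 1327771 Nov 11 15:14 test.pdf
-rwxrwxr-- 1 1012 1012 15593 Aug 12 2017 Checkliste.dotx'

# unmapped_files PASSWD_TEXT LS_TEXT
# Prints "uid:gid name" for every file whose owning uid has no passwd
# entry, i.e. no AD user carries that uidNumber, so nobody connecting
# through the share is ever that owner. "." and ".." are skipped.
unmapped_files() {
    known_uids=$(printf '%s\n' "$1" | cut -d: -f3)
    printf '%s\n' "$2" | awk -v uids="$known_uids" '
        BEGIN {
            n = split(uids, a, "\n")
            for (i = 1; i <= n; i++) known[a[i]] = 1
        }
        NF >= 9 && $9 != "." && $9 != ".." && !($3 in known) {
            print $3 ":" $4 " " $9
        }'
}

# low_range_users PASSWD_TEXT
# Prints passwd entries whose uid lies in 500-999, the range the reply
# above advises against because it looks like well-known Windows RIDs.
low_range_users() {
    printf '%s\n' "$1" | awk -F: '$3 >= 500 && $3 <= 999 { print $1 " uid=" $3 }'
}

unmapped_files "$PASSWD_SAMPLE" "$LS_SAMPLE"
low_range_users "$PASSWD_SAMPLE"
```

On a real DC the two inputs would come from `getent passwd` and `ls -ln <share path>`; any file the first function prints must be re-owned (chown) to an account that has a uidNumber before Windows users can open it.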