samba - Apr 2019 - Fwd: Re: Ressources needed (cpus, ram, etc.) for a Samba server

Log level to 10 was for debug reasons, I can now surely set to 1 now.
Concerning idmap config IPGAD, I don't see why is the reason to start at
1...
I will set to 10000 as according to the documentation, thank you.

What do you mean by "
You are also using the winbind 'ad' backend, so have you added
anything to AD ?
" ?


Le 10/04/2019 à 12:38, Rowland Penny via samba a écrit :
> On Wed, 10 Apr 2019 12:08:55 -0300
> Edouard Guigné via samba <samba at lists.samba.org> wrote:
>
>> Hello Rowland,
>>
>> Yes, this is an Unix Domain member.
>>
>> Below, my smb.conf :
>>
>> [global]
>>       security = ads
>>       realm = IPGAD.MYDOMAIN.FR
>>       workgroup = IPGAD
>>       kerberos method = secrets and keytab
>>       server signing = mandatory
>>       client signing = mandatory
>>       hosts allow = 127. 10.9.X. 10.9.X. 10.9.X. 10.9.4. 10.9.X.
>>       hosts deny = 10.9.X. 10.9.X.
>>
>>       log file = /var/log/samba/%m.log
>>       max log size = 5000
>>
>>       log level = 10
>>       local master = no
>>       domain master = no
>>       preferred master = no
>>       use sendfile = true
>>       load printers = no
>>       cups options = raw
>>       printcap name = /dev/null
>>
>>      disable spoolss = yes
>>
>>       vfs objects = acl_xattr
>>       map acl inherit = yes
>>       store dos attributes = yes
>>
>>      idmap config * : backend = tdb
>>      idmap config * : range = 15000-99999
>>
>>       winbind nss info = rfc2307
>>       idmap config IPGAD : backend = ad
>>       idmap config IPGAD : schema_mode = rfc2307
>>       idmap config IPGAD : range = 1-14999
>>       idmap config IPGAD : unix_nss_info = yes
>>       idmap config IPGAD : unix_primary_group = yes
>>
>>       client min protocol = SMB2
> I have removed all the default lines, but just a couple of questions
> about [global]:
>
> Why have you set the log level to 10 ? this will swamp your logfile.
> Is there some reason why you have started the 'IPGAD' range at
'1' ?
> The normal practise is at '10000', also using '1' means
that you
> should move everything from /etc/passwd and /etc/group into AD, or to
> put it another way, this is a stupid range.
> You are also using the winbind 'ad' backend, so have you added
> anything to AD ?
> Have you read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> and this:
>
> https://wiki.samba.org/index.php/Idmap_config_ad
>
>> #[myshare]
>> [groups]
>>     comment = jaguar2
>>     path = /var/datashared
>>     public = no
>>     writable = yes
>>     guest ok = no
> Interesting fact: 'public' is a synonym for 'guest ok', so
you don't
> need both and the default for 'guest ok' is 'no', so you
don't really
> need either.
>
> Rowland
>
>

On Wed, 10 Apr 2019 13:14:35 -0300
Edouard Guigné via samba <samba at lists.samba.org> wrote:
> Log level to 10 was for debug reasons, I can now surely set to 1 now.
> Concerning idmap config IPGAD, I don't see why is the reason to start
> at 1... I will set to 10000 as according to the documentation, thank
> you.
> 
> What do you mean by "
> You are also using the winbind 'ad' backend, so have you added
> anything to AD ?
> " ?
Just what it says. I don't remember if you said what the AD DC is, but
it doesn't really matter, if you create a user using ADUC or
samba-tool, the user will just be a Windows user. That is unless you
also use the UNIX Attributes tab on ADUC or specify the RFC2307
attributes with 'samba-tool user add'.
The minimum requirement for a Unix AD user is that they must have a
uidNumber attribute containing a unique number inside the range you
set in smb.conf (now do you see why I asked about the range starting
at '1' ?) AND 'Domain Users'(the default user primary group)
must have
a gidNumber attribute inside the same range. You are also using
'unix_primary_group = yes', so your users should also have gidNumber
attribute containing the gidNumber of a group.

It take it you haven't done any of the above, so you may want to
consider using the 'rid' backend instead. I would suggest you read
the wiki pages I pointed you to earlier.

Rowland

I see, yes the unix attributes are set on the AD DC (RFC2307) for each 
users and each groups.

And that's a question, because I am using a Windows Server 2012 R2 as AD DC.
Does the unix attibutes will be still available in the Windows Server 
2019 version ?
I don't talk about the ADUC and how to set unix attributes tab, I ask 
about the attributes on the AD schema
because I know that NIS and unix attributes tab  in ADUC is deprecated 
in Windows server 2016, but it can still be set via a powershell script.

EdG

Le 10/04/2019 à 13:41, Rowland Penny via samba a écrit :
> On Wed, 10 Apr 2019 13:14:35 -0300
> Edouard Guigné via samba <samba at lists.samba.org> wrote:
>
>> Log level to 10 was for debug reasons, I can now surely set to 1 now.
>> Concerning idmap config IPGAD, I don't see why is the reason to
start
>> at 1... I will set to 10000 as according to the documentation, thank
>> you.
>>
>> What do you mean by "
>> You are also using the winbind 'ad' backend, so have you added
>> anything to AD ?
>> " ?
> Just what it says. I don't remember if you said what the AD DC is, but
> it doesn't really matter, if you create a user using ADUC or
> samba-tool, the user will just be a Windows user. That is unless you
> also use the UNIX Attributes tab on ADUC or specify the RFC2307
> attributes with 'samba-tool user add'.
> The minimum requirement for a Unix AD user is that they must have a
> uidNumber attribute containing a unique number inside the range you
> set in smb.conf (now do you see why I asked about the range starting
> at '1' ?) AND 'Domain Users'(the default user primary
group) must have
> a gidNumber attribute inside the same range. You are also using
> 'unix_primary_group = yes', so your users should also have
gidNumber
> attribute containing the gidNumber of a group.
>
> It take it you haven't done any of the above, so you may want to
> consider using the 'rid' backend instead. I would suggest you read
> the wiki pages I pointed you to earlier.
>
> Rowland
>