Edouard Guigné
2019-Apr-10 16:14 UTC
[Samba] Fwd: Re: Ressources needed (cpus, ram, etc.) for a Samba server
Log level to 10 was for debug reasons, I can surely set it to 1 now.
Concerning idmap config IPGAD, I don't see what the reason is to start at 1... I will set it to 10000, according to the documentation, thank you.

What do you mean by "
You are also using the winbind 'ad' backend, so have you added anything to AD ?
" ?

On 10/04/2019 at 12:38, Rowland Penny via samba wrote:
> On Wed, 10 Apr 2019 12:08:55 -0300
> Edouard Guigné via samba <samba at lists.samba.org> wrote:
>
>> Hello Rowland,
>>
>> Yes, this is a Unix Domain member.
>>
>> Below, my smb.conf :
>>
>> [global]
>> security = ads
>> realm = IPGAD.MYDOMAIN.FR
>> workgroup = IPGAD
>> kerberos method = secrets and keytab
>> server signing = mandatory
>> client signing = mandatory
>> hosts allow = 127. 10.9.X. 10.9.X. 10.9.X. 10.9.4. 10.9.X.
>> hosts deny = 10.9.X. 10.9.X.
>>
>> log file = /var/log/samba/%m.log
>> max log size = 5000
>>
>> log level = 10
>> local master = no
>> domain master = no
>> preferred master = no
>> use sendfile = true
>> load printers = no
>> cups options = raw
>> printcap name = /dev/null
>>
>> disable spoolss = yes
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 15000-99999
>>
>> winbind nss info = rfc2307
>> idmap config IPGAD : backend = ad
>> idmap config IPGAD : schema_mode = rfc2307
>> idmap config IPGAD : range = 1-14999
>> idmap config IPGAD : unix_nss_info = yes
>> idmap config IPGAD : unix_primary_group = yes
>>
>> client min protocol = SMB2
> I have removed all the default lines, but just a couple of questions
> about [global]:
>
> Why have you set the log level to 10 ? this will swamp your logfile.
> Is there some reason why you have started the 'IPGAD' range at '1' ?
> The normal practice is at '10000', also using '1' means that you
> should move everything from /etc/passwd and /etc/group into AD, or to
> put it another way, this is a stupid range.
> You are also using the winbind 'ad' backend, so have you added
> anything to AD ?
> Have you read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> and this:
>
> https://wiki.samba.org/index.php/Idmap_config_ad
>
>> #[myshare]
>> [groups]
>> comment = jaguar2
>> path = /var/datashared
>> public = no
>> writable = yes
>> guest ok = no
> Interesting fact: 'public' is a synonym for 'guest ok', so you don't
> need both and the default for 'guest ok' is 'no', so you don't really
> need either.
>
> Rowland
Rowland Penny
2019-Apr-10 16:41 UTC
[Samba] Fwd: Re: Ressources needed (cpus, ram, etc.) for a Samba server
On Wed, 10 Apr 2019 13:14:35 -0300
Edouard Guigné via samba <samba at lists.samba.org> wrote:

> Log level to 10 was for debug reasons, I can surely set it to 1 now.
> Concerning idmap config IPGAD, I don't see what the reason is to start
> at 1... I will set it to 10000, according to the documentation, thank
> you.
>
> What do you mean by "
> You are also using the winbind 'ad' backend, so have you added
> anything to AD ?
> " ?

Just what it says. I don't remember if you said what the AD DC is, but it doesn't really matter, if you create a user using ADUC or samba-tool, the user will just be a Windows user. That is unless you also use the UNIX Attributes tab on ADUC or specify the RFC2307 attributes with 'samba-tool user add'.
The minimum requirement for a Unix AD user is that they must have a uidNumber attribute containing a unique number inside the range you set in smb.conf (now do you see why I asked about the range starting at '1' ?) AND 'Domain Users' (the default user primary group) must have a gidNumber attribute inside the same range. You are also using 'unix_primary_group = yes', so your users should also have a gidNumber attribute containing the gidNumber of a group.

I take it you haven't done any of the above, so you may want to consider using the 'rid' backend instead. I would suggest you read the wiki pages I pointed you to earlier.

Rowland
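As an added example (not part of the thread and not Samba's own code), this Python script checks the two points raised above: where the 'ad' backend range in smb.conf starts and whether it overlaps another idmap range, and whether each account's uidNumber/gidNumber lies inside it. The 10000 floor follows the start value recommended in the thread; the `ad_ids` input and the account names used with it are constructed.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in this thread.
SMB_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 15000-99999
idmap config IPGAD : backend = ad
idmap config IPGAD : range = 1-14999
"""

LOCAL_ID_FLOOR = 10000  # assumption: the '10000' start recommended in the thread
PAT = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = PAT.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry[key] = val
    return domains

def audit(conf, domain, ad_ids):
    """ad_ids: {name: uidNumber/gidNumber or None}, e.g. exported from AD (hypothetical input)."""
    doms = parse_idmap(conf)
    low, high = doms[domain]["range"]
    findings = []
    if low < LOCAL_ID_FLOOR:
        findings.append(f"{domain} range starts at {low}: collides with local /etc/passwd and /etc/group IDs")
    for other, cfg in doms.items():
        if other != domain and "range" in cfg:
            olow, ohigh = cfg["range"]
            if low <= ohigh and olow <= high:  # closed intervals intersect
                findings.append(f"{domain} range overlaps '{other}' range {olow}-{ohigh}")
    for name, num in ad_ids.items():
        if num is None:
            findings.append(f"{name}: no uidNumber/gidNumber attribute set")
        elif not low <= num <= high:
            findings.append(f"{name}: ID {num} is outside {low}-{high}")
    return findings
```

Calling `audit(SMB_CONF, "IPGAD", {...})` returns a list of findings; an empty list means the range and the supplied IDs are consistent.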
Edouard Guigné
2019-Apr-10 16:53 UTC
[Samba] Fwd: Re: Ressources needed (cpus, ram, etc.) for a Samba server
I see, yes the unix attributes are set on the AD DC (RFC2307) for each user and each group.
And that's a question, because I am using a Windows Server 2012 R2 as AD DC.
Will the unix attributes still be available in the Windows Server 2019 version ?
I am not talking about ADUC and how to set the unix attributes tab, I am asking about the attributes in the AD schema, because I know that NIS and the unix attributes tab in ADUC are deprecated in Windows Server 2016, but they can still be set via a PowerShell script.

EdG

On 10/04/2019 at 13:41, Rowland Penny via samba wrote:
> On Wed, 10 Apr 2019 13:14:35 -0300
> Edouard Guigné via samba <samba at lists.samba.org> wrote:
>
>> Log level to 10 was for debug reasons, I can surely set it to 1 now.
>> Concerning idmap config IPGAD, I don't see what the reason is to start
>> at 1... I will set it to 10000, according to the documentation, thank
>> you.
>>
>> What do you mean by "
>> You are also using the winbind 'ad' backend, so have you added
>> anything to AD ?
>> " ?
> Just what it says. I don't remember if you said what the AD DC is, but
> it doesn't really matter, if you create a user using ADUC or
> samba-tool, the user will just be a Windows user. That is unless you
> also use the UNIX Attributes tab on ADUC or specify the RFC2307
> attributes with 'samba-tool user add'.
> The minimum requirement for a Unix AD user is that they must have a
> uidNumber attribute containing a unique number inside the range you
> set in smb.conf (now do you see why I asked about the range starting
> at '1' ?) AND 'Domain Users' (the default user primary group) must have
> a gidNumber attribute inside the same range. You are also using
> 'unix_primary_group = yes', so your users should also have a gidNumber
> attribute containing the gidNumber of a group.
>
> I take it you haven't done any of the above, so you may want to
> consider using the 'rid' backend instead. I would suggest you read
> the wiki pages I pointed you to earlier.
>
> Rowland