On 19/09/2019 19:33, Bartłomiej Solarz-Niesłuchowski via samba wrote:
> Dear List,
>
> After migration I have found some problems:
>
> 1.
>
> directives in /etc/samba/smb.conf
>
> force user
>
> force group

You shouldn't be using those anymore, you should use Windows ACLs

> I have found similar problems, like here:
> https://bugzilla.samba.org/show_bug.cgi?id=11320
>
> if I have a share:
>
> [global]
>
>         workgroup = WSISIZ.EDU.PL

Is that really your workgroup name? I would have expected something like 'AD' based on your realm (which incidentally should be in uppercase)

> realm = ad.wsisiz.edu.pl
>         server role = member server
>         security = ads
> ....
>
>         winbind use default domain = Yes
>
> [admin]
>
>  valid users = +laboratoria
>  write list = +laboratoria
>  force group = laboratoria
>
> I cannot connect:
>
> oceanic:~# smbclient \\oceanic\admins -U solarz
> Enter WSISIZ.EDU.PL\solarz's password:
> tree connect failed: NT_STATUS_NO_SUCH_GROUP
>
> BUT
>
> if I change "force group" to:
>
>  force group = unix group\laboratoria
>
> it works! (prefix unix group is not documented?)

I think you had better post your full smb.conf from the Unix domain member.

> Samba is at version:
>
> Name        : samba
> Epoch       : 2
> Version     : 4.10.7
> Release     : 0.fc30
> Architecture: x86_64
>
>
> I have some strange problems with AD:
>
> at domain member:
>
> oceanic:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
> oceanic:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-3156691614-3416019035-1284015310-3077
> to gid
>
> oceanic:~# wbinfo --online-status
> BUILTIN : active connection
> OCEANIC : active connection
> WSISIZ.EDU.PL : active connection
>
> wbinfo -u and -g work as expected....

Bit meaningless on a Unix computer

> at DC AD server:
>
> root@themes:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
> root@themes:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
> 1038
> root@themes:~# wbinfo --online-status
> BUILTIN : active connection
> WSISIZ.EDU.PL : active connection
>
>
> It looks very strange ... That conversion from sid to gid is an
> essential one?
>

As I said, post your smb.conf

Rowland
Bartłomiej Solarz-Niesłuchowski
2019-Sep-19 19:04 UTC
[Samba] Migrating Samba NT4 Domain to Samba AD
On 19.09.2019 at 20:49, Rowland penny via samba wrote:
> On 19/09/2019 19:33, Bartłomiej Solarz-Niesłuchowski via samba wrote:
>> Dear List,
>>
>> After migration I have found some problems:
>>
>> 1.
>>
>> directives in /etc/samba/smb.conf
>>
>> force user
>>
>> force group
> You shouldn't be using those anymore, you should use Windows ACLs
>>
>> I have found similar problems, like here:
>> https://bugzilla.samba.org/show_bug.cgi?id=11320
>>
>> if I have a share:
>>
>> [global]
>>
>>         workgroup = WSISIZ.EDU.PL
>
> Is that really your workgroup name?

yes

> I would have expected something like 'AD' based on your realm (which
> incidentally should be in uppercase)
>
>> realm = ad.wsisiz.edu.pl
>>         server role = member server
>>         security = ads
>> ....
>>
>>         winbind use default domain = Yes
>>
>> [admin]
>>
>>  valid users = +laboratoria
>>  write list = +laboratoria
>>  force group = laboratoria
>>
>> I cannot connect:
>>
>> oceanic:~# smbclient \\oceanic\admins -U solarz
>> Enter WSISIZ.EDU.PL\solarz's password:
>> tree connect failed: NT_STATUS_NO_SUCH_GROUP
>>
>> BUT
>>
>> if I change "force group" to:
>>
>>  force group = unix group\laboratoria
>>
>> it works! (prefix unix group is not documented?)
> I think you had better post your full smb.conf from the Unix domain
> member.
>>
>> Samba is at version:
>>
>> Name        : samba
>> Epoch       : 2
>> Version     : 4.10.7
>> Release     : 0.fc30
>> Architecture: x86_64
>>
>>
>> I have some strange problems with AD:
>>
>> at domain member:
>>
>> oceanic:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
>> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
>> oceanic:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
>> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert sid S-1-5-21-3156691614-3416019035-1284015310-3077
>> to gid
>>
>> oceanic:~# wbinfo --online-status
>> BUILTIN : active connection
>> OCEANIC : active connection
>> WSISIZ.EDU.PL : active connection
>>
>> wbinfo -u and -g work as expected....
> Bit meaningless on a Unix computer
>>
>> at DC AD server:
>>
>> root@themes:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
>> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
>> root@themes:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
>> 1038
>> root@themes:~# wbinfo --online-status
>> BUILTIN : active connection
>> WSISIZ.EDU.PL : active connection
>>
>>
>> It looks very strange ... That conversion from sid to gid is an
>> essential one?
>>
> As I said, post your smb.conf
>
> Rowland
>

[global]
        dos charset = CP852
        unix charset = UTF8
        workgroup = WSISIZ.EDU.PL
        realm = ad.wsisiz.edu.pl
        server role = member server
        security = ads
        allow trusted domains = No
        log level = 0
        time server = Yes
        deadtime = 60
        hostname lookups = Yes
        printcap cache time = 600
        printcap name = cups
        wins proxy = Yes
        wins support = Yes
        remote browse sync = oxygene.ibspan.waw.pl antarctica china spiral direct odyssey
        winbind use default domain = Yes
        create mask = 0644
        inherit acls = Yes
        hosts allow = 127., 10.100.0.0/255.255.0.0 213.135.34.0/255.255.255.0, 213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0, 2001:1a68:a::/48
        ea support = Yes
        map acl inherit = Yes
        cups options = raw
        hide dot files = No
        store dos attributes = Yes
        wide links = Yes
        acl allow execute always = yes

[admins]
        comment = oceanic:/opt/windows/staff/admins - katalog Adminow!
        path = /opt/windows/staff/admins
        valid users = +laboratoria
        write list = +laboratoria
        force group = unix group\laboratoria
        create mask = 0660
        directory mask = 0770
        vfs objects = recycle
        recycle:keeptree = yes
        recycle:versions = yes
        recycle:touch_mtime = yes
        recycle:maxsize = 10000000
        recycle:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.lst|*.rcv|*.RCV|*.TMP
        recycle:exclude_dir = /tmp|/temp|/cache
        recycle:noversions = *.doc|*.xls|*.ppt

/etc/krb5.conf

[libdefaults]
        default_realm = AD.WSISIZ.EDU.PL
        dns_lookup_realm = false
        dns_lookup_kdc = true

Best Regards

--
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep in it
On 19/09/2019 20:04, Bartłomiej Solarz-Niesłuchowski via samba wrote:
> On 19.09.2019 at 20:49, Rowland penny via samba wrote:
>> On 19/09/2019 19:33, Bartłomiej Solarz-Niesłuchowski via samba wrote:
>>> Dear List,
>>>
>>> After migration I have found some problems:
>>>
>>> 1.
>>>
>>> directives in /etc/samba/smb.conf
>>>
>>> force user
>>>
>>> force group
>> You shouldn't be using those anymore, you should use Windows ACLs
>>>
>>> I have found similar problems, like here:
>>> https://bugzilla.samba.org/show_bug.cgi?id=11320
>>>
>>> if I have a share:
>>>
>>> [global]
>>>
>>>         workgroup = WSISIZ.EDU.PL
>>
>> Is that really your workgroup name?
> yes
>>
>> I would have expected something like 'AD' based on your realm (which
>> incidentally should be in uppercase)
>>
>>> realm = ad.wsisiz.edu.pl
>>>         server role = member server
>>>         security = ads
>>> ....
>>>
>>>         winbind use default domain = Yes
>>>
>>> [admin]
>>>
>>>  valid users = +laboratoria
>>>  write list = +laboratoria
>>>  force group = laboratoria
>>>
>>> I cannot connect:
>>>
>>> oceanic:~# smbclient \\oceanic\admins -U solarz
>>> Enter WSISIZ.EDU.PL\solarz's password:
>>> tree connect failed: NT_STATUS_NO_SUCH_GROUP
>>>
>>> BUT
>>>
>>> if I change "force group" to:
>>>
>>>  force group = unix group\laboratoria
>>>
>>> it works! (prefix unix group is not documented?)
>> I think you had better post your full smb.conf from the Unix domain
>> member.
>>>
>>> Samba is at version:
>>>
>>> Name        : samba
>>> Epoch       : 2
>>> Version     : 4.10.7
>>> Release     : 0.fc30
>>> Architecture: x86_64
>>>
>>>
>>> I have some strange problems with AD:
>>>
>>> at domain member:
>>>
>>> oceanic:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
>>> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
>>> oceanic:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
>>> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not convert sid S-1-5-21-3156691614-3416019035-1284015310-3077
>>> to gid
>>>
>>> oceanic:~# wbinfo --online-status
>>> BUILTIN : active connection
>>> OCEANIC : active connection
>>> WSISIZ.EDU.PL : active connection
>>>
>>> wbinfo -u and -g work as expected....
>> Bit meaningless on a Unix computer
>>>
>>> at DC AD server:
>>>
>>> root@themes:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
>>> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
>>> root@themes:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
>>> 1038
>>> root@themes:~# wbinfo --online-status
>>> BUILTIN : active connection
>>> WSISIZ.EDU.PL : active connection
>>>
>>>
>>> It looks very strange ... That conversion from sid to gid is an
>>> essential one?
>>>
>> As I said, post your smb.conf
>>
>> Rowland
>>
> [global]
>         dos charset = CP852
>         unix charset = UTF8
>         workgroup = WSISIZ.EDU.PL
>         realm = ad.wsisiz.edu.pl
>         server role = member server
>         security = ads
>         allow trusted domains = No
>         log level = 0
>         time server = Yes
>         deadtime = 60
>         hostname lookups = Yes
>         printcap cache time = 600
>         printcap name = cups
>         wins proxy = Yes
>         wins support = Yes
>         remote browse sync = oxygene.ibspan.waw.pl antarctica china spiral direct odyssey
>         winbind use default domain = Yes
>         create mask = 0644
>         inherit acls = Yes
>         hosts allow = 127., 10.100.0.0/255.255.0.0 213.135.34.0/255.255.255.0, 213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0, 2001:1a68:a::/48
>         ea support = Yes
>         map acl inherit = Yes
>         cups options = raw
>         hide dot files = No
>         store dos attributes = Yes
>         wide links = Yes
>         acl allow execute always = yes
>
>
> [admins]
>
>         comment = oceanic:/opt/windows/staff/admins - katalog Adminow!
>         path = /opt/windows/staff/admins
>         valid users = +laboratoria
>         write list = +laboratoria
>         force group = unix group\laboratoria
>         create mask = 0660
>         directory mask = 0770
>         vfs objects = recycle
>         recycle:keeptree = yes
>         recycle:versions = yes
>         recycle:touch_mtime = yes
>         recycle:maxsize = 10000000
>         recycle:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.lst|*.rcv|*.RCV|*.TMP
>         recycle:exclude_dir = /tmp|/temp|/cache
>         recycle:noversions = *.doc|*.xls|*.ppt

There are a few parameters that should be removed, but your main problem is that you appear to be using sssd (either that or you have no auth method). Samba does not support sssd, because we do not produce it. You need to ask on the sssd-users mailing list, but there is a problem with that, Red-Hat no longer supports using sssd with winbind and you must use winbind on a Unix domain member.

Can I suggest you do two things:

yum remove sssd*

Read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
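The posted smb.conf carries no "idmap config" lines at all, and that is the first thing the domain-member guide Rowland points to tells you to add, because without a configured backend and range winbind has nowhere to allocate Unix gids for domain SIDs. The following is an added example from the editor, not code from the thread or from the Samba project: a small POSIX shell lint that reports the missing idmap settings. "bad.conf" is constructed from the [global] section posted above; "good.conf" adds the default and domain idmap lines in the shape the Samba wiki uses for a rid-backend member. The two ranges (3000-7999 and 10000-999999) are assumptions, not values from the thread: choose ranges for your own site that overlap neither each other nor the ids already in /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or the Samba project):
# offline lint for the winbind idmap settings a Unix domain member needs.
# BAD_CONF is constructed from the [global] section posted in the thread;
# GOOD_CONF adds the idmap lines in the form the Samba wiki's domain-member
# guide uses. Both ranges are assumptions; pick your own non-overlapping ones.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
BAD_CONF=$TMPD/bad.conf
GOOD_CONF=$TMPD/good.conf

# Constructed sample: the relevant lines of the posted smb.conf. There is
# no "idmap config" at all, so winbind has no backend for the domain's SIDs.
cat > "$BAD_CONF" <<'EOF'
[global]
        workgroup = WSISIZ.EDU.PL
        realm = ad.wsisiz.edu.pl
        server role = member server
        security = ads
        winbind use default domain = Yes
EOF

# Constructed sample: same member with a default ("*") tdb backend for
# BUILTIN and friends, plus a rid backend for the domain itself.
cat > "$GOOD_CONF" <<'EOF'
[global]
        workgroup = WSISIZ.EDU.PL
        realm = AD.WSISIZ.EDU.PL
        server role = member server
        security = ads
        winbind use default domain = Yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config WSISIZ.EDU.PL : backend = rid
        idmap config WSISIZ.EDU.PL : range = 10000-999999
EOF

# Lower-case the file and normalise "key = value" / "dom : key" spacing so a
# fixed-string grep is enough; smb.conf parameter names are case-insensitive.
norm_conf() {
    tr 'A-Z' 'a-z' < "$1" |
        sed -e 's/^[[:space:]]*//' \
            -e 's/[[:space:]]*=[[:space:]]*/ = /' \
            -e 's/[[:space:]]*:[[:space:]]*/ : /g'
}

# has_param FILE 'normalised line prefix' -> 0 if some line starts with it
has_param() {
    norm_conf "$1" | grep -Fq "$2"
}

# check_idmap FILE WORKGROUP -> 0 when backend and range are configured for
# both the default domain "*" and WORKGROUP, 1 otherwise (each gap is listed).
check_idmap() {
    conf=$1
    wg=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    rc=0
    for dom in '*' "$wg"; do
        for key in backend range; do
            if ! has_param "$conf" "idmap config $dom : $key ="; then
                echo "MISSING: idmap config $dom : $key"
                rc=1
            fi
        done
    done
    return $rc
}

# Usage: lint both constructed configs for the workgroup from the thread.
for f in "$BAD_CONF" "$GOOD_CONF"; do
    if check_idmap "$f" WSISIZ.EDU.PL; then
        echo "OK: $f has idmap config for * and WSISIZ.EDU.PL"
    else
        echo "FAIL: $f"
    fi
done
```

Run it against a real member's config with `testparm -s /etc/samba/smb.conf > /tmp/normalised.conf` first, so that the lint sees the same parameter set smbd and winbindd will load; then re-run the thread's `wbinfo -Y <SID>` on the member to confirm the gid now resolves.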