Stefan G. Weichinger
2019-Nov-26 16:00 UTC
[Samba] moved DM config to new server : gids different etc
Last week the mobo in a DM server died, so we had to set up a fallback machine and reinstall Debian 10.2 including Samba.

I had smb.conf but not /var/lib/samba in backups.

Restored krb5.conf and smb.conf, rejoined.

Things work mostly ...

but for example I get gid 10006 for "domain users" instead of 10513 before.

and getent group doesn't show the AD groups, btw

I have:

# /etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

---

# cat /etc/samba/smb.conf
# Samba config file
# from sgw 2018/jun/15
# with help from Rowland

[global]
unix charset = iso8859-15
security = ads
realm = XYZ.INTRA
workgroup = XYZ
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
netbios aliases = u1XYZ
server string = U1XYZ
winbind cache time = 10
winbind use default domain = yes
winbind refresh tickets = Yes
template homedir = /mnt/MSA2040/smb/Homes/%D/%U
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
invalid users = root bin daemon adm sync shutdown halt mail news \
                uucp
obey pam restrictions = yes
interfaces = 192.168.100.4/24 127.0.0.1
bind interfaces only = Yes
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config XYZ : range = 10000-20000
idmap config XYZ : backend = rid

# For ACL support on domain member
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes
inherit acls = yes
unix extensions = no
follow symlinks= yes
wide links= yes
load printers = no
printcap name = /dev/null
acl allow execute always = True

# Audit settings
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice

---

wbinfo -u and -g work afaik

But permissions and ACLs are screwed up.

I might be missing some package to install ... or whatever ...

pls advise, Stefan
Rowland penny
2019-Nov-26 16:15 UTC
[Samba] moved DM config to new server : gids different etc
On 26/11/2019 16:00, Stefan G. Weichinger via samba wrote:
> Last week the mobo in a DM server died, so we had to set up a fallback
> machine and reinstall Debian 10.2 including Samba
>
> I had smb.conf but not /var/lib/samba in backups.
>
> Restored krb5.conf and smb.conf, rejoined.
>
> Things work mostly ...
>
> but for example I get gid 10006 for "domain users" instead of 10513 before.
>
> and getent group doesn't show the AD groups, btw

This is very strange, just about the only thing I would really change in your smb.conf is to remove these lines:

unix extensions = no
follow symlinks= yes
wide links= yes

And they cannot have anything to do with your problem.

The ID for Domain Users (when using the 'rid' backend) is calculated from this:

ID = RID + LOW_RANGE_ID

The RID for Domain Users is always '513' and your domain low range is '10000', so it becomes:

ID = 513 + 10000

So 'ID' == 10513

What packages have you installed to get Samba working on your new server ?

Rowland
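The ID = RID + LOW_RANGE_ID rule above, as an added example that is not part of the thread or of Samba itself: it parses the idmap lines of the quoted smb.conf (embedded here as a constructed excerpt), computes the rid-backend ID for a given RID, refuses results that fall outside the configured range, and reports which idmap range an observed Unix ID such as 10006 belongs to.

```python
import re

# Constructed excerpt: the idmap lines from the smb.conf quoted in the thread.
SMB_CONF = """
[global]
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config XYZ : range = 10000-20000
idmap config XYZ : backend = rid
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)


def parse_idmap_config(text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return cfg


def rid_of(sid):
    """The RID is the last sub-authority of a SID, e.g. S-1-5-21-...-513 -> 513."""
    return int(sid.rsplit("-", 1)[1])


def rid_backend_id(rid, cfg, domain):
    """ID = RID + LOW_RANGE_ID (the rule from the thread). Returns None when the
    domain does not use the rid backend or the result lies outside its range."""
    entry = cfg[domain]
    if entry.get("backend") != "rid":
        return None
    low, high = entry["range"]
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


def range_owner(unix_id, cfg):
    """Name of the idmap domain whose range contains unix_id, or None."""
    for dom, entry in cfg.items():
        low, high = entry["range"]
        if low <= unix_id <= high:
            return dom
    return None
```

With the thread's ranges, RIDs above 10000 have no valid rid-backend mapping because 10000 + RID exceeds the high end of 20000, which is the kind of gap worth checking before widening or moving a range.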
Stefan G. Weichinger
2019-Nov-26 16:28 UTC
[Samba] moved DM config to new server : gids different etc
On 26.11.19 at 17:15, Rowland penny via samba wrote:
> On 26/11/2019 16:00, Stefan G. Weichinger via samba wrote:
>> Last week the mobo in a DM server died, so we had to set up a fallback
>> machine and reinstall Debian 10.2 including Samba
>>
>> I had smb.conf but not /var/lib/samba in backups.
>>
>> Restored krb5.conf and smb.conf, rejoined.
>>
>> Things work mostly ...
>>
>> but for example I get gid 10006 for "domain users" instead of 10513
>> before.
>>
>> and getent group doesn't show the AD groups, btw
>
> This is very strange, just about the only thing I would really change in
> your smb.conf is to remove these lines:
>
> unix extensions = no
> follow symlinks= yes
> wide links= yes

old parameters, defensive ... yes

> And they cannot have anything to do with your problem.
>
> The ID for Domain Users (when using the 'rid' backend) is calculated
> from this:
>
> ID = RID + LOW_RANGE_ID
>
> The RID for Domain Users is always '513' and your domain low range is
> '10000', so it becomes:
>
> ID = 513 + 10000
>
> So 'ID' == 10513

Yes, thanks. I maybe messed up something myself.

Right now when I run "chgrp -R 10513 somefolder" it gets shown as

drwxrwx---+ 4 administrator domänen-benutzer 4096 Nov 21 12:14 somefolder

which is good.

(I dislike the fact that the German "domänen-benutzer" has an Umlaut in it ... problematic with some commands)

I run some larger chgrp-command now to get these folders accessible again.

# getent group | grep -i utzer

does show nothing, though, I always forget if that has worked or not, and why ...

> What packages have you installed to get Samba working on your new server ?

I can't tell exactly anymore, basically stuff like what Louis recommends at

https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt

# apt-get install samba winbind acl libnss-winbind libpam-winbind ntp krb5-user smbclient samba-vfs-modules samba-dsdb-modules
Reading package lists... Done
Building dependency tree
Reading state information... Done
acl is already the newest version (2.2.53-4).
krb5-user is already the newest version (1.17-3).
ntp is already the newest version (1:4.2.8p12+dfsg-4).
libnss-winbind is already the newest version (2:4.10.10+dfsg-0.1~buster~1).
libpam-winbind is already the newest version (2:4.10.10+dfsg-0.1~buster~1).
samba is already the newest version (2:4.10.10+dfsg-0.1~buster~1).
samba-dsdb-modules is already the newest version (2:4.10.10+dfsg-0.1~buster~1).
samba-vfs-modules is already the newest version (2:4.10.10+dfsg-0.1~buster~1).
smbclient is already the newest version (2:4.10.10+dfsg-0.1~buster~1).
winbind is already the newest version (2:4.10.10+dfsg-0.1~buster~1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.