Stefan G. Weichinger
2019-Nov-26 16:28 UTC
[Samba] moved DM config to new server : gids different etc
On 26.11.19 at 17:15, Rowland penny via samba wrote:
> On 26/11/2019 16:00, Stefan G. Weichinger via samba wrote:
>> Last week the mobo in a DM server died, so we had to set up a fallback
>> machine and reinstall Debian 10.2 including Samba
>>
>> I had smb.conf but not /var/lib/samba in backups.
>>
>> Restored krb5.conf and smb.conf, rejoined.
>>
>> Things work mostly ...
>>
>> but for example I get gid 10006 for "domain users" instead of 10513
>> before.
>>
>> and getent group doesn't show the AD groups, btw
>
> This is very strange, just about the only thing I would really change in
> your smb.conf is to remove these lines:
>
> unix extensions = no
> follow symlinks= yes
> wide links= yes

old parameters, defensive ... yes

> And they cannot have anything to do with your problem.
>
> The ID for Domain Users (when using the 'rid' backend) is calculated
> from this:
>
> ID = RID + LOW_RANGE_ID
>
> The RID for Domain Users is always '513' and your domain low range is
> '10000', so it becomes:
>
> ID = 513 + 10000
>
> So 'ID' == 10513

Yes, thanks.

I maybe messed up something myself.

Right now when I run "chgrp -R 10513 somefolder" it gets shown as

drwxrwx---+ 4 administrator domänen-benutzer 4096 Nov 21 12:14 somefolder

which is good.

(I dislike the fact that the German "domänen-benutzer" has an Umlaut in
it ... problematic with some commands)

I run some larger chgrp-command now to get these folders accessible again.

# getent group | grep -i utzer

does show nothing, though, I always forget if that has worked or not,
and why ...

> What packages have you installed to get Samba working on your new server ?

I can't tell exactly anymore, basically stuff like what Louis recommends at

https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt

# apt-get install samba winbind acl libnss-winbind libpam-winbind ntp krb5-user smbclient samba-vfs-modules samba-dsdb-modules
Reading package lists... Done
Building dependency tree
Reading state information... Done
acl is already the newest version (2.2.53-4).
krb5-user is already the newest version (1.17-3).
ntp is already the newest version (1:4.2.8p12+dfsg-4).
libnss-winbind is already the newest version (2:4.10.10+dfsg-0.1~buster~1).
libpam-winbind is already the newest version (2:4.10.10+dfsg-0.1~buster~1).
samba is already the newest version (2:4.10.10+dfsg-0.1~buster~1).
samba-dsdb-modules is already the newest version (2:4.10.10+dfsg-0.1~buster~1).
samba-vfs-modules is already the newest version (2:4.10.10+dfsg-0.1~buster~1).
smbclient is already the newest version (2:4.10.10+dfsg-0.1~buster~1).
winbind is already the newest version (2:4.10.10+dfsg-0.1~buster~1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
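
The 'rid' backend mapping quoted in the message above, worked through in Python as an added example (not part of the thread and not Samba's code): it reads the idmap range from an smb.conf fragment, computes the expected ID for a RID, and reverse-maps numeric gids found on disk so ownership left over from the old server can be reviewed before a bulk chgrp. The domain name EXAMPLE, the upper range bound and the helper names are assumptions; only RID 513 and the low range 10000 come from the thread.

```python
import re

# Constructed smb.conf fragment: the domain name EXAMPLE, the "*" default
# domain lines and the upper bound 999999 are assumptions for this example.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
"""

WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users"}


def rid_range(conf, domain):
    """Return (low, high) for a domain configured with the rid backend."""
    key = rf"^\s*idmap config {re.escape(domain)}\s*:\s*"
    backend = re.search(key + r"backend\s*=\s*(\S+)", conf, re.M | re.I)
    rng = re.search(key + r"range\s*=\s*(\d+)\s*-\s*(\d+)", conf, re.M | re.I)
    if not backend or backend.group(1).lower() != "rid" or not rng:
        raise ValueError(f"no rid backend with a range configured for {domain}")
    return int(rng.group(1)), int(rng.group(2))


def rid_to_id(rid, low, high):
    """ID = RID + LOW_RANGE_ID; None when the result falls outside the range."""
    unix_id = rid + low
    return unix_id if low <= unix_id <= high else None


def id_to_rid(unix_id, low, high):
    """Reverse mapping: which RID a numeric owner on disk stands for, if any."""
    return unix_id - low if low <= unix_id <= high else None


def audit_gids(observed, conf, domain):
    """Map each observed gid to (RID, well-known group name or None)."""
    low, high = rid_range(conf, domain)
    report = {}
    for gid in observed:
        rid = id_to_rid(gid, low, high)
        report[gid] = (rid, WELL_KNOWN_RIDS.get(rid))
    return report


if __name__ == "__main__":
    print("Domain Users ->", rid_to_id(513, *rid_range(SMB_CONF, "EXAMPLE")))
    print(audit_gids([10006, 10513, 3001], SMB_CONF, "EXAMPLE"))
```

A gid that reverse-maps to no known RID, or falls outside the domain range, marks files whose group ownership does not correspond to the expected domain group under this mapping.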
Rowland penny
2019-Nov-26 16:37 UTC
[Samba] moved DM config to new server : gids different etc
On 26/11/2019 16:28, Stefan G. Weichinger via samba wrote:
> On 26.11.19 at 17:15, Rowland penny via samba wrote:
>> On 26/11/2019 16:00, Stefan G. Weichinger via samba wrote:
>>> Last week the mobo in a DM server died, so we had to set up a fallback
>>> machine and reinstall Debian 10.2 including Samba
>>>
>>> I had smb.conf but not /var/lib/samba in backups.
>>>
>>> Restored krb5.conf and smb.conf, rejoined.
>>>
>>> Things work mostly ...
>>>
>>> but for example I get gid 10006 for "domain users" instead of 10513
>>> before.
>>>
>>> and getent group doesn't show the AD groups, btw
>> This is very strange, just about the only thing I would really change in
>> your smb.conf is to remove these lines:
>>
>> unix extensions = no
>> follow symlinks= yes
>> wide links= yes
> old parameters, defensive ... yes
>
>> And they cannot have anything to do with your problem.
>>
>> The ID for Domain Users (when using the 'rid' backend) is calculated
>> from this:
>>
>> ID = RID + LOW_RANGE_ID
>>
>> The RID for Domain Users is always '513' and your domain low range is
>> '10000', so it becomes:
>>
>> ID = 513 + 10000
>>
>> So 'ID' == 10513
> Yes, thanks.
>
> I maybe messed up something myself.
>
> Right now when I run "chgrp -R 10513 somefolder" it gets shown as
>
> drwxrwx---+ 4 administrator domänen-benutzer 4096 Nov 21 12:14 somefolder
>
> which is good.
>
> (I dislike the fact that the German "domänen-benutzer" has an Umlaut in
> it ... problematic with some commands)
>
> I run some larger chgrp-command now to get these folders accessible again.
>
>
> # getent group | grep -i utzer
>
> does show nothing, though, I always forget if that has worked or not,
> and why ...

How about 'getent group Domain\ Users' ?

Rowland
Stefan G. Weichinger
2019-Nov-26 17:21 UTC
[Samba] moved DM config to new server : gids different etc
On 26.11.19 at 17:37, Rowland penny via samba wrote:
> How about 'getent group Domain\ Users' ?

no result = empty reply

The "admin" there is able to access stuff and reset his ACLs already.

So ... things work so far.

thanks. I will consider the config Louis suggested ... but not now

(my reply was rejected by some samba-ml-SMTP-server ... another problem)