Stefan G. Weichinger
2019-Nov-26  17:21 UTC
[Samba] moved DM config to new server : gids different etc
On 26.11.19 at 17:37, Rowland penny via samba wrote:
> How about 'getent group Domain\ Users' ?

no result = empty reply

The "admin" there is able to access stuff and reset his ACLs already.

So ... things work so far. Thanks.

I will consider the config Louis suggested ... but not now.

(my reply was rejected by some samba-ml SMTP server ... another problem)
Rowland penny
2019-Nov-26  17:42 UTC
[Samba] moved DM config to new server : gids different etc
On 26/11/2019 17:21, Stefan G. Weichinger via samba wrote:
> On 26.11.19 at 17:37, Rowland penny via samba wrote:
>
>> How about 'getent group Domain\ Users' ?
> no result = empty reply

Then there is something wrong, something isn't set correctly. I take it you replaced 'Domain\ Users' with its German equivalent.

>
> The "admin" there is able to access stuff and reset his ACLs already.

How? If 'getent' isn't working.

>
> So ... things work so far. Thanks.
>
> I will consider the config Louis suggested ... but not now.

No, 'rid' should work as before. All you really need to back up on a Unix domain member is the shares and the smb.conf; all the users & groups are stored on the DC.

>
> (my reply was rejected by some samba-ml SMTP server ... another problem)

Strange, it didn't reach moderation.

Can you download this:

https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

Run it on the Unix domain member and paste the output into a post.

Rowland
Stefan G. Weichinger
2019-Nov-26  17:57 UTC
[Samba] moved DM config to new server : gids different etc
On 26.11.19 at 18:42, Rowland penny via samba wrote:
> On 26/11/2019 17:21, Stefan G. Weichinger via samba wrote:
>> On 26.11.19 at 17:37, Rowland penny via samba wrote:
>>
>>> How about 'getent group Domain\ Users' ?
>> no result = empty reply
> Then there is something wrong, something isn't set correctly. I take it
> you replaced 'Domain\ Users' with its German equivalent.

I "eye-grepped" for that string as well. Not there. No AD groups in "getent".

>> The "admin" there is able to access stuff and reset his ACLs already.
> How? If 'getent' isn't working.
>>
>> So ... things work so far. Thanks.
>>
>> I will consider the config Louis suggested ... but not now.
> No, 'rid' should work as before. All you really need to back up on a Unix
> domain member is the shares and the smb.conf; all the users & groups are
> stored on the DC.
>>
>> (my reply was rejected by some samba-ml SMTP server ... another problem)
>
> Strange, it didn't reach moderation.
>
> Can you download this:
>
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Run it on the Unix domain member and paste the output into a post.

A little bit anonymized (I hope).

That DNS domain is flaky, I see. That "gigabit.net" came from the former admin and should be rm-ed, I see .... !
--
root at samba:~# cat samba-debug-info.txt
Collected config  --- 2019-11-26-18:48 -----------

Hostname: samba
DNS Domain: gigabit.net
FQDN: samba.gigabit.net
ipaddress: 192.168.100.4

-----------
Kerberos SRV _kerberos._tcp.gigabit.net record verified ok, sample output:
Server:         192.168.100.1
Address:        192.168.100.1#53

Non-authoritative answer:
*** Can't find _kerberos._tcp.gigabit.net: No answer

Authoritative answers can be found from:
gigabit.net
        origin = ns.123-reg.co.uk
        mail addr = hostmaster.gigabit.net
        serial = 2017030702
        refresh = 14400
        retry = 0
        expire = 604800
        minimum = 14400

Samba is running as a Unix domain member

-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------
This computer is running Debian 10.2 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 90:b1:1c:a1:1a:a8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.4/24 brd 192.168.100.255 scope global eno1
    inet6 fe80::92b1:1cff:fea1:1aa8/64 scope link

-----------
Checking file: /etc/hosts
127.0.0.1       localhost

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

192.168.100.4   samba.gigabit.net samba

-----------
Checking file: /etc/resolv.conf
domain mydom.de
search mydom.de
nameserver 192.168.100.1

-----------
Checking file: /etc/krb5.conf
[libdefaults]
        default_realm = mydom.INTRA
        dns_lookup_realm = false
        dns_lookup_kdc = true

-----------
Checking file: /etc/nsswitch.conf
# This file is managed remotely, all changes will be lost
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Checking file: /etc/samba/smb.conf
# Samba config file
# from sgw 2018/jun/15
# with help from Rowland

[global]
   unix charset = iso8859-15
   security = ads
   realm = mydom.INTRA
   workgroup = mydom

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   netbios aliases = u1mydom
   server string = U1mydom

   winbind cache time = 10
   winbind use default domain = yes
   winbind refresh tickets = Yes

   template homedir = /mnt/MSA2040/smb/Homes/%D/%U

   restrict anonymous = 2
   domain master = no
   local master = no
   preferred master = no
   invalid users = root bin daemon adm sync shutdown halt mail news \
                   uucp
   obey pam restrictions = yes

   interfaces = 192.168.100.4/24 127.0.0.1
   bind interfaces only = Yes

   idmap config * : range = 3000-7999
   idmap config * : backend = tdb
   idmap config mydom : range = 10000-20000
   idmap config mydom : backend = rid

   # For ACL support on domain member
   vfs objects = acl_xattr full_audit
   map acl inherit = Yes
   store dos attributes = Yes
   inherit acls = yes

   unix extensions = no
   follow symlinks= yes
   wide links= yes

   load printers = no
   printcap name = /dev/null

   acl allow execute always = True

   # Audit settings
   full_audit:prefix = %u|%I|%m|%S
   full_audit:failure = connect
   full_audit:success = mkdir rmdir read pread write pwrite rename unlink
   full_audit:facility = local5
   full_audit:priority = notice

   log level = 2

[homes]
   comment = Home Directories
   #path = /mnt/MSA2040/smb/Homes/mydom/%U
   #path = /mnt/MSA2040/smb/Homes/mydom/%S
   valid users = %S
   browseable = yes
   read only = no
   create mode = 0750
   #directory mask = 0700
   root preexec = /usr/local/sbin/mkhomedir.sh %U %H

[acltest]
   path = /mnt/MSA2040/smb/acltest
   read only = No

(rm-ed share defs)

-----------
Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts

-----------
Warning, /etc/idmapd.conf does not exist

-----------
Installed packages:
ii  acl                      2.2.53-4                        amd64  access control list - utilities
ii  attr                     1:2.4.48-4                      amd64  utilities for manipulating filesystem extended attributes
ii  krb5-config              2.6                             all    Configuration files for Kerberos Version 5
ii  krb5-locales             1.17-3                          all    internationalization support for MIT Kerberos
ii  krb5-user                1.17-3                          amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64            2.2.53-4                        amd64  access control list - shared library
ii  libattr1:amd64           1:2.4.48-4                      amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64   1.17-3                          amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64          1.17-3                          amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64    1.17-3                          amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64     2:4.10.10+dfsg-0.1~buster~1     amd64  Samba nameservice integration plugins
ii  libpam-krb5:amd64        4.8-2                           amd64  PAM module for MIT Kerberos
ii  libpam-winbind:amd64     2:4.10.10+dfsg-0.1~buster~1     amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64       2:4.10.10+dfsg-0.1~buster~1     amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64       2:4.10.10+dfsg-0.1~buster~1     amd64  Samba winbind client library
ii  python3-samba            2:4.10.10+dfsg-0.1~buster~1     amd64  Python 3 bindings for Samba
ii  samba                    2:4.10.10+dfsg-0.1~buster~1     amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common             2:4.10.10+dfsg-0.1~buster~1     all    common files used by both the Samba server and client
ii  samba-common-bin         2:4.10.10+dfsg-0.1~buster~1     amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64 2:4.10.10+dfsg-0.1~buster~1     amd64  Samba Directory Services Database
ii  samba-libs:amd64         2:4.10.10+dfsg-0.1~buster~1     amd64  Samba core libraries
ii  samba-vfs-modules:amd64  2:4.10.10+dfsg-0.1~buster~1     amd64  Samba Virtual FileSystem plugins
ii  smbclient                2:4.10.10+dfsg-0.1~buster~1     amd64  command-line SMB/CIFS clients for Unix
ii  winbind                  2:4.10.10+dfsg-0.1~buster~1     amd64  service to resolve user and group information from Windows NT servers
-----------
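The thread turns on Rowland's point that with the 'rid' backend the GIDs are not stored anywhere on the member: they are computed from each group's RID and the configured range, so a rebuilt server with the same `idmap config mydom : range = 10000-20000` must produce the same numbers, and anything `getent group` shows outside that range did not come from the rid mapping. The script below is an added example, not from the thread, from Samba or from the debug-info script; it reimplements the idmap_rid arithmetic documented in the idmap_rid man page (ID = RID - base_rid + LOW_RANGE, base_rid defaulting to 0, results outside the range rejected) so the expected GID can be worked out from smb.conf alone and compared against a `getent group` line. The domain SID and the `getent` lines are constructed sample data; the range is the one from the posted smb.conf.

```shell
#!/bin/sh
# Added example: predict idmap_rid IDs from smb.conf values and compare
# them with what 'getent group' reports. Not Samba code; the arithmetic
# follows the idmap_rid(8) description, the sample SIDs are made up.

# rid_to_id SID LOW HIGH [BASE_RID]
# Prints the Unix ID idmap_rid would assign to the RID in SID, or prints a
# diagnostic on stderr and returns 1 when the SID is not a domain SID or
# the result would fall outside LOW-HIGH (winbind reports such SIDs as
# unmapped rather than inventing an ID).
rid_to_id() {
    sid=$1; low=$2; high=$3; base=${4:-0}
    case "$sid" in
        S-1-5-21-*-*-*-*) ;;          # domain SID (3 sub-authorities) + RID
        *) echo "not a domain SID: $sid" >&2; return 1 ;;
    esac
    rid=${sid##*-}                    # last component is the RID
    unixid=$((rid - base + low))      # idmap_rid: ID = RID - base_rid + LOW
    if [ "$rid" -lt "$base" ] || [ "$unixid" -lt "$low" ] || [ "$unixid" -gt "$high" ]; then
        echo "RID $rid of $sid maps to $unixid, outside range $low-$high" >&2
        return 1
    fi
    echo "$unixid"
}

# check_getent_line GETENT_LINE SID LOW HIGH [BASE_RID]
# Compares the gid field of a 'name:x:gid:members' line (as printed by
# 'getent group') with the rid-computed value. Returns 0 on a match, so it
# can be used offline on captured output or live on a domain member.
check_getent_line() {
    line=$1; shift
    want=$(rid_to_id "$@") || return 1
    got=$(printf '%s\n' "$line" | cut -d: -f3)
    [ "$got" = "$want" ]
}

# Constructed sample data: made-up domain SID, range from the posted smb.conf.
DOMSID=S-1-5-21-1111111111-2222222222-3333333333
LOW=10000; HIGH=20000

rid_to_id "$DOMSID-513"  "$LOW" "$HIGH"   # Domain Users  (RID 513)  -> 10513
rid_to_id "$DOMSID-512"  "$LOW" "$HIGH"   # Domain Admins (RID 512)  -> 10512
rid_to_id "$DOMSID-1106" "$LOW" "$HIGH"   # an ordinary group        -> 11106
rid_to_id "$DOMSID-20001" "$LOW" "$HIGH" || echo "-> unmapped: enlarge the range or the group gets no gid"

# A captured getent line that agrees with the rid mapping ...
check_getent_line "domain users:x:10513:" "$DOMSID-513" "$LOW" "$HIGH" \
    && echo "getent gid matches the rid mapping"
# ... and one that does not: a gid outside 10000-20000 was not produced by
# 'idmap config mydom : backend = rid' and points at the idmap config not
# being in effect for that domain.
check_getent_line "domain users:x:3001:" "$DOMSID-513" "$LOW" "$HIGH" \
    || echo "getent gid does not match the rid mapping; check idmap config"
```

On the live member the same comparison is `check_getent_line "$(getent group 'domain users')" "$(wbinfo -n 'domain users' | cut -d' ' -f1)" 10000 20000`; an empty `getent` result, as in the thread, fails the check before any arithmetic is reached.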