I checked my entire setup again and again. Now I can see my share. The most relevant change I did (afaik - of course):
- since I am using ad backend I created dedicated unix admin groups (as recommended in the docs)
- I removed the $ from the share section/definition ([projects$] -> [projects])
- I changed browseable switch from 'no' to 'yes'

I am still getting the "event viewer cannot connect..." error. Probably this is natural, because it is a linux host.

On Wed, 27 Nov 2019 at 13:31, Marian Thieme <marian.thieme at gmail.com> wrote:
> Here is smb.conf:
>
> https://pastebin.com/EVuAy3iB
>
> On Wed, 27 Nov 2019 at 13:25, Marian Thieme <marian.thieme at gmail.com> wrote:
>
>> Hello,
>>
>> according to documentation:
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>> User is required to setup the file share using ms windows (Computer
>> Management->Connect to another computer). That I am trying without success.
>> When I connect with Windows 7 client I get error message: "Event Viewer
>> cannot connect to computer 'SAMDOM.EXAMPLE.COM. The error ported is: The
>> RPC server is unavailable."
>>
>> When I connect with Windows 10 client I get lengthier but also not
>> helpful error message: "Computer xxx cannot be connected. Verify network
>> paht is correct, ...."
>>
>> The error occurs when clicking to "SystemTools". It still opens System
>> Tools and I can also open Shared Folders->Shares. But there are no shares.
>> (Except IPC$)
>>
>> My Samba File server is joined to our AD domain. I tried with version
>> 4.9.1 and with source installation (4.11.2).
>>
>> Server side samba logs do not report an error. I am able to map the share
>> from Windows. However, I need to configure permissions for Domain Users.
>> Which I am unable to do according to the problem.
>>
>> Any suggestions ? Do you need entire smb/nmb/winbind logs ?
>>
>> In the connection log for the Windows client I see an error when it tries
>> to fetch users from database.
>> [2019/11/27 13:21:49.244061, 5] ../source3/passdb/pdb_tdb.c:600(tdbsam_getsampwnam)
>> pdb_getsampwnam (TDB): error fetching database.
>> Key: USER_root
>>
>> Is user root required to be there ?
>>
>> Regards,
>> Marian

On 27/11/2019 15:24, Marian Thieme via samba wrote:
> I checked my entire setup again and again. Now I can see my share. The
> most relevant change I did (afaik - of course):
> - since I am using ad backend I created dedicated unix admin groups (as
> recommended in the docs)

What 'docs' ?

From your smb.conf, you have commented out:

idmap config SAMDOM : range = 10000-999999

and replaced it with:

idmap config SAMDOM : range = 1000-99999

Do you have users in /etc/passwd and AD ?

Have you added rfc2307 attributes to your users & groups in AD ?

Rowland

On 27/11/2019 15:56, Marian Thieme wrote:
> yes, to both:
> our users have uids usually from 4000-6000. And we also maintain the
> relevant groups in that range. I've added uidNumber and gidNumber. The
> setup is the result of a migration from a pure openLdap Directory to
> an AD.
> I have local users on the samba based file server in /etc/passwd with
> uids below 1000. I can see all the AD users if I search for them via
> samba/winbind/nss in AD.

If you have, for instance, a user called 'fred' in /etc/passwd and a user also called 'fred' in AD, delete the user in /etc/passwd. The same goes for groups. Unless you are referring to local system users with an ID of less than 1000 (e.g. sshd), then move them to the range where they belong, 1000 upwards.

I asked what docs you have been following, you never said, but I think it is the outdated ones, try reading here:

https://wiki.samba.org/index.php/Main_Page

and here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File

Rowland

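The two overlaps raised in the message above (an account name that exists both in /etc/passwd and in AD, and local UIDs that fall inside the idmap config range) can be checked with a short script. This is an added example, not part of the original thread; the function names and the account data are made up for illustration.

```shell
#!/bin/sh
# Added example; the account data below is constructed for illustration.

# Print "name:uid" for local accounts whose UID lies inside the idmap range.
# $1 = passwd-format file, $2 = range low, $3 = range high
local_ids_in_range() {
    awk -F: -v lo="$2" -v hi="$3" '
        $3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3 }
    ' "$1"
}

# Print local account names that also exist in the domain. Names are
# compared case-insensitively, as AD account names are.
# $1 = passwd-format file, $2 = file with one domain account name per line
# (on a live member the list could come from `wbinfo -u`, with any
# DOMAIN\ prefix stripped first).
name_collisions() {
    awk -F: '
        NR == FNR { dom[tolower($1)] = 1; next }
        (tolower($1) in dom) { print $1 }
    ' "$2" "$1"
}

# Demo on constructed data: one system account, one local admin, and one
# local user whose name and UID both overlap with the domain.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
localadmin:x:1001:1001::/home/localadmin:/bin/bash
fred:x:4005:4005::/home/fred:/bin/bash
EOF
    printf '%s\n' fred marian > "$dir/domain_users"

    echo "Local UIDs inside 1000-99999 (the range now in smb.conf):"
    local_ids_in_range "$dir/passwd" 1000 99999
    echo "Local UIDs inside 10000-999999 (the commented-out range):"
    local_ids_in_range "$dir/passwd" 10000 999999
    echo "Names present both locally and in the domain:"
    name_collisions "$dir/passwd" "$dir/domain_users"
    rm -rf "$dir"
}
demo
```
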
On 27/11/2019 20:18, Marian Thieme wrote:
> First of all I would like to thank you for your help !
>
> Secondly, I think I got you wrong: My local users are just system
> users. So I don't have to worry about /etc/passwd. No collision to
> expect. And that's why I think I am safe with the range. Actually you
> are right, I should allow for local users that might be created in
> future maybe for administration and "reserve" uids in range like
> 1000-1050. At this point this will be no problem at all.
>
> Regarding the doc: I was referring to the Info Box just below Section:
> "Granting the SeDiskOperatorPrivilege Privilege" on website:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> And I followed the docs you mentioned for setting up the domain member.
> However the initial problem is solved, somehow, because I am able to
> use MMC to initially assign User "everyone". If I understood
> correctly, having assigned user everyone as security group to the
> share, I am then able to maintain perms and ownerships just via folder
> properties after connecting the network share with some admin user
> account to some windows box.
> I am wondering if I have to take care about the errors I mentioned
> while connecting to the samba file server using MMC. Or is it safe to
> ignore it ?
>
> Marian

It is fairly common to get errors using ADUC similar to yours, normally it is possible to click through them and then everything works, if this is your case, just ignore them.

Can I also introduce you to the wonderful world of 'samba-tool', this can do a lot of what ADUC does, but on the Unix command line, just open a terminal on the Samba AD DC and type 'samba-tool --help' for more info.

Rowland

On 27/11/2019 20:38, Marian Thieme wrote:
> On 11/27/19 9:29 PM, Rowland penny via samba wrote:
>> On 27/11/2019 20:18, Marian Thieme wrote:
>>> First of all I would like to thank you for your help !
>>>
>>> Secondly, I think I got you wrong: My local users are just system
>>> users. So I don't have to worry about /etc/passwd. No collision to
>>> expect. And that's why I think I am safe with the range. Actually you
>>> are right, I should allow for local users that might be created in
>>> future maybe for administration and "reserve" uids in range like
>>> 1000-1050. At this point this will be no problem at all.
>>>
>>> Regarding the doc: I was referring to the Info Box just below
>>> Section: "Granting the SeDiskOperatorPrivilege Privilege" on
>>> website:
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>> And I followed the docs you mentioned for setting up the domain member.
>>> However the initial problem is solved, somehow, because I am able to
>>> use MMC to initially assign User "everyone". If I understood
>>> correctly, having assigned user everyone as security group to the
>>> share, I am then able to maintain perms and ownerships just via
>>> folder properties after connecting the network share with some admin
>>> user account to some windows box.
>>> I am wondering if I have to take care about the errors I mentioned
>>> while connecting to the samba file server using MMC. Or is it safe
>>> to ignore it ?
>>>
>>> Marian
>>>
>> It is fairly common to get errors using ADUC similar to yours,
>> normally it is possible to click through them and then everything
>> works, if this is your case, just ignore them.
>>
>> Can I also introduce you to the wonderful world of 'samba-tool', this
>> can do a lot of what ADUC does, but on the Unix command line, just
>> open a terminal on the Samba AD DC and type 'samba-tool --help' for
>> more info.
>>
>> Rowland
>>
> Of course, yes please ! Actually I would prefer doing it based on
> linux console alone.
>
> Since the topic w.r.t. share configuration is somewhat new to me I
> am following the, let's say, documented way. Also I looked around in the
> web and I found this post:
> https://serverfault.com/questions/875298/change-windows-acls-of-smb-samba-shares-directly-in-linux
> My impression in the end has been: seems to be even more difficult. A
> how-to for the basic setup would be great. Or do we have any ?
>
> Marian

Yes, you could do it that way, actually running the command is easy, it is creating the sddl that is the hard part ;-)

Easiest way at the moment is to set the permissions from Windows.

Rowland