Thanks, I will give that a try.

But I need the 'winbind separator = +'. We use some expensive commercial software (e.g. ANSYS, ABAQUS, ...), which uses shell scripts to start their software under Linux. These scripts are not able to handle a backslash in the user name. The only solution was to switch to a "+" character. We reported these issues two years ago.

Regards,
Andreas

On 10.03.20 at 10:23, Rowland penny via samba wrote:
> On 10/03/2020 08:03, Andreas Hauffe via samba wrote:
>> We have a kerberized NFS4 running on that machine, too.
> I do hope that you are not resharing the NFS share(s) via Samba, that
> way lies madness ;-)
>
> Try this smb.conf:
>
> [global]
>         workgroup = SUBDOM
>         realm = SUBDOM.DOM.EXAMPLE.COM
>         security = ADS
>
>         bind interfaces only = Yes
>         interfaces = lo enp1s0f0
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         winbind refresh tickets = Yes
>         idmap config SUBDOM : range = 3000-9999
>         idmap config SUBDOM : backend = rid
>         idmap config * : range = 2000-2999
>         idmap config * : backend = tdb
>         template homedir = /home/users/linux/%U
>         template shell = /bin/bash
>         map acl inherit = Yes
>         vfs objects = acl_xattr
>         smb encrypt = desired
>
>         recycle:exclude_dir = tmp | temp | cache
>         recycle:exclude = *.TMP | *.tmp | ~$*.doc
>         recycle:noversions = *.ini | *.dat
>         recycle:versions = Yes
>         recycle:maxsize = 536870912
>         recycle:touch = Yes
>         recycle:keeptree = Yes
>         recycle:directory_mode = 0700
>         recycle:repository = %H/.Papierkorb/%S
>
> [share1]
>         comment = Share 1
>         create mask = 0740
>         directory mask = 0750
>         force create mode = 0660
>         force directory mode = 0660
>         force group = SUBDOM\worker
>         inherit permissions = Yes
>         path = PATHNAME
>         read only = No
>         root preexec = /bin/MK_PAPIERKORB %H "%u" %h %S
>         valid users = SUBDOM\worker
>         vfs objects = acl_xattr recycle crossrename
>
> [share2]
>         comment = Share 2
>         inherit acls = Yes
>         path = PATHNAME
>         read only = No
>         valid users = SUBDOM\worker SUBDOM\user
>         acl_xattr:ignore system acls = yes
>
> [share3]
>         comment = Share 3
>         create mask = 0660
>         directory mask = 0770
>         force create mode = 0660
>         force directory mode = 0770
>         force group = SUBDOM\group2
>         path = PATHNAME
>         read only = No
>         root preexec = /bin/MK_PAPIERKORB %H "%u" %h %S
>         valid users = SUBDOM\group2
>         vfs objects = acl_xattr recycle crossrename
>
> [share4]
>         comment = Share 4
>         path = PATHNAME
>         valid users = SUBDOM\group2 SUBDOM\group3 SUBDOM\group4
>
> You will notice a few things:
>
> 'dom' has gone, whilst allowing it as a trusted domain, you were not
> allowing the 'dom' users to actually do anything.
>
> 'winbind separator = +' has gone, there is no real point to it and
> 'testparm' throws a warning.
>
> As you are using the same recycle lines, you only need to set them
> once in [global] and set the recycle vfs in the required shares.
>
> I would also check that /etc/krb5.keytab contains all the required keys.
>
> Rowland
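An added check for the idmap part of the smb.conf quoted above (example code written for this page, not from the thread or from Samba): it parses the 'idmap config ... : range' lines, verifies that the per-domain ranges do not overlap, and applies the idmap_rid mapping rule (ID = RID + low end of the range) to show which uid a given RID would get and whether it fits the range. The sample config is constructed inline from the quoted settings; the RID values 1104 and 8000 are made-up inputs.

```shell
#!/bin/sh
# Added example, not from the thread: check the idmap ranges of an smb.conf
# and apply the idmap_rid mapping rule (ID = RID + LOW_RANGE_ID).

# Constructed sample: the idmap lines from the smb.conf quoted above.
SAMPLE_SMBCONF='[global]
        workgroup = SUBDOM
        idmap config SUBDOM : range = 3000-9999
        idmap config SUBDOM : backend = rid
        idmap config * : range = 2000-2999
        idmap config * : backend = tdb
'

# Print "domain low high" for every "idmap config DOM : range = L-H" line.
idmap_ranges() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*idmap config[[:space:]]*\([^:]*[^: ]\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2 \3/p'
}

# Succeed only if no two ranges overlap; print the offending pair otherwise.
# Overlapping ranges make uid/gid assignment ambiguous between domains.
idmap_ranges_disjoint() {
    idmap_ranges "$1" | sort -k2,2n | awk '
        NR > 1 && $2 <= hi { printf "overlap: %s %d-%d vs %s %d-%d\n", dom, lo, hi, $1, $2, $3; bad = 1 }
        { dom = $1; lo = $2; hi = $3 }
        END { exit (bad ? 1 : 0) }'
}

# rid_to_id CONFIG DOMAIN RID: print the uid/gid the rid backend assigns
# (assumes DOMAIN uses backend = rid), fail with status 1 when the RID falls
# outside the configured range, and with status 2 when the domain has no
# range at all.
rid_to_id() {
    set -- "$(idmap_ranges "$1" | awk -v d="$2" '$1 == d { print $2, $3 }')" "$3"
    [ -n "$1" ] || return 2
    low=${1% *}
    high=${1#* }
    id=$((low + $2))
    [ "$id" -le "$high" ] || return 1
    echo "$id"
}

# Stand-alone run: check the sample and map two constructed RIDs.
idmap_ranges_disjoint "$SAMPLE_SMBCONF" && echo "ranges ok"
rid_to_id "$SAMPLE_SMBCONF" SUBDOM 1104            # 4104
rid_to_id "$SAMPLE_SMBCONF" SUBDOM 8000 || echo "RID 8000 does not fit in 3000-9999"
```

With the quoted ranges, SUBDOM can only represent RIDs up to 6999 (9999 - 3000); a domain whose RIDs grow beyond that needs a wider SUBDOM range, kept disjoint from the '*' range.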
On 10/03/2020 11:54, Andreas Hauffe via samba wrote:
> Thanks, I will give that a try.
>
> But I need the 'winbind separator = +'. We use some expensive
> commercial software (e.g. ANSYS, ABAQUS, ...), which uses shell
> scripts to start their software under Linux. These scripts are not
> able to handle a backslash in the user name. The only solution was to
> switch to a "+" character. We reported these issues two years ago.

Who did you report this problem to?

If it was Samba, then I don't think this will get fixed, because there isn't anything to fix.

If you reported it to your 'expensive commercial software' then bug them again (and again and again.... until they fix their broken software)

There may be another way around this, add: 'winbind use default domain = yes' and then remove any 'SUBDOM\' from the smb.conf. This will change 'SUBDOM\username' to 'username' (same goes for groups), would this work with your software? (note, you can only do this with one DOMAIN in smb.conf).

Rowland
We reported this bug to the expensive commercial software enterprises :-). I know, it is not a Samba problem.

I think your workaround is not possible in our case, since we (all clients) live in the SUBDOM and most users are from DOM. So we would need to set the default domain to a different domain, which is not possible as far as I know.

Regards,
Andreas

On 10.03.20 at 13:17, Rowland penny via samba wrote:
> On 10/03/2020 11:54, Andreas Hauffe via samba wrote:
>> Thanks, I will give that a try.
>>
>> But I need the 'winbind separator = +'. We use some expensive
>> commercial software (e.g. ANSYS, ABAQUS, ...), which uses shell
>> scripts to start their software under Linux. These scripts are not
>> able to handle a backslash in the user name. The only solution was to
>> switch to a "+" character. We reported these issues two years ago.
>
> Who did you report this problem to?
>
> If it was Samba, then I don't think this will get fixed, because there
> isn't anything to fix.
>
> If you reported it to your 'expensive commercial software' then bug
> them again (and again and again.... until they fix their broken software)
>
> There may be another way around this, add: 'winbind use default domain
> = yes' and then remove any 'SUBDOM\' from the smb.conf. This will
> change 'SUBDOM\username' to 'username' (same goes for groups), would
> this work with your software? (note, you can only do this with one
> DOMAIN in smb.conf).
>
> Rowland