I messed up on my reply yesterday.

On 17/07/2020 21:05, Rowland penny via samba wrote:
>
> On 17/07/2020 19:57, Nick Howitt via samba wrote:
>> Hi,
>> I have a ClearOS 7.8 system which is running
>> samba-4.10.4-11.el7_8.x86_64, and it upgraded to this just over a
>> week ago (probably not relevant). A couple of days ago all the group
>> shares failed. I discovered that if I switched them to the built-in
>> group "allusers" the share worked fine. It fails for any user-defined
>> group but it used to work. Samba is running as a PDC and the configs,
>> including one share are:
>>
>> If I change the valid users to the "allusers" group and change the
>> folder permissions, it works fine.
>>
>>    [root at server ~]# wbinfo --group-info='allusers'
>>    allusers:x:63000:
>
> Interesting, you have: idmap config * : range = 20000000-29999999
>
> So where is '63000' coming from ?
>

No idea. This is how the O/S is provided and it was probably designed when John Terpstra was helping out.

>>
>>    Jul 16 04:34:28 server winbindd[21471]: [2020/07/16
>>    04:34:28.069299,  0]
>>    ../../source3/winbindd/idmap_ldap.c:85(get_credentials)
>>    Jul 16 04:34:28 server winbindd[21471]:  get_credentials: Unable to
>>    fetch auth credentials for cn=manager,ou=Internal,dc=sha,dc=lan in *
>>
>> I have tried clearing the winbindd_cache.tdb and gencache.tdb but am
>> wary of clearing anything else without instruction.
>
> Have you run these commands :
>
> smbpasswd -w <ldap password>
> net idmap set secret '*' <ldap password>

Yes and it does not make any difference. How do I proceed with debugging?

>
> ClearOS is in for an interesting time when they upgrade to version 8,
> no Openldap or smbldap-tools, or to put it another way, can I suggest
> you jump distro and upgrade to AD.
>

The devs are aware and I am not sure which way they will take the product. Personally I really want to have AD DC compatibility and think it would be good for business, but it may be onerous for small installations and non-Windows environments.

Nick

Bump, please.

On 18/07/2020 08:41, Nick Howitt via samba wrote:
> I messed up on my reply yesterday.

On 20/07/2020 10:37, Nick Howitt via samba wrote:
> Bump, please.

I have reviewed all the posts in this thread and I 'think' I know what is going on and it also answers a question I asked.

You have in your smb.conf:

unix password sync = Yes

This possibly means that you have a group in /etc/group called allusers with the ID of 63000

I would replace the line with:

ldap password sync = yes

Do you have libnss-ldap installed ?

What are the 'passwd' and 'group' lines in /etc/nsswitch.conf ?

Rowland
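
The check that the questions in this thread point at, as an added example that is not part of the original messages: it compares the GID printed by wbinfo with the idmap range in smb.conf, then reports whether the group is also defined in /etc/group and which sources nsswitch.conf lists for groups. The smb.conf lines and the wbinfo output are the values quoted in the thread; the /etc/group and nsswitch.conf contents and all function names are assumptions made for illustration.

```python
import re

# Constructed sample inputs. The smb.conf lines and the wbinfo output are the
# values quoted in the thread; /etc/group and nsswitch.conf are hypothetical.
SMB_CONF = "[global]\n  idmap config * : range = 20000000-29999999\n  unix password sync = Yes\n"
WBINFO_LINE = "allusers:x:63000:"
ETC_GROUP = "root:x:0:\n+:::\nallusers:x:63000:\n"
NSSWITCH = "passwd: files ldap\ngroup:  files ldap  # constructed\n"

RANGE_RE = re.compile(
    r"^[ \t]*idmap config[ \t]+(\S+)[ \t]*:[ \t]*range[ \t]*=[ \t]*(\d+)[ \t]*-[ \t]*(\d+)",
    re.I | re.M)

def idmap_ranges(smb_conf):
    """Return {domain: (low, high)} for each 'idmap config X : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(smb_conf)}

def local_group_gid(etc_group, name):
    """GID of `name` in group(5)-format text, or None if it is not defined."""
    for line in etc_group.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[0] == name and f[2].isdigit():
            return int(f[2])
    return None

def nss_sources(nsswitch, database):
    """Sources listed for one nsswitch.conf database, e.g. 'group'."""
    for line in nsswitch.splitlines():
        key, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and key.strip() == database:
            return rest.split()
    return []

def diagnose(group_line, smb_conf, etc_group, nsswitch):
    """Explain where the GID in a wbinfo/getent group line can come from."""
    name, _pw, gid = group_line.strip().split(":")[:3]
    gid = int(gid)
    # A GID outside every idmap range was not allocated by winbind's idmap.
    covering = [d for d, (lo, hi) in idmap_ranges(smb_conf).items() if lo <= gid <= hi]
    return {"group": name, "gid": gid,
            "idmap_domains_covering_gid": covering,
            "in_local_group_file": local_group_gid(etc_group, name) == gid,
            "group_nss_sources": nss_sources(nsswitch, "group")}

if __name__ == "__main__":
    print(diagnose(WBINFO_LINE, SMB_CONF, ETC_GROUP, NSSWITCH))
```

On a live host the four inputs would be the real smb.conf, the wbinfo output, /etc/group and /etc/nsswitch.conf in place of the constructed strings.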