The output is:
getent group 'domain admins'
Copying without understanding what it does is not smart, I know. But sometimes
you will understand it later. And atm I am using a test setup.
Here is all the info you need:
Main AD:
Collected config --- 2020-09-05-18:16 -----------
Hostname: gaia
DNS Domain: rompen.local
FQDN: gaia.rompen.local
ipaddress: 192.168.88.2
-----------
Kerberos SRV _kerberos._tcp.rompen.local record verified ok, sample output:
Server: 192.168.88.2
Address: 192.168.88.2#53
_kerberos._tcp.rompen.local service = 0 100 88 gaia.rompen.local.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
-----------
This computer is running Debian 10.4 armv7l
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:27:eb:7f:ad:98 brd ff:ff:ff:ff:ff:ff
inet 192.168.88.2/24 brd 192.168.88.255 scope global dynamic noprefixroute eth0
valid_lft 568sec preferred_lft 493sec
inet6 fe80::bbbd:eb9b:bce9:b088/64 scope link
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b8:27:eb:2a:f8:cd brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 gaia.rompen.local gaia
-----------
Checking file: /etc/resolv.conf
# Generated by resolvconf
search rompen.local
nameserver 192.168.88.2
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = ROMPEN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files
group: files
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = GAIA
realm = ROMPEN.LOCAL
server role = active directory domain controller
workgroup = ROMPEN
idmap_ldb:use rfc2307 = yes
wins support = yes
[netlogon]
path = /var/lib/samba/sysvol/rompen.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii attr 1:2.4.48-4 armhf
utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3 all
internationalization support for MIT Kerberos
ii krb5-user 1.17-3 armhf
basic programs to authenticate using MIT Kerberos
ii libacl1:armhf 2.2.53-4 armhf
access control list - shared library
ii libattr1:armhf 1:2.4.48-4 armhf
extended attribute handling - shared library
ii libgssapi-krb5-2:armhf 1.17-3 armhf
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:armhf 1.17-3 armhf
MIT Kerberos runtime libraries
ii libkrb5support0:armhf 1.17-3 armhf
MIT Kerberos runtime libraries - Support library
ii libnss-winbind:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba nameservice integration plugins
ii libpam-winbind:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Windows domain authentication integration plugin
ii libsmbclient:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
shared library for communication with SMB/CIFS servers
ii libwbclient0:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba winbind client library
ii python-samba 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1+rpi1 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba common files used by both the server and the client
ii samba-dsdb-modules:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba Directory Services Database
ii samba-libs:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba core libraries
ii samba-testsuite 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
test suite from Samba
ii samba-vfs-modules:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba Virtual FileSystem plugins
ii smbclient 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
command-line SMB/CIFS clients for Unix
ii winbind 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
service to resolve user and group information from Windows NT servers
Member server:
Collected config --- 2020-09-05-18:15 -----------
Hostname: dna
DNS Domain: rompen.local
FQDN: dna.rompen.local
ipaddress: 192.168.88.3
-----------
Kerberos SRV _kerberos._tcp.rompen.local record verified ok, sample output:
Server: 192.168.88.2
Address: 192.168.88.2#53
_kerberos._tcp.rompen.local service = 0 100 88 gaia.rompen.local.
Samba is running as a Unix domain member
-----------
Checking file: /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
-----------
This computer is running Debian 10.4 armv7l
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:27:eb:97:db:d8 brd ff:ff:ff:ff:ff:ff
inet 192.168.88.3/24 brd 192.168.88.255 scope global dynamic noprefixroute eth0
valid_lft 562sec preferred_lft 487sec
inet6 fe80::e85c:b84c:8f64:eb20/64 scope link
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b8:27:eb:c2:8e:8d brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
192.168.88.3 dna.rompen.local dna
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# Generated by resolvconf
domain rompen.local
nameserver 192.168.88.2
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = ROMPEN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind
group: files winbind
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
[global]
netbios name = DNA
workgroup = ROMPEN
security = ADS
realm = ROMPEN.LOCAL
encrypt passwords = yes
acl allow execute always = yes
idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config ROMPEN:backend = rid
#idmap config ROMPEN:schema_mode = rfc2307
idmap config ROMPEN:range = 10000-40000
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
username map = /etc/samba/user.map
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
username map = /etc/samba/user.map
admin users = administrator
[share]
path = /nas
read only = no
inherit acls = yes
[users]
path = /usr/home
comment = a comment
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = @"ROMPEN+Domain Users" <-- define your ADS groups
admin users = @"ROMPEN+Domain Admins" <-- define your ads groups with admin rights
-----------
Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
Checking file: /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-----------
Installed packages:
ii acl 2.2.53-4 armhf
access control list - utilities
ii attr 1:2.4.48-4 armhf
utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-user 1.17-3 armhf
basic programs to authenticate using MIT Kerberos
ii libacl1:armhf 2.2.53-4 armhf
access control list - shared library
ii libattr1:armhf 1:2.4.48-4 armhf
extended attribute handling - shared library
ii libgssapi-krb5-2:armhf 1.17-3 armhf
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:armhf 1.17-3 armhf
MIT Kerberos runtime libraries
ii libkrb5support0:armhf 1.17-3 armhf
MIT Kerberos runtime libraries - Support library
ii libnfsidmap2:armhf 0.25-5.1 armhf
NFS idmapping library
ii libnss-winbind:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba nameservice integration plugins
ii libpam-winbind:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Windows domain authentication integration plugin
ii libwbclient0:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba winbind client library
ii nfs-common 1:1.3.4-2.5+deb10u1 armhf
NFS support files common to client and server
ii python-samba 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1+rpi1 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba common files used by both the server and the client
ii samba-dsdb-modules:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba Directory Services Database
ii samba-libs:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba core libraries
ii samba-vfs-modules:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba Virtual FileSystem plugins
ii winbind 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
service to resolve user and group information from Windows NT servers
-----------
Philip
> On 4 Sep 2020, at 19:23, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> getent group 'domain admins'
Sorry my mistake. The output is domain admins:x:70009:

> On 5 Sep 2020, at 18:21, Philip Offermans <mail at philipoffermans.nl> wrote:
On 05/09/2020 17:21, Philip Offermans wrote:
> The output is:
> getent group 'domain admins'
>

OK, try using this smb.conf:

[global]
    workgroup = ROMPEN
    security = ADS
    realm = ROMPEN.LOCAL

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind use default domain = yes
    winbind expand groups = 2
    winbind refresh tickets = Yes
    dns proxy = no

    idmap config *:backend = tdb
    idmap config *:range = 3000-7999
    idmap config ROMPEN:backend = rid
    idmap config ROMPEN:range = 10000-40000

    template shell = /bin/bash
    template homedir = /home/%U

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    acl allow execute always = yes

[share]
    path = /nas
    read only = no
    inherit acls = yes

[users]
    path = /usr/home
    comment = users share
    read only = no
    inherit acls = yes
    inherit permissions = yes
    create mask = 700
    directory mask = 700
    valid users = @"ROMPEN\Domain Users"
    admin users = @"ROMPEN\Domain Admins"

Create /etc/samba/user.map (it doesn't seem to exist) containing this:

!root = ROMPEN\Administrator

Restart Samba

Rowland
Hai,

Not that it's wrong what Rowland made you change (AD to RID backend). But this "should" simply not be needed.

The only/mostly thing(s) people do wrong with AD backends is the order in which it all is set up. Currently this is due to 2 things:
1) "in my opinion" a missing part in samba(-tool)
2) The missing part in samba(-tool)
Let's hope this will enter samba in 4.13 then.

If you use the AD backend, the order is most important when you set up shares and set rights.

# This is a must to set as first.
samba-tool group addunixattrs "Domain Users" 10001

# These are optional, but this is how I use it.
# (WARNING !!! my setup is not exactly like the WIKI, both work !!)
samba-tool group addunixattrs "Domain Admins" 10000
samba-tool group addunixattrs "Domain Guests" 10002

username map = /etc/samba/user.map
In here you put: BUILTIN\Administrators
And you can happily use GID for Domain Admins.

Windows defaults are: Domain Admins is member of BUILTIN\Administrators.
Now this is out of scope with the Samba Wiki, but this is how I run my setup.
All my SePrivileges set are based on "BUILTIN\Administrators".
So, !root = BUILTIN\Administrators is what I use.

And then you add the UID to the users.
samba-tool user addunixattrs username UID
samba-tool user addunixattrs someusers 10001
samba-tool user addunixattrs Administrator 10000

Yes, again I use UID on Administrator (against Wiki setup recommendations), because this "DOM\Administrator is not BUILTIN\Administrator" and BUILTIN\Administrator is equal to root.

You pick your poison.. You can't mix the 2 setups, because if you mix it, root and Dom\Administrator will conflict. Either you pick my setup, or you follow the Wiki setup. Wiki setup: DON'T SET UP ANY UID/GID on DOM\Administrator or "Domain admins".

So, the biggest problem here with only the UID/GIDs is: you need to keep track of these numbers.. Which is pretty lame, because it can easily be done within the AD. Only because of this above, and only because of that, I use a Windows 7 PC for administering samba, because ADUC does count the UID/GIDs for you.

Now, the key here is .. ! In this order !
1) add a GID on "domain users".
2) add GIDs on all groups you need on the file systems (that's the minimal requirement). Do this BEFORE you set rights or change shares.
3) add UIDs to all users, simply a must. It's advised to keep "Domain Users" as primary group.
3a) Use security groups to allow/deny access, if you followed "domain users" is primary group.
3b) Use the security groups you set as primary group.
Both have their own advantages and flaws..
5) Now you can add the needed stuff. Like set the profile path to "\\hostname.internal.example.com\profiles\%username%". Like set the HomeFolder (Driveletter: ) to "\\hostname.internal.example.com\users\%username%".

Use : getfacl
DON'T use : chmod/chown, it kills your ACLs.

Per example, if you set a right and you have backend AD on the member, and you didn't add the GID to the group when you're using and setting ACLs: use getfacl and look at the output, the group you want is not shown. Add the GID you want, is not shown also. Now add the GID BEFORE you set the rights, and.. the group GID/name you want IS shown. This all has to do with when info is looked up and when ACLs on the filesystem are saved.

@above is also thanks to Bob Wooden being very patient to find some parts in my setup where people often fail. I gave way more insight, when and why parts are going wrong.

I hope above helps people.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Saturday 5 September 2020 19:07
> To: Philip Offermans
> CC: sambalist
> Subject: Re: [Samba] Acls
On 07/09/2020 10:11, L.P.H. van Belle via samba wrote:
> Hai,
>
> Not that it's wrong what Rowland made you change (AD to RID backend).
> But this "should" simply not be needed.
>
The big mistake that users make is to think that the IDs produced on a DC are uidNumbers or gidNumbers and that they can then use the 'ad' backend on Unix domain members. This is what appears to be the problem in this thread, so it was easier to change the OP to 'rid'. This proved that there was a connection to the domain and will work; if the OP now wants to use the 'ad' backend he can do. It just means adding RFC2307 attributes to AD, altering smb.conf to the 'ad' backend and restarting Samba on the Unix domain member.
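As an added example (not code from this thread or from Samba), a small Python checker that parses a Unix domain member's smb.conf and reports the points the thread turns on: an 'ad' idmap backend configured while AD carries no RFC2307 uidNumber/gidNumber attributes (Rowland's point above), idmap ranges that overlap or a missing default range, keys set twice in [global] as in the member server's smb.conf, and group entries in valid users/admin users whose domain separator is not the winbind separator (ROMPEN+Domain Users against Rowland's ROMPEN\Domain Users). The two sample configs are constructed, modelled on those two smb.conf files, and have_rfc2307 is an assumed flag the caller sets from what is actually present in AD.

```python
import re

def parse_smb_conf(text):
    """Parse smb.conf text into {section: [(key, value), ...]}, keeping duplicates."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def check_idmap(glob, have_rfc2307=False):
    """Findings about 'idmap config' lines; have_rfc2307 says whether AD really
    carries uidNumber/gidNumber (the 'ad' backend needs them, and a DC's own
    idmap.ldb allocations are not such attributes, Rowland's point above)."""
    findings, cfg = [], {}
    for key, value in glob:
        m = re.match(r"idmap config (\S+)\s*:\s*(\S+)$", key)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    if "range" not in cfg.get("*", {}):
        findings.append("no 'idmap config *:range' for the default domain")
    ranges = []
    for dom, opts in cfg.items():
        if "backend" not in opts or "range" not in opts:
            findings.append(f"idmap config for {dom} needs both backend and range")
            continue
        if opts["backend"] == "ad" and not have_rfc2307:
            findings.append(f"{dom}: 'ad' backend but no RFC2307 uidNumber/gidNumber in AD")
        lo, _, hi = opts["range"].partition("-")
        ranges.append((dom, int(lo), int(hi)))
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # ID ranges must never intersect
                findings.append(f"idmap ranges of {d1} and {d2} overlap")
    return findings

def check_duplicate_keys(glob):
    """Keys set more than once in [global]; the last occurrence silently wins."""
    keys = [k for k, _ in glob]
    return sorted({k for k in keys if keys.count(k) > 1}, key=keys.index)

def check_group_separator(sections):
    """Entries like @"ROMPEN+Domain Users" must use the configured 'winbind separator'."""
    sep = dict(sections.get("global", [])).get("winbind separator", "\\")
    token = re.compile(r'@"?([A-Za-z0-9_.-]+)([^A-Za-z0-9_.\s"-])')
    findings = []
    for name, entries in sections.items():
        for key, value in entries:
            if key in ("valid users", "admin users", "write list", "read list"):
                for dom, used in token.findall(value):
                    if used != sep:
                        findings.append(f"[{name}] {key}: '{dom}{used}' is not separator '{sep}'")
    return findings

def check_member_conf(text, have_rfc2307=False):
    """Run every check over one smb.conf text and return the list of findings."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", [])
    dups = [f"[global] '{k}' is set more than once" for k in check_duplicate_keys(glob)]
    return check_idmap(glob, have_rfc2307) + dups + check_group_separator(sections)

# Constructed samples: BEFORE is modelled on the member server's smb.conf in the
# thread (with the 'ad' backend it started out with), AFTER on Rowland's version.
MEMBER_CONF_BEFORE = r"""
[global]
    idmap config *:backend = tdb
    idmap config *:range = 3000-7999
    idmap config ROMPEN:backend = ad
    idmap config ROMPEN:range = 10000-40000
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
[users]
    valid users = @"ROMPEN+Domain Users"
    admin users = @"ROMPEN+Domain Admins"
"""

MEMBER_CONF_AFTER = r"""
[global]
    idmap config *:backend = tdb
    idmap config *:range = 3000-7999
    idmap config ROMPEN:backend = rid
    idmap config ROMPEN:range = 10000-40000
[users]
    valid users = @"ROMPEN\Domain Users"
    admin users = @"ROMPEN\Domain Admins"
"""
```

Running check_member_conf(MEMBER_CONF_BEFORE) yields four findings and check_member_conf(MEMBER_CONF_AFTER) none; pass have_rfc2307=True once uidNumber/gidNumber really exist in AD and the 'ad' finding goes away.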
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Monday 7 September 2020 11:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] Acls
>
> The big mistake that users make is to think that the IDs produced on a DC are uidNumbers or gidNumbers and that they can then use the 'ad' backend on Unix domain members.

Yes, that's a good point also.. The "confusion between AD and member setups" :-)

And, it's not that the wiki isn't good, the wiki is great. It's just missing the "howto setup with AD-backends in the right order".

Greetz,

Louis