The output is:
getent group 'domain admins'

Copying without understanding what it does is not smart, I know. But sometimes you will understand it later. And atm I am using a test setup.

Here is all the info you need:

Main AD:
Collected config --- 2020-09-05-18:16 -----------

Hostname: gaia
DNS Domain: rompen.local
FQDN: gaia.rompen.local
ipaddress: 192.168.88.2

-----------

Kerberos SRV _kerberos._tcp.rompen.local record verified ok, sample output:
Server: 192.168.88.2
Address: 192.168.88.2#53

_kerberos._tcp.rompen.local service = 0 100 88 gaia.rompen.local.
Samba is running as an AD DC

-----------
Checking file: /etc/os-release

PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

-----------

This computer is running Debian 10.4 armv7l

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:7f:ad:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.2/24 brd 192.168.88.255 scope global dynamic noprefixroute eth0
       valid_lft 568sec preferred_lft 493sec
    inet6 fe80::bbbd:eb9b:bce9:b088/64 scope link
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether b8:27:eb:2a:f8:cd brd ff:ff:ff:ff:ff:ff

-----------
Checking file: /etc/hosts

127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

127.0.1.1 gaia.rompen.local gaia

-----------

Checking file: /etc/resolv.conf

# Generated by resolvconf
search rompen.local
nameserver 192.168.88.2

-----------

Checking file: /etc/krb5.conf

[libdefaults]
default_realm = ROMPEN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files
group: files
shadow: files
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

-----------

Checking file: /etc/samba/smb.conf

# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = GAIA
realm = ROMPEN.LOCAL
server role = active directory domain controller
workgroup = ROMPEN
idmap_ldb:use rfc2307 = yes
wins support = yes

[netlogon]
path = /var/lib/samba/sysvol/rompen.local/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

-----------

BIND_DLZ not detected in smb.conf

-----------

Installed packages:
ii attr 1:2.4.48-4 armhf utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3 all internationalization support for MIT Kerberos
ii krb5-user 1.17-3 armhf basic programs to authenticate using MIT Kerberos
ii libacl1:armhf 2.2.53-4 armhf access control list - shared library
ii libattr1:armhf 1:2.4.48-4 armhf extended attribute handling - shared library
ii libgssapi-krb5-2:armhf 1.17-3 armhf MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:armhf 1.17-3 armhf MIT Kerberos runtime libraries
ii libkrb5support0:armhf 1.17-3 armhf MIT Kerberos runtime libraries - Support library
ii libnss-winbind:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Samba nameservice integration plugins
ii libpam-winbind:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Windows domain authentication integration plugin
ii libsmbclient:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf shared library for communication with SMB/CIFS servers
ii libwbclient0:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Samba winbind client library
ii python-samba 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1+rpi1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Samba common files used by both the server and the client
ii samba-dsdb-modules:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Samba Directory Services Database
ii samba-libs:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Samba core libraries
ii samba-testsuite 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf test suite from Samba
ii samba-vfs-modules:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Samba Virtual FileSystem plugins
ii smbclient 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf command-line SMB/CIFS clients for Unix
ii winbind 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf service to resolve user and group information from Windows NT servers


Member server:

Collected config --- 2020-09-05-18:15 -----------

Hostname: dna
DNS Domain: rompen.local
FQDN: dna.rompen.local
ipaddress: 192.168.88.3

-----------

Kerberos SRV _kerberos._tcp.rompen.local record verified ok, sample output:
Server: 192.168.88.2
Address: 192.168.88.2#53

_kerberos._tcp.rompen.local service = 0 100 88 gaia.rompen.local.
Samba is running as a Unix domain member

-----------
Checking file: /etc/os-release

PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

-----------

This computer is running Debian 10.4 armv7l

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:97:db:d8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.3/24 brd 192.168.88.255 scope global dynamic noprefixroute eth0
       valid_lft 562sec preferred_lft 487sec
    inet6 fe80::e85c:b84c:8f64:eb20/64 scope link
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether b8:27:eb:c2:8e:8d brd ff:ff:ff:ff:ff:ff

-----------
Checking file: /etc/hosts

192.168.88.3 dna.rompen.local dna
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

Checking file: /etc/resolv.conf

# Generated by resolvconf
domain rompen.local
nameserver 192.168.88.2

-----------

Checking file: /etc/krb5.conf

[libdefaults]
default_realm = ROMPEN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files winbind
group: files winbind
shadow: files
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

-----------

Checking file: /etc/samba/smb.conf

[global]
netbios name = DNA
workgroup = ROMPEN
security = ADS
realm = ROMPEN.LOCAL
encrypt passwords = yes

acl allow execute always = yes

idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config ROMPEN:backend = rid
#idmap config ROMPEN:schema_mode = rfc2307
idmap config ROMPEN:range = 10000-40000

winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

winbind use default domain = yes

winbind enum users = yes
winbind enum groups = yes

username map = /etc/samba/user.map
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

username map = /etc/samba/user.map

admin users = administrator
[share]
path = /nas
read only = no
inherit acls = yes

[users]
path = /usr/home
comment = a comment
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = @"ROMPEN+Domain Users" <-- define your ADS groups
admin users = @"ROMPEN+Domain Admins" <-- define your ads groups with admin rights

-----------

Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
Checking file: /etc/idmapd.conf

[General]

Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

-----------

Installed packages:
ii acl 2.2.53-4 armhf access control list - utilities
ii attr 1:2.4.48-4 armhf utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-user 1.17-3 armhf basic programs to authenticate using MIT Kerberos
ii libacl1:armhf 2.2.53-4 armhf access control list - shared library
ii libattr1:armhf 1:2.4.48-4 armhf extended attribute handling - shared library
ii libgssapi-krb5-2:armhf 1.17-3 armhf MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:armhf 1.17-3 armhf MIT Kerberos runtime libraries
ii libkrb5support0:armhf 1.17-3 armhf MIT Kerberos runtime libraries - Support library
ii libnfsidmap2:armhf 0.25-5.1 armhf NFS idmapping library
ii libnss-winbind:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Samba nameservice integration plugins
ii libpam-winbind:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Windows domain authentication integration plugin
ii libwbclient0:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Samba winbind client library
ii nfs-common 1:1.3.4-2.5+deb10u1 armhf NFS support files common to client and server
ii python-samba 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1+rpi1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Samba common files used by both the server and the client
ii samba-dsdb-modules:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Samba Directory Services Database
ii samba-libs:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Samba core libraries
ii samba-vfs-modules:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf Samba Virtual FileSystem plugins
ii winbind 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf service to resolve user and group information from Windows NT servers

-----------

Philip

> On 4 Sep 2020, at 19:23, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> getent group 'domain admins'
Sorry my mistake. The output is:
domain admins:x:70009:

> On 5 Sep 2020, at 18:21, Philip Offermans <mail at philipoffermans.nl> wrote:
>
> [...]
>
>> On 4 Sep 2020, at 19:23, Rowland penny via samba <samba at lists.samba.org> wrote:
>>
>> getent group 'domain admins'
On 05/09/2020 17:21, Philip Offermans wrote:
> The output is:
> getent group 'domain admins'
>
OK, try using this smb.conf:

[global]
   workgroup = ROMPEN
   security = ADS
   realm = ROMPEN.LOCAL

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   winbind use default domain = yes
   winbind expand groups = 2
   winbind refresh tickets = Yes
   dns proxy = no

   idmap config *:backend = tdb
   idmap config *:range = 3000-7999
   idmap config ROMPEN:backend = rid
   idmap config ROMPEN:range = 10000-40000

   template shell = /bin/bash
   template homedir = /home/%U

   # user Administrator workaround, without it you are unable to set privileges
   username map = /etc/samba/user.map

   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
   acl allow execute always = yes

[share]
   path = /nas
   read only = no
   inherit acls = yes

[users]
   path = /usr/home
   comment = users share
   read only = no
   inherit acls = yes
   inherit permissions = yes
   create mask = 700
   directory mask = 700
   valid users = @"ROMPEN\Domain Users"
   admin users = @"ROMPEN\Domain Admins"

Create /etc/samba/user.map (it doesn't seem to exist) containing this:

!root = ROMPEN\Administrator

Restart Samba

Rowland
Hai,

Not that it's wrong what Rowland made you change (AD to RID backend).
But this "should" simply not be needed.

The only/mostly thing(s) people do wrong with AD backends is the order in which it is all set up.
Currently this is due to 2 things:
1) "in my opinion" a missing part in samba(-tool)
2) The missing part in samba(-tool)
Let's hope this will enter samba in 4.13 then.

If you use the AD backend, the order is most important when you set up shares and set rights.

# This is a must to set first.
samba-tool group addunixattrs "Domain Users" 10001

# These are optional, but this is how I use it.
# (WARNING !!! my setup is not exactly like the WIKI, both work !!)
samba-tool group addunixattrs "Domain Admins" 10000
samba-tool group addunixattrs "Domain Guests" 10002

username map = /etc/samba/user.map
In here you put: BUILTIN\Administrators
And you can happily use a GID for Domain Admins.

Windows defaults are: Domain Admins is a member of BUILTIN\Administrators

Now this is out of scope with the Samba Wiki, but this is how I run my setup.
All my SePrivileges set are based on "BUILTIN\Administrators"
So,
!root = BUILTIN\Administrators
is what I use.

And then you add the UID to the users.
samba-tool user addunixattrs username UID
samba-tool user addunixattrs someuser 10001
samba-tool user addunixattrs Administrator 10000

Yes, again I use a UID on Administrator (against the Wiki setup recommendations),
because this "DOM\Administrator is not BUILTIN\Administrator" and BUILTIN\Administrator is equal to root.
You pick your poison..
You can't mix the 2 setups. Because if you mix it, root and Dom\Administrator will conflict.
Either you pick my setup, or you follow the Wiki setup.
Wiki setup: DON'T SET UP ANY UID/GID on DOM\Administrator or "Domain Admins"

So, the biggest problem here, only with the UID/GIDs, is: you need to keep track of these numbers..
Which is pretty lame, because it can easily be done within the AD.
Only because of this above, and only because of that, I use a Windows 7 PC for administering samba.
Because ADUC does count the UID/GIDs for you.

Now, the key here is .. ! In this order !
1) add a GID on "domain users".
2) add GIDs on all groups you need on the file systems (that's the minimal requirement).
   Do this BEFORE you set rights or change shares
3) add UIDs to all users, simply a must.
   It's advised to keep "Domain Users" as primary group.
3a) Use security groups to allow/deny access. If you followed, "domain users" is primary group.
3b) Use the security groups you set as primary group.
   Both have their own advantages and flaws..
5) Now you can add the needed stuff. Like:
   set the profile path to "\\hostname.internal.example.com\profiles\%username%"
   set the HomeFolder (Driveletter:) to "\\hostname.internal.example.com\users\%username%"

Use: getfacl
DON'T use: chmod/chown, it kills your ACLs.

For example, if you set a right and you have backend AD on the member, and you didn't add the GID to the group when you're using and setting ACLs:
Use getfacl and look at the output, the group you want is not shown.
Add the GID you want, it is not shown either.
Now add the GID BEFORE you set the rights, and.. the group GID/name you want IS shown.
This all has to do with when info is looked up and when ACLs on the filesystem are saved.

The above is also thanks to Bob Wooden being very patient to find some parts in my setup where people often fail.
I gave way more insight into when and why parts are going wrong.

I hope the above helps people.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Saturday 5 September 2020 19:07
> To: Philip Offermans
> CC: sambalist
> Subject: Re: [Samba] Acls
>
> [...]
On 07/09/2020 10:11, L.P.H. van Belle via samba wrote:
> Hai,
>
> Not that it's wrong what Rowland made you change (AD to RID backend).
> But this "should" simply not be needed.
>
The big mistake that users make is to think that the IDs produced on a DC are uidNumbers or gidNumbers and that they can then use the 'ad' backend on Unix domain members. This is what appears to be the problem in this thread, so it was easier to change the OP to 'rid'. This proved that there was a connection to the domain and will work; if the OP now wants to use the 'ad' backend he can do. It just means adding RFC2307 attributes to AD, altering smb.conf to the 'ad' backend and restarting Samba on the Unix domain member.
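To make Rowland's distinction concrete (and the ordering problem Louis describes with the 'ad' backend), here is a small Python model of the two idmap backends. It is an added example, not code from the Samba project or from anyone in this thread: it only reproduces the documented idmap_rid arithmetic (xid = RID - base rid + low end of the configured range) and the idmap_ad rule that a Unix ID comes from the object's uidNumber/gidNumber attribute and nothing else. The directory snapshot is constructed for the example; the gidNumber 10001 on Domain Users follows Louis's addunixattrs command, the xidNumber values are made up and only stand for what a DC's idmap.ldb allocates locally.

```python
"""Toy model of winbind's 'rid' and 'ad' idmap backends (added example, not Samba code)."""
import re

# The idmap lines from the smb.conf Rowland posted for the member server.
RID_SMB_CONF = """
[global]
   workgroup = ROMPEN
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 3000-7999
   idmap config ROMPEN:backend = rid
   idmap config ROMPEN:range = 10000-40000
"""

# The same member switched to the 'ad' backend that Louis's procedure assumes.
AD_SMB_CONF = """
[global]
   workgroup = ROMPEN
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 3000-7999
   idmap config ROMPEN:backend = ad
   idmap config ROMPEN:schema_mode = rfc2307
   idmap config ROMPEN:range = 10000-40000
"""

# Constructed directory snapshot. 'rid' values are the well-known RIDs of these
# groups. 'gidNumber' is the RFC2307 attribute that samba-tool group addunixattrs
# sets; None means it was never set. 'xidNumber' stands for the ID the DC's own
# idmap.ldb hands out locally (values invented); it is not a gidNumber and a
# member server never uses it, which is the confusion Rowland points out.
AD_GROUPS = {
    "Domain Admins": {"rid": 512, "gidNumber": None, "xidNumber": 3000001},
    "Domain Users": {"rid": 513, "gidNumber": 10001, "xidNumber": 3000002},
    "Domain Guests": {"rid": 514, "gidNumber": None, "xidNumber": 3000003},
}

_IDMAP_LINE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap_config(smb_conf):
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}} from 'idmap config' lines.

    Lines commented with '#' or ';' are skipped, as smbd skips them; other
    idmap keys (schema_mode, ...) are ignored by this toy.
    """
    cfg = {}
    for line in smb_conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = _IDMAP_LINE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "backend":
            entry["backend"] = val.lower()
        elif key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
    return cfg


def rid_to_xid(rid, low, high, base_rid=0):
    """idmap_rid arithmetic: xid = RID - base_rid + low; None when outside [low, high]."""
    xid = rid - base_rid + low
    return xid if low <= xid <= high else None


def resolve_gid(group, domain, cfg, directory):
    """Return the Unix GID winbind would hand out for a domain group, or None.

    'rid' derives the GID from the SID alone, so every group maps whether or not
    RFC2307 attributes exist. 'ad' uses gidNumber only, so a group without one
    (or with one outside the range) has no Unix ID at all, which is why it does
    not show up in getfacl output until the attribute is added.
    """
    obj = directory.get(group)
    dom_cfg = cfg.get(domain.upper())
    if obj is None or dom_cfg is None or "range" not in dom_cfg:
        return None
    low, high = dom_cfg["range"]
    backend = dom_cfg.get("backend")
    if backend == "rid":
        return rid_to_xid(obj["rid"], low, high)
    if backend == "ad":
        gid = obj.get("gidNumber")
        return gid if gid is not None and low <= gid <= high else None
    return None


def main():
    for label, conf in (("rid", RID_SMB_CONF), ("ad", AD_SMB_CONF)):
        cfg = parse_idmap_config(conf)
        for group in AD_GROUPS:
            gid = resolve_gid(group, "ROMPEN", cfg, AD_GROUPS)
            print(f"{label:3} backend: {group:14} -> {gid}")


if __name__ == "__main__":
    main()
```

With Rowland's 'rid' configuration Domain Admins (RID 512) and Domain Users (RID 513) always resolve to 10512 and 10513; with the 'ad' backend only the group that was given a gidNumber resolves, and the DC-side xidNumber plays no part either way. On a real member you can compare with `wbinfo -n 'Domain Admins'` (name to SID) followed by `wbinfo -Y <SID>` (SID to GID).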
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Monday 7 September 2020 11:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] Acls
>
> [...]
>
Yes, that's a good point also.. The "confusion between AD and member setups" :-)
And it's not that the wiki isn't good, the wiki is great. It's just missing the "how to set up with AD backends in the right order".

Greetz,

Louis