Hi

I have a share running on a domain member. My domain root user is linked to the domain Administrator (user map).

When I go on Windows to the share as Administrator I can access it. Then I change the ACL settings. I give domain users access to the share. For some reason the changes are not visible on the Unix system; getfacl returns:

root@dna:/data# getfacl /data/share/
getfacl: Removing leading '/' from absolute path names
# file: data/share/
# owner: root
# group: root
user::rwx
user:root:rwx
group::rwx
group:root:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:mask::rwx
default:other::---

I can't access the share as a domain user. I think it has something to do with winbind. Winbind is running btw.

Philip
On 01/11/2020 12:25, Philip Offermans via samba wrote:
> Hi
>
> I have a share running on a domain member. My domain root user is linked to the domain Administrator (user map).
>
> When I go on Windows to the share as Administrator I can access it. Then I change the ACL settings. I give domain users access to the share. For some reason the changes are not visible on the Unix system; getfacl returns:
>
> root@dna:/data# getfacl /data/share/
> getfacl: Removing leading '/' from absolute path names
> # file: data/share/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::rwx
> group:root:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::r-x
> default:group:root:r-x
> default:mask::rwx
> default:other::---
>
> I can't access the share as a domain user. I think it has something to do with winbind. Winbind is running btw.
>
> Philip

Sorry, more info required, the usual suspects: what OS, what version of Samba, what is in your smb.conf, how are you changing the ACLs and to what?

Rowland
On 01/11/2020 13:11, Philip Offermans wrote:
> Samba config:
> [global]
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes

You have the above lines twice and you no longer need the 'store dos attributes' line

>
> idmap_ldb:use rfc2307 = yes

The above line is only used on a Samba DC

>
> winbind nss info = rfc2307

The above line is no longer used

> winbind enum users = yes
> winbind enum groups = yes

You should only have the above lines for testing, remove them once you are sure everything works.

Now we come to what is probably your main problem, you are missing the 'idmap config' lines, why?

>
>
>
> ACL in Windows:
> Root (Unix User\root) | Full Control | This folder, subfolders and files
> Domain Admins (Domain\Domain Admins) | Full Control | This folder, subfolders and files
> Domain Users (Domain\Domain Users) | Change | This folder, subfolders and files

Domain Users is probably going to need Read, modify at least

>
> I think it has something to do with winbind.

Correct, winbind has no idea who your users and groups are because you do not have the 'idmap config' lines

Rowland
On 01/11/2020 14:23, Philip Offermans wrote:
> True, I have not set this up because I don't know how it works. From my understanding the idmap config lines are there to give Windows users and groups a Unix ID. But all the documentation I find is about idmap with a DC.
>

I take it that you missed this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Which leads to this:

https://wiki.samba.org/index.php/Idmap_config_ad

Or this:

https://wiki.samba.org/index.php/Idmap_config_rid

Or this:

https://wiki.samba.org/index.php/Idmap_config_autorid

Without one of those, it will not work.

Use 'ad' if you have uidNumbers & gidNumbers in AD (these are not there by default).
Use 'rid' if you do not have uidNumbers & gidNumbers in AD and have only one domain.
Use 'autorid' if you do not have uidNumbers & gidNumbers in AD and have multiple domains, in which case do not use 'winbind use default domain = yes' in smb.conf.

Rowland
On 01/11/2020 14:44, Philip Offermans wrote:
> Thanks
> It works :)
>
> It works but I still don't fully understand what I did, so am I right? Is idmapping used to map Windows users and groups to Unix?
>
> Philip
>

Basically yes, it just depends on which backend you used on how it is done.

'ad' uses uidNumber and gidNumber attributes that must be manually set in AD
'rid' calculates the Unix ID from the account's RID in AD
'autorid' calculates the Unix ID from the account's RID and Domain SID.

They all depend on the 'idmap config' lines and the ranges you set in them.

Rowland
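The missing 'idmap config' lines Rowland points to, and the 'rid' backend he describes (Unix ID derived from the account's RID within the configured range), as an added example that is not from this thread or from the Samba project: a constructed smb.conf fragment (domain EXAMPLE, SID and ranges all made up) is parsed, the ranges are checked for overlap, which Samba rejects, and a SID is mapped the way idmap_rid does (ID = RID - base_rid + range low).

```python
import re

# Constructed smb.conf fragment (not the poster's file): the 'idmap config'
# lines that were missing in the thread, using the 'rid' backend for one domain.
SMB_CONF = """
[global]
    security = ADS
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
    vfs objects = acl_xattr
    map acl inherit = yes
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap_config(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val
    return cfg

def check_ranges(cfg):
    """winbind refuses overlapping idmap ranges; return the overlapping domain pairs."""
    ranged = sorted(d for d in cfg if "range" in cfg[d])
    overlaps = []
    for i, a in enumerate(ranged):
        for b in ranged[i + 1:]:
            (alo, ahi), (blo, bhi) = cfg[a]["range"], cfg[b]["range"]
            if alo <= bhi and blo <= ahi:
                overlaps.append((a, b))
    return overlaps

def rid_to_unix_id(sid, domain, cfg, base_rid=0):
    """idmap_rid mapping: ID = RID - base_rid + range_low; None if outside the range."""
    rid = int(sid.rsplit("-", 1)[1])
    low, high = cfg[domain.upper()]["range"]
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    print("overlaps:", check_ranges(cfg))
    # Domain Users is always RID 513; the domain part of the SID is constructed.
    print("Domain Users ->", rid_to_unix_id("S-1-5-21-1111111111-2222222222-3333333333-513", "EXAMPLE", cfg))
```

With these ranges 'Domain Users' (RID 513) becomes GID 10513, which is the kind of entry that was absent from the getfacl output in the first message.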