Il 02/02/21 17:15, Rowland penny via samba ha scritto:> [...] > There doesn't seem to be anything wrong with that smb.conf except for > the 'wins server' line, you don't use wins with Samba AD.you are right, I forgot to remove it.>> Furthermore I don't know if it's normal but getent group or wbinfo >> --group-info doesn't show member users but if I set winbind expand >> groups to 1 the getent group and wbinfo --group-info shows correctly >> the member users. > You need to fix that, 'getent passwd username' & 'getent group > groupname' must produce output....I think I've not explained myself... yes both produce output but getent group <groupname> doesn't produce the members of the group if I don't set winbind expand groups to 1. For example this is what I see if I don't set winbind expand groups to 1: $ getent group dominiocsa\\Domain\ Users DOMINIOCSA\domain users:x:10513: but all domain users are in Domain Users group. Do you think there is something wrong in my samba configuration?> Also, as 'Domain Users' is the default primary group for domain users, > you don't really need the 'force group' line.but it was just for example! Sometimes I use force group but now I can't use it any more and I can't understand why and I would like to know why ... didn't you? Piviul
On 03/02/2021 07:46, Piviul via samba wrote:> Il 02/02/21 17:15, Rowland penny via samba ha scritto: >> [...] >> There doesn't seem to be anything wrong with that smb.conf except for >> the 'wins server' line, you don't use wins with Samba AD. > > you are right, I forgot to remove it. > > >>> Furthermore I don't know if it's normal but getent group or wbinfo >>> --group-info doesn't show member users but if I set winbind expand >>> groups to 1 the getent group and wbinfo --group-info shows correctly >>> the member users. >> You need to fix that, 'getent passwd username' & 'getent group >> groupname' must produce output. > > ...I think I've not explained myself... yes both produce output but > getent group <groupname> doesn't produce the members of the group if I > don't set winbind expand groups to 1. For example this is what I see > if I don't set winbind expand groups to 1: > > $ getent group dominiocsa\\Domain\ Users > DOMINIOCSA\domain users:x:10513: > > but all domain users are in Domain Users group. Do you think there is > something wrong in my samba configuration?No, but I understand your 'problem' now. Try reading 'man smb.conf' about 'winbind expand groups' Rowland
Mandi! Piviul via samba In chel di` si favelave...> but it was just for example! Sometimes I use force group but now I can't use > it any more and I can't understand why and I would like to know why ... > didn't you?I've waited a bit, hoping that someone more knowleagable of me reply. I remember, but my draft cite only a dead link, the old 'samba-it' mailing lists in Simo Sorce's server: http://lists.xsec.it/pipermail/samba-it/2009-December/008290.html that 'force group' is incompatible with 'guest ok', and i've experimented also i trouble with 'force group' and ACLs, so i've disabled it (this totally 'in memory'). If i remember well, the only way to use 'force group' is to disable totally ACLs form share and use only POSIX basic permission, but also set 'force create mode', 'force directory mode', or some other options. Sorry for the vagueness, bus also i've disabled 'force group' use in my shares, roughly when i've started to use ACLs. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)