ralph strebbing
2021-Dec-06 20:19 UTC
[Samba] Administrator User Has no access to Remote File Server
On Mon, Dec 6, 2021 at 3:11 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> Can we have a bit more info:
> What OS's are you using ?

DC and File Server are both running Ubuntu 20.04.3

> What versions of Samba are you using ?

DC1: 4.13.14-Debian (Using Van-Belle's Repo)
Filesrv1: 4.13.14-Ubuntu (Using Standard Ubuntu Repo)

> Have you added any RFC2307 attributes to AD ?

Here is my SMB config from DC1:

# Global parameters
[global]
    dns forwarder = 10.60.4.31
    netbios name = DC1
    realm = DOMAIN.COM
    server role = active directory domain controller
    workgroup = DOMAIN
    idmap_ldb:use rfc2307 = yes

    # Template settings for login shell and home directory
    template shell = /bin/bash
    template homedir = /home/%U

    winbind enum users = yes
    winbind enum groups = yes
    server services = -dns

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/domain.com/scripts
    read only = No

So yes, in both DC1, rfc2307 has been set to yes for the idmap_ldb, and is being called in the idmap settings of filesrv1 (posted before).

Regards,
Ralph
Rowland Penny
2021-Dec-06 20:33 UTC
[Samba] Administrator User Has no access to Remote File Server
On Mon, 2021-12-06 at 15:19 -0500, ralph strebbing wrote:
> On Mon, Dec 6, 2021 at 3:11 PM Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > Can we have a bit more info:
> > What OS's are you using ?
> DC and File Server are both running Ubuntu 20.04.3
> > What versions of Samba are you using ?
> DC1: 4.13.14-Debian (Using Van-Belle's Repo)
> Filesrv1: 4.13.14-Ubuntu (Using Standard Ubuntu Repo)
> > Have you added any RFC2307 attributes to AD ?
> Here is my SMB config from DC1:
> # Global parameters
> [global]
>     dns forwarder = 10.60.4.31
>     netbios name = DC1
>     realm = DOMAIN.COM
>     server role = active directory domain controller
>     workgroup = DOMAIN
>     idmap_ldb:use rfc2307 = yes
>
>     # Template settings for login shell and home directory
>     template shell = /bin/bash
>     template homedir = /home/%U
>
>     winbind enum users = yes
>     winbind enum groups = yes

You do not need those two lines above, they only slow things down.

>     server services = -dns
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> [netlogon]
>     path = /var/lib/samba/sysvol/domain.com/scripts
>     read only = No
>
> So yes, in both DC1, rfc2307 has been set to yes for the idmap_ldb,
> and is being called in the idmap settings of filesrv1 (posted
> before).

That isn't what I asked, but it possibly answers the question.

If you use the winbind 'ad' backend, you must manually add RFC2307 attributes, nothing adds them automatically, so if you haven't added them, they will not be there.

If you haven't added them yet, can I suggest you start at '10000' and adjust your 'idmap config' lines on the Unix domain members.

After you have done the above, add 'min domain uid = 0' to your Unix domain members.

Rowland
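
Added example, not part of the thread or of Samba itself: a small audit that reads an LDIF export of AD user entries and reports accounts that have no uidNumber, or one outside the domain member's 'idmap config' range, which is the situation the reply above describes for the 'ad' backend. The LDIF sample is constructed, the range's upper bound is an assumption (the thread only gives the start, 10000), and the function names are hypothetical.

```python
# Added example: audit RFC2307 uidNumber values against an idmap range.
# IDMAP_RANGE's upper bound is an assumption; SAMPLE_LDIF is constructed data.
IDMAP_RANGE = (10000, 999999)

SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=domain,DC=com
sAMAccountName: Administrator

dn: CN=alice,CN=Users,DC=domain,DC=com
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=domain,DC=com
sAMAccountName: bob
uidNumber: 1005
gidNumber: 10000
"""

def parse_ldif(text):
    """Split simple (unwrapped, non-base64) LDIF into a list of attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and anything that is not "attr: value"
            key, value = line.split(": ", 1)
            entry[key] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def audit(entries, id_range=IDMAP_RANGE):
    """Return {account: problem} for entries missing a usable uidNumber."""
    low, high = id_range
    problems = {}
    for e in entries:
        name = e.get("sAMAccountName", e.get("dn", "?"))
        uid = e.get("uidNumber")
        if uid is None:
            problems[name] = "no uidNumber"
        elif not uid.isdigit() or not low <= int(uid) <= high:
            problems[name] = f"uidNumber {uid} outside {low}-{high}"
    return problems

if __name__ == "__main__":
    for account, problem in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{account}: {problem}")
```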