Michael Tokarev
2022-Nov-21 06:26 UTC
[Samba] samba crashes windows explorer (while trying to view file permissions)
19.11.2022 18:57, Michael Tokarev via samba wrote: ..> I *think* this is "winbind nss info = rfc2307" setting.?? With this one, > I *have* to configure gidNumbers for every group in the AD.? But these > groups are *not* propagated into winbindd even after multiple reload-config and > net cache flush, some *time* have to pass...So, the problem was with winbind nss info = rfc2307. And commenting it out in smb.conf and doing 'smbcontrol all reload-config' does not change things, this is why it took so long to find out. After restarting whole thing, the changes do take effect and becomes visible. It looks like quite some things needs to be changed here. And it looks like DC mode is significantly different from other modes, where many parameters described in the man page work differently, does not work at all, or just break other things. All these little discrepancies, while not bad when is faced independently, when happens all together, makes samba to look like very unreliable thing. /mjt
Rowland Penny
2022-Nov-21 07:25 UTC
[Samba] samba crashes windows explorer (while trying to view file permissions)
On 21/11/2022 06:26, Michael Tokarev via samba wrote:> 19.11.2022 18:57, Michael Tokarev via samba wrote: > .. >> I *think* this is "winbind nss info = rfc2307" setting.?? With this one, >> I *have* to configure gidNumbers for every group in the AD.? But these >> groups are *not* propagated into winbindd even after multiple >> reload-config and >> net cache flush, some *time* have to pass... > > So, the problem was with winbind nss info = rfc2307.? And commenting it out > in smb.conf and doing 'smbcontrol all reload-config' does not change > things, > this is why it took so long to find out.? After restarting whole thing, the > changes do take effect and becomes visible. > > It looks like quite some things needs to be changed here. > > And it looks like DC mode is significantly different from other modes, > where > many parameters described in the man page work differently, does not > work at > all, or just break other things. > > All these little discrepancies, while not bad when is faced > independently, when > happens all together, makes samba to look like very unreliable thing. > > /mjt >There are numerous problems with using a Samba AD DC as a fileserver, one of which is that it uses a totally different idmapping system than any other Samba machine. This means that you cannot use any of the parameters that you would use on a Unix domain member. I have seen users attempt to use the 'idmap config' lines, but they usually have no effect, I cannot remember the use of 'winbind nss info' before, but again, the winbind lines mostly have no effect. The top and bottom of it is, do not use a Samba AD DC as a fileserver, but if you do, do not attempt to set it up like a Unix domain member. I suggest you read this: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server_.28Optional.29 Rowland