Sorry for the spam. My mailserver got an error message after trying to send via
IPV6 four times and then switched back to IPV4. But back to the topic:
The change to rid is our temporary workaround, nevertheless the version with
idmap config DOMAIN:backend = ad gives the problems that I mentioned in my first
post, several users can use the shares and others can't without any clue
why. They have random (old) unix IDs and other users with a uidNumber between
them cannot use the share, loads of logs with loglevel 10 did not give any hint.
So this is the version that does not give all users access to the shares:
idmap config * : backend = tdb
idmap config * : range = 117000-117999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1001-116999
idmap config DOMAIN:unix_nss_info = no
idmap config DOMAIN:unix_primary_group = yes
template shell = /bin/bash
template homedir = /home/%U
kerberos method = secrets and keytab
winbind nss info = template
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
Best Regards
Matthias Mueller
> You do not appear to be using the 'ad' idmap backend, you have commented
> it out.
> Also, did your finger get stuck, you asked the same question 5 times.
> Rowland

On 14/12/2022 09:14, Balke IT via samba wrote:
> Sorry for the spam. My mailserver got an error message after trying to send via
> IPV6 four times and then switched back to IPV4. But back to the topic:
>
> The change to rid is our temporary workaround, nevertheless the version with
> idmap config DOMAIN:backend = ad gives the problems that I mentioned in my first
> post, several users can use the shares and others can't without any clue
> why. They have random (old) unix IDs and other users with a uidNumber between
> them cannot use the share, loads of logs with loglevel 10 did not give any hint.
>
> So this is the version that does not give all users access to the shares:
>
> idmap config * : backend = tdb
> idmap config * : range = 117000-117999
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 1001-116999
> idmap config DOMAIN:unix_nss_info = no
> idmap config DOMAIN:unix_primary_group = yes
>
> template shell = /bin/bash
> template homedir = /home/%U
>
> kerberos method = secrets and keytab
>
> winbind nss info = template
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> Best Regards
> Matthias Mueller

Let's see if I have got this correct:
Your computer is joined to an AD domain.
You have users in AD with uidNumber attributes.
Domain Users has a gidNumber attribute.
All these '*idNumber' attributes hold numbers inside the '1001-116999' range.

Is all that correct?
Can you also post your entire smb.conf?

Rowland

Why do you use idmap-backend ad anyway? Is there a reason not to use the backend rid? It's much easier to handle, you don't have to look at a GidNumber and UidNumber, you only need the RID every user has in an Active Directory.

On 14.12.22 at 10:14, Balke IT via samba wrote:
> Sorry for the spam. My mailserver got an error message after trying to send via
> IPV6 four times and then switched back to IPV4. But back to the topic:
>
> The change to rid is our temporary workaround, nevertheless the version with
> idmap config DOMAIN:backend = ad gives the problems that I mentioned in my first
> post, several users can use the shares and others can't without any clue
> why. They have random (old) unix IDs and other users with a uidNumber between
> them cannot use the share, loads of logs with loglevel 10 did not give any hint.
>
> So this is the version that does not give all users access to the shares:
>
> idmap config * : backend = tdb
> idmap config * : range = 117000-117999
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 1001-116999
> idmap config DOMAIN:unix_nss_info = no
> idmap config DOMAIN:unix_primary_group = yes
>
> template shell = /bin/bash
> template homedir = /home/%U
>
> kerberos method = secrets and keytab
>
> winbind nss info = template
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> Best Regards
> Matthias Mueller
>
>
>> You do not appear to be using the 'ad' idmap backend, you have commented
>> it out.
>
>> Also, did your finger get stuck, you asked the same question 5 times.
>
>> Rowland
>

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy. You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
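
Rowland's checklist earlier in the thread (uidNumber and gidNumber set and inside the DOMAIN range) can be checked mechanically. The following is an added example, not part of any post in the thread: it parses the idmap lines as posted and flags accounts whose IDs are missing or outside the configured range. The account names and numbers are constructed sample data, assumed to stand in for the result of an AD query.

```python
import re

# The idmap lines exactly as posted in the thread.
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 117000-117999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1001-116999
idmap config DOMAIN:unix_nss_info = no
idmap config DOMAIN:unix_primary_group = yes
"""

# Constructed sample accounts (not from the thread): name -> (uidNumber, gidNumber).
# None means the attribute is not set in AD.
SAMPLE_ACCOUNTS = {
    "alice": (1500, 1100),
    "bob": (900, 1100),       # uidNumber below the DOMAIN range
    "carol": (2000, None),    # gidNumber not set
    "dave": (117500, 1100),   # uidNumber falls in the '*' range instead
}

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def id_range(opts):
    """Turn a 'low-high' range value into an (int, int) tuple."""
    low, high = (int(x) for x in opts["range"].split("-"))
    return low, high

def overlapping(domains):
    """Pairs of idmap domains whose ranges share at least one ID."""
    r = sorted((id_range(o), d) for d, o in domains.items() if "range" in o)
    return [(a, b) for i, ((_, ah), a) in enumerate(r) for ((bl, _), b) in r[i + 1:] if bl <= ah]

def check_accounts(domains, domain, accounts):
    """Return {name: [attributes missing or outside the domain's range]}."""
    low, high = id_range(domains[domain])
    problems = {}
    for name, ids in accounts.items():
        bad = [a for a, v in zip(("uidNumber", "gidNumber"), ids) if v is None or not low <= v <= high]
        if bad:
            problems[name] = bad
    return problems

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlapping ranges:", overlapping(cfg))
    print("accounts to review:", check_accounts(cfg, "DOMAIN", SAMPLE_ACCOUNTS))
```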