samba - Dec 2022 - R: winbindd no access console with root

I compiled by my self and it's a domain member's role ?

[global]
        client min protocol = NT1
        log file = /var/log/samba/message.log
        max log size = 1000
        ntlm auth = ntlmv1-permitted
        os level = 250
        realm = LXCERRUTI.COM
        security = ADS
        server min protocol = NT1
        server role = member server
        server string = Samba Member - Versione %v
        winbind offline logon = Yes
        winbind use default domain = Yes
        workgroup = LXCERRUTI
        idmap config * : range = 100000-107999
        idmap config lxcerruti : backend = ad
        idmap config lxcerruti : range = 0-99999
        idmap config lxcerruti : unix_nss_info = yes
        idmap config * : backend = tdb
        acl allow execute always = Yes


[Vol1]
        admin users = @g_admin
        comment = Home Directory per ogni User
        create mask = 0777
        directory mask = 0777
        hide unreadable = Yes
        path = /Cerruti
        read only = No
        vfs objects = recycle
        recycle:maxsize = 500000000
        recycle:exclude = *.tmp *.ldb *.temp ~$* *.LCK *.dmp
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:touch = yes
        recycle:repository = .recycle/%U


thanks

-----Messaggio originale-----
Da: samba <samba-bounces at lists.samba.org> Per conto di Rowland Penny
via samba
Inviato: gioved? 22 dicembre 2022 11:11
A: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Oggetto: Re: [Samba] winbindd no access console with root



On 22/12/2022 10:00, Corrado Ravinetto via samba wrote:
> Hi
> Samba 4.17.3 compiled on Centos 8 Stream like domain member
What do you mean by 'compiled like domain member' ?
> after i start winbindd i can't access in console anymore with
root's
> account or via ssh for permission denied if i stop winbindd i can
> connect and so on
Please post your smb.conf file.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Lanificio F.lli CERRUTI]


Corrado Ravinetto
Sistemi informativi
corrado.ravinetto at lanificiocerruti.com <mailto:corrado.ravinetto at
lanificiocerruti.com>
T: +39 015 3591283
[Lanificio F.lli CERRUTI]
Lanificio F.lli Cerruti S.p.A.
Via Cernaia 40, 13900 - Biella (BI) Italy
www.lanificiocerruti.com <http://www.lanificiocerruti.com/>

[Twitter] <https://twitter.com/Lan_Cerruti> [Facebook] 
<https://www.facebook.com/LanificioCerruti> [Instagram] 
<https://www.instagram.com/lanificiocerruti/>

Rispetta l'ambiente, non stampare questa mail se non necessario
Respect the environment, don't print unless necessary

[Unesco]

On 22/12/2022 10:18, Corrado Ravinetto via samba wrote:
> I compiled by my self and it's a domain member's role ?
No, I was trying to find out if you had compiled without the DC 
components, but it sounds like you just ran:

./configure
make
make install

and everything ended up in /usr/local/samba/
> 
> [global]
>          client min protocol = NT1
>          log file = /var/log/samba/message.log
>          max log size = 1000
>          ntlm auth = ntlmv1-permitted
>          os level = 250
>          realm = LXCERRUTI.COM
>          security = ADS
>          server min protocol = NT1
>          server role = member server
>          server string = Samba Member - Versione %v
>          winbind offline logon = Yes
>          winbind use default domain = Yes
>          workgroup = LXCERRUTI
>          idmap config * : range = 100000-107999
>          idmap config lxcerruti : backend = ad
>          idmap config lxcerruti : range = 0-99999
>          idmap config lxcerruti : unix_nss_info = yes
>          idmap config * : backend = tdb
>          acl allow execute always = Yes
> 
> 
> [Vol1]
>          admin users = @g_admin
>          comment = Home Directory per ogni User
>          create mask = 0777
>          directory mask = 0777
>          hide unreadable = Yes
>          path = /Cerruti
>          read only = No
>          vfs objects = recycle
>          recycle:maxsize = 500000000
>          recycle:exclude = *.tmp *.ldb *.temp ~$* *.LCK *.dmp
>          recycle:versions = yes
>          recycle:keeptree = yes
>          recycle:touch = yes
>          recycle:repository = .recycle/%U
> 
It looks like you upgraded from an NT4-style domain and are still 
thinking in NT4-style ways.

There is an obvious reason why 'root' isn't working, perhaps you
will
understand why after reading this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba

Do you still have any pre-vista Windows machines in your domain ?
If not, you can remove all the SMBv1 lines.

I would also suggest you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

And then set the share permissions from Windows, this will you much 
finer access control.

Rowland