On Wed, Jan 18, 2023 at 11:53 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>
> On 18/01/2023 16:38, Greg Dickie via samba wrote:
> > Hi,
> >
> > Running samba 4.10.16 on CentOS7. It's a fileserver but with a split
> > personality. For everything UNIX authentication is NIS (I know ;-) but for
> > samba we authenticate to AD and all users have the same uidNumber &
> > gidNumber as they do in NIS.
>
> The problem is, you shouldn't have any local users if you are running
> the computer as a domain member, Samba should be 'mapping' the AD users
> to Unix users.
>
Agree but this was a standalone server that we are now transitioning into
the domain and as long as the UIDs and GIDs match everything should be ok
no?
>
> Is it possible to see your smb.conf used on the Unix machines ?
>
Sure
[global]
workgroup = TOTO
server string = Samba on SRVLXFS2
realm = TOTO.CA
security = ads
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
idmap config * : range = 16777216-33554431
idmap config ULTRATCS : schema mode = rfc2307
idmap config ULTRATCS : backend = ad
idmap config ULTRATCS : range = 500-10000
idmap config ULTRATCS : unix_primary_group = yes
idmap config ULTRATCS : unix_nss_info = yes
idmap_ldb:use rfc2307 = yes
template homedir = /home/%U
min domain uid = 0
unix extensions = no
wide links = yes
printing = cups
printcap name = cups
load printers = no
cups options = raw
log file = /var/log/samba/log.%m.%U
log level = 0
max log size = 50M
#syslog = 0
[homes]
comment = Home Directories
browseable = no
writable = yes
# create mask = 0664
# directory mask = 0775
force create mode = 0775
force directory mode = 0775
# force security mode = 664
# force directory security mode = 775
map archive = no
>
> > This has been working fine but now I have some
> > users who suddenly lose write access to their files, sometimes. One user
> > has 2 workstations (1 works always, the other exhibits this issue so maybe
> > a patch on the workstation?). When this happens IF I give their files group
> > write permission they are good again. Does this ring a bell? I have a level
> > 10 debug of an ACCESS_DENIED test but nothing in there looks obviously
> > wrong until the ACCESS_DENIED so I can't see why.
>
> Are they supposed to have 'user' permissions or just 'group'
> permissions, also are you using extended ACL's ?
>
user permissions, all the users on this system have the same primary group
of 1000, No ACLs, or at least not supposed to be.
>
> >
> > Tried to rebuild a newer samba version but CentOS seems to not like it.
>
> I noticed :-D
>
> >
> > Any thoughts?
>
> What on ? Life, the universe and everything ? If so the answer is '42'
>
Too easy! Please tell me what I'm doing wrong. The fact that it's not
consistent kills me, I am unable to reproduce on my own.
Thanks Rowland!
Greg
>
> Rowland
--
Greg Dickie
just a guy
514-983-5400
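
An added example, not part of the original thread and not Samba's own tooling: a small Python check of the idmap lines from the smb.conf posted above. It reports overlapping ranges, whether the `workgroup` has its own `idmap config` range (without one, that domain's users fall under the default `*` section), and which section's range a given Unix ID falls in. The function names are hypothetical and the domain names are taken exactly as posted.

```python
import re

# Constructed sample: the idmap-related lines of the smb.conf posted above.
SMB_CONF = """\
[global]
workgroup = TOTO
idmap config * : range = 16777216-33554431
idmap config ULTRATCS : backend = ad
idmap config ULTRATCS : range = 500-10000
"""

IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(.+?)\s*=\s*(.+)$", re.I)

def parse(conf):
    """Return (workgroup, {domain: (low, high)}) from smb.conf text."""
    workgroup, ranges = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue  # skip blanks, comments and section headers
        m = IDMAP_RE.match(line)
        if m and m.group(2).strip().lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-"))
            ranges[m.group(1).upper()] = (low, high)
        elif re.match(r"workgroup\s*=", line, re.I):
            workgroup = line.split("=", 1)[1].strip().upper()
    return workgroup, ranges

def check(conf):
    """List idmap problems: overlapping ranges, workgroup without a range."""
    workgroup, ranges = parse(conf)
    findings, names = [], sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges of {a} and {b} overlap")
    if workgroup not in ranges:
        findings.append(f"workgroup {workgroup} has no idmap config range")
    return findings

def section_for_id(conf, unix_id):
    """Name of the idmap config section whose range contains unix_id."""
    for name, (low, high) in parse(conf)[1].items():
        if low <= unix_id <= high:
            return name
    return None

if __name__ == "__main__":
    print(check(SMB_CONF))
    print(section_for_id(SMB_CONF, 1000))
```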