Samba 4.17.3 on Debian 11.6

[global]
unix charset = iso8859-15

security = ads
realm = COMP.INTRA
workgroup = COMP

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

winbind cache time = 10
winbind use default domain = yes
winbind refresh tickets = Yes

template homedir = /mnt/MSA2040/smb/Homes/%D/%U

domain master = no
local master = no
preferred master = no

idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config NORAS : range = 10000-20000
idmap config NORAS : backend = rid

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping

# For ACL support on domain member
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes
inherit acls = yes

unix extensions = no
follow symlinks= yes
wide links= yes

load printers = no
printcap name = /dev/null

acl allow execute always = True

# Audit settings
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = mkdirat read pread write pwrite renameat unlinkat
full_audit:facility = local5
full_audit:priority = notice

log level = 1

min domain uid=0

---

(I even noticed that this config was improved in 2019 after some thread in here ;-))

issues:

Their external windows admin tries to edit ACLs etc by accessing them from their DC, a Windows 2016 server.

And in editing Security Settings he gets something like

no connection to AD to access or check claim types

(I translated this from the german error text ... not the exact english text)

Any hints for me?

Yes, we plan to upgrade to 4.17.5 asap as well.

thanks, Stefan
On 10.02.23 at 07:50, Stefan G. Weichinger via samba wrote:
>
> Samba 4.17.3 on Debian 11.6
>
> [global]
> unix charset = iso8859-15
>
> security = ads
> realm = COMP.INTRA
> workgroup = COMP
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind cache time = 10
> winbind use default domain = yes
> winbind refresh tickets = Yes
>
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
>
> domain master = no
> local master = no
> preferred master = no
>
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config NORAS : range = 10000-20000
> idmap config NORAS : backend = rid
>
> # user Administrator workaround, without it you are unable to set
> privileges
> username map = /etc/samba/samba_usermapping
>
> # For ACL support on domain member
> vfs objects = acl_xattr full_audit
> map acl inherit = Yes
> store dos attributes = Yes
> inherit acls = yes
>
> unix extensions = no
> follow symlinks= yes
> wide links= yes
>
> load printers = no
> printcap name = /dev/null
>
> acl allow execute always = True
>
> # Audit settings
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = mkdirat read pread write pwrite renameat unlinkat
> full_audit:facility = local5
> full_audit:priority = notice
>
> log level = 1
>
> min domain uid=0
>
> ---
>
> (I even noticed that this config was improved in 2019 after some thread
> in here ;-))
>
> issues:
>
> Their external windows admin tries to edit ACLs etc by accessing them
> from their DC, a Windows 2016 server.
>
> And in editing Security Settings he gets something like
>
> no connection to AD to access or check claim types
>
> (I translated this from the german error text ... not the exact english
> text)

Maybe this is the same issue I already had at another customer. The thread was named "editing samba-share ACLs etc from Windows" and it was that "Administrator" vs. "root" issue.

Now I am investigating ... trying not to break things.
For sure there is a bit of a mess: some shares are owned by Administrator, some by root (also shares where I get the same error messages).
On 10/02/2023 06:50, Stefan G. Weichinger via samba wrote:
>
> Samba 4.17.3 on Debian 11.6
>
> [global]
> unix charset = iso8859-15
>
> security = ads
> realm = COMP.INTRA
> workgroup = COMP
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind cache time = 10
> winbind use default domain = yes
> winbind refresh tickets = Yes
>
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
>
> domain master = no
> local master = no
> preferred master = no
>
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config NORAS : range = 10000-20000
> idmap config NORAS : backend = rid
>

Is this bad sanitisation? Your workgroup is 'COMP' and the idmap config lines are using 'NORAS', they should be the same.

If that isn't it, try looking at dns, with things like this, it is usually dns.

Rowland
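The mismatch Rowland points at (workgroup COMP, rid idmap range for NORAS) is the kind of thing that is easy to miss when a config is read by eye. The following is an added example, not code from the thread or from the Samba project: a small smb.conf parser plus a consistency check for the idmap settings of a domain member. The sample configuration embedded in it is constructed from the [global] section posted above, trimmed to the lines the check looks at; the "fixed" variant only renames NORAS to COMP and is an assumption about what the intended config looks like, not something the thread confirms.

```python
import re

# Constructed sample: the idmap-relevant lines of the [global] section
# posted in the thread. The workgroup is COMP but the rid-backed idmap
# domain is NORAS, which is the inconsistency Rowland asks about.
SAMPLE_SMB_CONF = """
[global]
    unix charset = iso8859-15
    security = ads
    realm = COMP.INTRA
    workgroup = COMP
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    idmap config NORAS : range = 10000-20000
    idmap config NORAS : backend = rid
    username map = /etc/samba/samba_usermapping
    vfs objects = acl_xattr full_audit
"""

# Assumed corrected variant: idmap domain aligned with the workgroup.
FIXED_SMB_CONF = SAMPLE_SMB_CONF.replace("NORAS", "COMP")


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}.

    Comments (# or ;) and blank lines are skipped, keys have their
    whitespace normalised (smb.conf allows 'wide links= yes' and
    'min domain uid=0' alike), values are kept verbatim.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.split())] = value.strip()
    return sections


def idmap_domains(global_section):
    """Collect 'idmap config DOM : param = value' into {DOM: {param: value}}."""
    domains = {}
    for key, value in global_section.items():
        m = re.match(r"^idmap config (.+?) : (.+)$", key)
        if m:
            dom, param = m.group(1).strip(), m.group(2).strip()
            domains.setdefault(dom, {})[param] = value
    return domains


def check_idmap(conf):
    """Return a list of findings; an empty list means the idmap block is consistent."""
    g = conf.get("global", {})
    findings = []
    workgroup = g.get("workgroup", "").upper()
    if not workgroup:
        return ["no workgroup set"]
    domains = idmap_domains(g)

    # A domain member needs a default ('*') backend for BUILTIN and foreign SIDs.
    if "backend" not in domains.get("*", {}):
        findings.append("missing 'idmap config * : backend'")

    # The primary domain (the workgroup) needs its own idmap backend;
    # a range configured for some other name does not apply to it.
    named = {d.upper(): v for d, v in domains.items() if d != "*"}
    if workgroup not in named:
        others = ", ".join(sorted(named)) or "none"
        findings.append(
            f"workgroup {workgroup} has no 'idmap config {workgroup} : backend'; "
            f"idmap domains configured: {others}"
        )

    # Ranges must not overlap, or SID-to-uid mappings collide across domains.
    ranges = []
    for dom, params in domains.items():
        if "range" not in params:
            findings.append(f"idmap config {dom} has no range")
            continue
        lo, hi = (int(x) for x in params["range"].split("-"))
        ranges.append((lo, hi, dom))
    ranges.sort()
    for (_, hi1, d1), (lo2, _, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"idmap ranges of {d1} and {d2} overlap")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(label, check_idmap(parse_smb_conf(text)) or "OK")
```

Run against the posted snippet it reports that COMP has no idmap backend while NORAS does; against the renamed variant it reports nothing. This is a sanity check on one class of mistake only: it does not replace `testparm`, and whether this mismatch is related to the claim-types error the Windows admin sees is exactly what the thread is still working out.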
On Fri, 2023-02-10 at 07:50 +0100, Stefan G. Weichinger via samba wrote:
> Their external windows admin tries to edit ACLs etc by accessing them
> from their DC, a Windows 2016 server.
>
> And in editing Security Settings he gets something like
>
> no connection to AD to access or check claim types
>
> (I translated this from the german error text ... not the exact english
> text)
>
> Any hints for me?

Claims are a Windows 2012R2 feature (currently being added to Samba's AD DC, but that isn't important for this) that are a new type of ACL element.

Unlike translating user SIDs to names, which is done via the file server, I'm assuming from this message that the client is directly connecting to the AD DC over LDAP to get the list of claim types, for the GUI.

Perhaps there is a simple connection failure direct to the DC?

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst.Net Limited
Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions