On 2023-04-01 07:01, Rowland Penny via samba wrote:
>
> On 31/03/2023 22:38, Gary Dale via samba wrote:
>> Actually, I was probably a little optimistic in my assessment. My
>> network shares are problematic. I tried using
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>> to get the shares working but that led me down a rabbit hole.
>>
>> The basic problem is my Linux computers use NFS to connect to network
>> shares. If I set up the shares as described in the wiki, my Linux
>> computers lose access - there doesn't appear to be a mapping between,
>> for example, "Domain Users" and users.
>
>
> Hmm, this is one of the problems of using a DC as a fileserver with
> the 'ad' idmap backend.
>
> On a standard Samba DC using the idmap backend (the default), if you
> look in idmap.ldb, you should find something like this:
>
> dn: CN=S-1-5-21-627072207-2265849604-124128874-513
> cn: S-1-5-21-627072207-2265849604-124128874-513
> objectClass: sidMap
> objectSid: S-1-5-21-627072207-2265849604-124128874-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-627072207-2265849604-124128874-513
>
> Which clearly shows that Domain Users (the RID 513) is mapped to the
> Unix ID (xidNumber) 100
>
> If you check /etc/group on the DC you will find this:
>
> grep '100' /etc/group
> users:x:100:<LIST_OF_LOCAL_USERS>
>
> So, as standard, Domain Users is mapped to the Unix group users.
> If you give Domain Users a gidNumber attribute (you have to, to get
> the 'ad' idmap backend to work on Unix domain members), whatever
> number you use will override the '100' and break the mapping. You
> might think that you could use '100' for the gidNumber and yes you
> could, but this would mean that the idmap config range for the domain
> would have to start at 100 and that isn't really a good idea.
>
I was trying to follow the advice at
https://wiki.samba.org/index.php/Idmap_config_ad but testparm keeps
returning the error "ERROR: The idmap range for the domain * (tdb)
overlaps with the range of HOME (ad)!"
>> If I don't set up all the file ownerships to use "Domain Users", my
>> Windows users can't use them (except for the domain Administrator).
>>
>> And even going into the security tab on files or folders properties
>> usually crashes the window - even when I'm logged in as the domain
>> Administrator.
>
> That should not happen, though there was a known bug, which I thought
> had been fixed.
>
>>
>> My first attempt to fix this was to upgrade to the backports version
>> of Samba since you indicated it might be necessary for an up-to-date
>> Windows 10 machine. The upgrade had no impact - the problems remain
>> the same.
>>
>> In the past this was resolvable by manually mapping the Windows
>> groups to the Linux ones - and this was working on my server until
>> recently. However I gather that some change to either Windows or
>> Samba caused that to stop working.
>
> The problem is, you shouldn't really have Linux groups per se, you
> should have Windows groups that are also Linux groups i.e. everything
> is in AD.
That's not a great idea. It would mean I'd have to modify every Linux
system. And can Linux groups even have a domain, let alone spaces, in
their names (e.g. "home\Domain Users")? Mapping seems like a far more
practical solution.
>
>>
>> Any advice on how to proceed?
>
> Can we start with the smb.conf you are using now.
Here's the part without the share definitions:
# Global parameters
[global]
        dns forwarder = 192.168.1.1
        netbios name = THELIBRARIAN
        realm = HOME.RAHIM-DALE.ORG
        server role = active directory domain controller
        workgroup = HOME
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config HOME:backend = ad
        idmap config HOME:schema_mode = rfc2307
        idmap config HOME:range = 10000-999999
        idmap config HOME:unix_nss_info = yes
        idmap config HOME:unix_primary_group = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
[netlogon]
        path = /var/lib/samba/sysvol/home.rahim-dale.org/scripts
        read only = No
[Profiles]
        path = /home/samba/profiles
        read only = No
        create mask = 0777
        directory mask = 0777
        guest ok = Yes
        browseable = No
[homes]
        comment = Home Directories
        valid users = %S
        create mask = 0700
        directory mask = 0700
        browseable = No
>
> What version of NFS are you using 3 or 4 ?
nfsstat -s shows v4 but I'm using the v3 style settings in /etc/exports
(e.g. /home/shares 192.168.1.0/24(rw,sync) ). I haven't set up
anything that takes advantage of any v4 features. I note that there are
options for using Kerberos in v4, which I'm guessing is where you are
going...
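As an added example, not part of this thread and not Samba's own tooling: a small Python script that reproduces the two checks Rowland walks through above, namely the idmap-range overlap that testparm reports and the idmap.ldb chain from RID 513 to an xidNumber to a name in /etc/group, run against the [global] idmap lines and the sidMap record posted in this message. The sample inputs are embedded and constructed (the /etc/group member list is made up), and all function names are mine.

```python
"""Sanity checks for Samba idmap ranges and the idmap.ldb SID -> xid mapping."""
import re
from itertools import combinations

# Constructed sample: the idmap lines from the [global] section posted above.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = HOME
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config HOME:backend = ad
        idmap config HOME:schema_mode = rfc2307
        idmap config HOME:range = 10000-999999
"""

# Constructed sample: the idmap.ldb record for Domain Users (RID 513) quoted above.
SAMPLE_IDMAP_LDIF = """\
dn: CN=S-1-5-21-627072207-2265849604-124128874-513
cn: S-1-5-21-627072207-2265849604-124128874-513
objectClass: sidMap
objectSid: S-1-5-21-627072207-2265849604-124128874-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-627072207-2265849604-124128874-513
"""

# Constructed sample /etc/group content (the member names are made up).
SAMPLE_ETC_GROUP = "root:x:0:\nusers:x:100:alice,bob\n"

# Matches 'idmap config <DOMAIN> : <option> = <value>'; the domain may be '*'.
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap_config(text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return cfg

def idmap_ranges(cfg):
    """Return {DOMAIN: (lo, hi)} for every domain that sets 'range = lo-hi'."""
    ranges = {}
    for dom, opts in cfg.items():
        if "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-", 1))
            if lo > hi:
                raise ValueError(f"range for {dom} is inverted: {lo}-{hi}")
            ranges[dom] = (lo, hi)
    return ranges

def find_overlaps(ranges):
    """Domain pairs whose ranges intersect: the condition testparm reports as an error."""
    clashes = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        if alo <= bhi and blo <= ahi:
            clashes.append((a, b))
    return clashes

def domains_covering_xid(xid, ranges):
    """Domains whose configured range contains this Unix id (empty if none does)."""
    return sorted(d for d, (lo, hi) in ranges.items() if lo <= xid <= hi)

def parse_sidmap_ldif(text):
    """Return {objectSid: (type, xidNumber)} from ldbsearch-style LDIF output."""
    records, cur = {}, {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        if not line.strip():
            if "objectSid" in cur and "xidNumber" in cur:
                records[cur["objectSid"]] = (cur.get("type"), int(cur["xidNumber"]))
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    return records

def gid_names(etc_group_text):
    """Return {gid: groupname} from /etc/group-style lines."""
    names = {}
    for line in etc_group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            names[int(fields[2])] = fields[0]
    return names

def lookup_rid(rid, sidmap, groups):
    """Find the sidMap entry for a domain RID and the Unix group its xid resolves to."""
    for sid, (typ, xid) in sidmap.items():
        if int(sid.rsplit("-", 1)[1]) == rid:
            return {"sid": sid, "type": typ, "xid": xid, "group": groups.get(xid)}
    return None

if __name__ == "__main__":
    ranges = idmap_ranges(parse_idmap_config(SAMPLE_SMB_CONF))
    print("ranges:", ranges)
    print("overlaps:", find_overlaps(ranges) or "none")
    sidmap = parse_sidmap_ldif(SAMPLE_IDMAP_LDIF)
    print("Domain Users:", lookup_rid(513, sidmap, gid_names(SAMPLE_ETC_GROUP)))
    print("xid 100 covered by:", domains_covering_xid(100, ranges) or "no configured range")
```

For the two ranges as posted (3000-7999 and 10000-999999) find_overlaps returns nothing, so a first step when testparm still reports an overlap is to run it against the exact file it reads (testparm /path/to/smb.conf). To check a live DC, replace the constructed LDIF with the output of ldbsearch against idmap.ldb (on Debian the file is assumed to be /var/lib/samba/private/idmap.ldb) and read /etc/group directly; domains_covering_xid(100, ...) returning an empty list is the numeric form of Rowland's point that gid 100 sits outside any idmap config range.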