On 2023-04-01 07:01, Rowland Penny via samba wrote:
> On 31/03/2023 22:38, Gary Dale via samba wrote:
>> Actually, I was probably a little optimistic in assessment. My
>> network shares are problematic. I tried using
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>> to get the shares working but that led me down a rabbit hole.
>>
>> The basic problem is my Linux computers use NFS to connect to network
>> shares. If I set up the shares as described in the wiki, my Linux
>> computers lose access - there doesn't appear to be a mapping between,
>> for example, "Domain Users" and users.
>
> Hmm, this is one of the problems of using a DC as a fileserver with
> the 'ad' idmap backend.
>
> On a standard Samba DC using the idmap backend (the default), if you
> look in idmap.ldb, you should find something like this:
>
> dn: CN=S-1-5-21-627072207-2265849604-124128874-513
> cn: S-1-5-21-627072207-2265849604-124128874-513
> objectClass: sidMap
> objectSid: S-1-5-21-627072207-2265849604-124128874-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-627072207-2265849604-124128874-513
>
> Which clearly shows that Domain Users (the RID 513) is mapped to the
> Unix ID (xidNumber) 100.
>
> If you check /etc/group on the DC you will find this:
>
> grep '100' /etc/group
> users:x:100:<LIST_OF_LOCAL_USERS>
>
> So, as standard, Domain Users is mapped to the Unix group users.
> If you give Domain Users a gidNumber attribute (you have to, to get
> the 'ad' idmap backend to work on Unix domain members), whatever
> number you use will override the '100' and break the mapping. You
> might think that you could use '100' for the gidNumber and yes you
> could, but this would mean that the idmap config range for the domain
> would have to start at 100 and that isn't really a good idea.

I was trying to follow the advice at
https://wiki.samba.org/index.php/Idmap_config_ad but testparm keeps
returning the error "ERROR: The idmap range for the domain * (tdb)
overlaps with the range of HOME (ad)!"

>> If I don't set up all the file ownerships to use "Domain Users", my
>> Windows users can't use them (except for the domain Administrator).
>>
>> And even going into the security tab on files or folders properties
>> usually crashes the window - even when I'm logged in as the domain
>> Administrator.
>
> That should not happen, though there was a known bug, which I thought
> had been fixed.
>
>> My first attempt to fix this was to upgrade to the backports version
>> of Samba since you indicated it might be necessary for an up-to-date
>> Windows 10 machine. The upgrade had no impact - the problems remain
>> the same.
>>
>> In the past this was resolvable by manually mapping the Windows
>> groups to the Linux ones - and this was working on my server until
>> recently. However I gather that some change to either Windows or
>> Samba caused that to stop working.
>
> The problem is, you shouldn't really have Linux groups per se, you
> should have Windows groups that are also Linux groups i.e. everything
> is in AD.

That's not a great idea. It would mean I'd have to modify every Linux
system. And can Linux groups even have a domain let alone spaces in
their names (e.g. "home\Domain Users")? Mapping seems like a far more
practical solution.

>> Any advice on how to proceed?
>
> Can we start with the smb.conf you are using now.

Here's the part without the share definitions:

# Global parameters
[global]
        dns forwarder = 192.168.1.1
        netbios name = THELIBRARIAN
        realm = HOME.RAHIM-DALE.ORG
        server role = active directory domain controller
        workgroup = HOME
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config HOME:backend = ad
        idmap config HOME:schema_mode = rfc2307
        idmap config HOME:range = 10000-999999
        idmap config HOME:unix_nss_info = yes
        idmap config HOME:unix_primary_group = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/home.rahim-dale.org/scripts
        read only = No

[Profiles]
        path = /home/samba/profiles
        read only = No
        create mask = 0777
        directory mask = 0777
        guest ok = Yes
        browseable = No

[homes]
        comment = Home Directories
        valid users = %S
        create mask = 0700
        directory mask = 0700
        browseable = No

> What version of NFS are you using 3 or 4 ?

nfsstat -s shows v4 but I'm using the v3 style settings in /etc/exports
(e.g. /home/shares 192.168.1.0/24(rw,sync) ). I haven't set up
anything that takes advantage of any v4 features. I note that there are
options for using Kerberos in v4, which I'm guessing is where you are
going...

On 01/04/2023 16:15, Gary Dale via samba wrote:
>> The problem is, you shouldn't really have Linux groups per se, you
>> should have Windows groups that are also Linux groups i.e. everything
>> is in AD.
>
> That's not a great idea. It would mean I'd have to modify every Linux
> system.

Possibly

> And can Linux groups even have a domain let alone spaces in
> their names (e.g. "home\Domain Users")?

Yes:

rowland at devstation:~$ getent group Domain\ Users
domain users:x:10513:krbtgt,dhcpduser,test,user1,backupuser,user2,fred,rowland,administrator

> Mapping seems like a far more
> practical solution.

No it isn't and it sort of misses one of the points of AD, a single
point of authority.

>>> Any advice on how to proceed?
>>
>> Can we start with the smb.conf you are using now.
>
> Here's the part without the share definitions:
>
> # Global parameters
> [global]
>         dns forwarder = 192.168.1.1
>         netbios name = THELIBRARIAN
>         realm = HOME.RAHIM-DALE.ORG
>         server role = active directory domain controller
>         workgroup = HOME
>         idmap_ldb:use rfc2307 = yes

See below about the following lines:

>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         idmap config HOME:backend = ad
>         idmap config HOME:schema_mode = rfc2307
>         idmap config HOME:range = 10000-999999
>         idmap config HOME:unix_nss_info = yes
>         idmap config HOME:unix_primary_group = yes

I will say this yet again, do not add 'idmap config' to a Samba AD DC's
smb.conf, they will do absolutely nothing.

>         vfs objects = acl_xattr

Now that is a really, really big mistake. Whilst 'acl_xattr' is one of
the vfs objects used by a DC, you have just turned off the main one,
'dfs_samba4'.

>         map acl inherit = yes
>         store dos attributes = yes
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [netlogon]
>         path = /var/lib/samba/sysvol/home.rahim-dale.org/scripts
>         read only = No
>
> [Profiles]
>         path = /home/samba/profiles
>         read only = No
>         create mask = 0777
>         directory mask = 0777
>         guest ok = Yes
>         browseable = No
>
> [homes]
>         comment = Home Directories
>         valid users = %S
>         create mask = 0700
>         directory mask = 0700
>         browseable = No
>
>> What version of NFS are you using 3 or 4 ?
>
> nfsstat -s shows v4 but I'm using the v3 style settings in /etc/exports
> (e.g. /home/shares 192.168.1.0/24(rw,sync) ). I haven't set up
> anything that takes advantage of any v4 features. I note that there are
> options for using Kerberos in v4, which I'm guessing is where you are
> going...

Yep, you really should be using NFSv4, I wish Louis was still around, he
knew more about NFS than I do.

What I will say is this, you know all that knowledge you know about
Samba PDC's and the like, well, you should forget most of it, AD is
nothing like an NT4-style domain. Once you get your head around this and
start to use AD as it is meant to be used, you will realise just how
much easier it is to use. Just one point of maintenance, user, group and
computer wise.

Rowland
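As an added example (not code from this thread or from the Samba project), a small Python checker for the three smb.conf problems raised above: it parses the [global] section, flags 'idmap config' lines on an AD DC, flags a 'vfs objects' line that drops dfs_samba4, and reports overlapping idmap ranges of the kind testparm complains about. The sample config is constructed from the one posted in the thread, and the parser assumes a simplified smb.conf syntax (no include or copy handling).

```python
import re
from typing import Dict, List

# Constructed sample: the [global] lines from the posted smb.conf that matter here.
SAMPLE_SMB_CONF = """
# Global parameters
[global]
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config HOME:backend = ad
        idmap config HOME:range = 10000-999999
        vfs objects = acl_xattr
"""

def parse_global(text: str) -> Dict[str, str]:
    """[global] as {key: value}; keys lower-cased with spacing round ':' collapsed."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank or comment
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            # 'idmap config * : range' and 'idmap config *:range' become the same key
            key = re.sub(r"\s*:\s*", ":", " ".join(key.split())).lower()
            params[key] = value.strip()
    return params

def audit_dc_config(text: str) -> List[str]:
    """Flag the DC mistakes from the thread plus overlapping idmap ranges."""
    g = parse_global(text)
    findings: List[str] = []
    is_dc = g.get("server role", "") == "active directory domain controller"
    idmap = {k: v for k, v in g.items() if k.startswith("idmap config ")}
    if is_dc and idmap:
        findings.append("idmap config lines on an AD DC are ignored; remove them")
    vfs = g.get("vfs objects", "").split()
    if is_dc and vfs and "dfs_samba4" not in vfs:
        findings.append("vfs objects overrides the DC default and drops dfs_samba4")
    # (key, low, high) for every '...:range = low-high' line
    ranges = [(k, *map(int, v.split("-"))) for k, v in idmap.items() if k.endswith(":range")]
    for i, (ka, alo, ahi) in enumerate(ranges):
        for kb, blo, bhi in ranges[i + 1:]:
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append(f"{ka} ({alo}-{ahi}) overlaps {kb} ({blo}-{bhi})")
    return findings
```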