On 2023-04-01 15:13, Kees van Vloten via samba wrote:
> On 01-04-2023 20:38, Rowland Penny via samba wrote:
>>
>>
>> On 01/04/2023 19:10, Gary Dale via samba wrote:
>>
>>> https://wiki.samba.org/index.php/Idmap_config_ad in the Configuring
>>> the ad Back End section.
>>
>> Yes, but right at the top there is a warning box that says:
>>
>> ID mapping back ends are not supported in the smb.conf file on a
>> Samba Active Directory (AD) domain controller (DC).
>> For details, see Failure To Access Shares on Domain Controllers If
>> idmap config Parameters Set in the smb.conf File.
>>
>> I will update that to say, do not add anything on this page to a Samba
>> AD DC smb.conf.
>>
>>>
>>> Which shows that the documentation is fragmented and contradictory
>>> (not to mention obfuscated). If something is OK to set in one
>>> instance but not another, shouldn't that be highlighted? We have
>>> hyperlinks these days.
>>>
>>
>> It isn't as easy as that on the Samba wiki, I wish it was. I know
>> that the Samba wiki isn't the best in the world, but I cannot change
>> the wiki software.
>>
>>> Not according to a lot of the recent documentation. It's telling me
>>> to use the Windows tools, which are a nightmare, to do things that
>>> I'd prefer to do through the Linux tools.
>>>
>>
>> The Samba wiki mentions ADUC a lot, but this isn't as easy to use as
>> it once was and samba-tool has got a lot better.
>>
>>>
>>> How would that stop my Windows 10 VM from accessing shares? I recall
>>> some registry settings being needed to get Windows 7 to work with
>>> Samba but that's ancient history...
>>
>> The lack of SMBv1 shouldn't stop Win10 accessing a share, it would stop
>> Network Browsing though. If Win10 cannot access a Samba share, then
>> there should be something in the Windows event log and/or the logs of
>> the Samba server. There are two things to note, Win10 may require the
>> latest Heimdal and if you are trying to connect to a guest Samba
>> share, you should check if Windows doesn't have guest access turned off.
>>
>>> Haven't tried it since pre-pandemic - certainly not with a Bullseye
>>> server - so it is not going to be interesting to look at. It
>>> definitely predates the backports version of Samba.
>>>
>>> That's why I'm looking for something more recent so I can retry.
>>
>> The actual way you set up a smb.conf hasn't changed much for quite a
>> few years, so it should be valid.
>>
>>> I tried using Samba once rather than NFS but that broke things. I
>>> keep my mail on the server and Thunderbird didn't work properly.
>>> Reverting to NFS fixed that. Also, Samba shares seemed slower and
>>> less reliable. NFS just works.
>>
>> I use Thunderbird on a Unix domain member and apart from an annoying
>> Thunderbird bug, everything works okay.
>>
>> As for speed, there isn't much difference between the two now, but
>> you can use NFS with Samba authentication, I just wouldn't share an
>> NFS export.
> Indeed, sharing the same directory over SMB and over NFS is a bad idea.
> Hosting a Samba share on an NFS share is a similarly bad idea.
It would be normally, but not in this case. The only people using the
shares aren't accessing the same files. My setup is almost 100% NFS with
just the occasional bit of Samba to read or (rarely) write to a file.
Samba is there because I need to support Windows access - these days
mostly for tax software that I can't get to run under Wine.
>>
>> There are probably users out there using NFS with AD authentication,
>> I hope one of them will help here.
>
> For NFS the most important thing is to have a single source for UIDs
> and GIDs, winbind + Samba-ADDC does a great job getting this done.
I only have one user (me) and no additional groups. The only reason I'm
even looking at this is because Windows seems to have broken my older
setup. Rowland has been pushing Samba accounts as the way to fix it.
>
> Next you decide if you are good with unencrypted shares authorized by
> client-machine-IP, if so the simplest form of NFS4 (very similar to
> the setup of NFS3) will do. If not you have to set up Kerberized NFS
> which has user-authentication (due to Kerberos) and allows shares
> encrypted on the wire just as SMB has in recent versions.
Yes. My NFS4 setup is basically NFS3 with newer server software.
>
> At the moment I am still using NFS4 for my Linux clients because Samba
> does not offer the Unix-extensions with SMB3 yet. Unfortunately I
> noticed that did not make it into 4.18.
>
I have no real desire to switch from NFS. I'm just trying to get things
working the way they used to.