Update:
MAD\Administrator can change permissions on the 'share' tab.
MAD\Luis (a domain admin) can not.
Should this be like so ?
On the other hand, I have built another domain member for testing.
[global]
apply group policies = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
netbios name = SERVER2
realm = MAD.MATER.INT
security = ADS
server min protocol = SMB2
server role = member server
username map = /etc/samba/user.map
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = MAD
acl_xattr:ignore system acls = yes
idmap config mad : unix_nss_info = yes
idmap config mad : range = 10000-999999
idmap config mad : schema_mode = rfc2307
idmap config mad : backend = ad
idmap config * : range = 3000-7999
idmap config * : backend = tdb
fruit:delete_empty_adfiles = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:veto_appledouble = yes
fruit:posix_rename = yes
fruit:model = RackMac
fruit:metadata = stream
fruit:aapl = yes
delete veto files = Yes
ea support = Yes
hosts deny = 0.0.0.0/0
map acl inherit = Yes
vfs objects = acl_xattr
[personales]
hide unreadable = Yes
path = /data/users/
read only = No
acl_xattr:ignore system acls = yes
It has the
username map = /etc/samba/user.map
And contains:
!root = MAD\Administrator
MAD\Administrator has no uidNumber
However
root@server2:~# getent passwd Administrator
root@server2:~# wbinfo -i Administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user Administrator
When MAD\Administrator tries to access the share via \\server2 I get a "Windows
can not access \\Server2"
On the server :
root@server2:/var/log/samba# tail 192.168.0.9.log
[2023/05/25 17:32:47.622065,  0] ../../source3/auth/auth_util.c:1927(check_account)
  check_account: Failed to convert SID S-1-5-21-2152908145-95474353-1514027631-500 to a UID (dom_user[MAD\administrator])
I guess root mapping is not quite right. What am I missing ?
Thanks,
On 25 May 2023 at 21:49 +0200, samba at lists.samba.org wrote:
> Okay, Administrator is mapping to the Unix root user, but I just noticed
> you said 'share permissions', are we talking the 'Share Permissions' tab
> here ? If so, then stop, you only change permissions on the 'Security'
> tab and I can think of no reason to change the sysvol permissions in
> that way.
>
> Rowland