Rowland Penny
2024-Nov-14 16:35 UTC
[Samba] Very strange: Samba is unable to access one of its own files
On Thu, 14 Nov 2024 11:17:11 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:

> On 11/14/24 10:48, Rowland Penny via samba wrote:
> > The only things that a Samba AD DC pulls from AD is the uidNumber
> > and gidNumber attributes (if they are set) and only then if
> > 'idmap_ldb:use rfc2307 = yes' is set in the DCs smb.conf.
> >
> > What are you expecting ?
> >
> > Rowland
>
> Oh. Well, I was expecting that the home directory and the shell
> attributes would be retrieved from AD

Not on a DC, but you can do this on a Unix domain member, though I am
beginning to think there isn't much point to it.

> --or else constructed from
> the 'template homedir' and 'template shell' lines in smb.conf. The
> values I set there were:
>
>     template shell = /bin/bash
>     template homedir = /home/%U
>

That should work.

> but the getent is returning
>
> HOME\jgraham:*:10000:100::/home/SAMDOM/jgraham:/bin/false
>
> which appear to be the defaults for those two as opposed to what's
> specified in either smb.conf or AD.

Yes, they are the defaults, as is the '100' for 'users' which is mapped
to Domain Users. I suggest you set a gidNumber on Domain Users, just in
case you decide to run a Unix domain member in future with the 'ad'
idmap backend.

If all else fails, try rebooting the DC and see if that fixes it.

This is from one of my DCs with 'template shell = /bin/bash' set:

adminuser at tmpdc1:~ $ getent passwd rowland
SAMDOM\rowland:*:3000020:100:Rowland Penny:/home/SAMDOM/rowland:/bin/bash

You are running into one of the many reasons why it isn't recommended
to use a Samba AD DC as a fileserver.

Rowland
John R. Graham
2024-Nov-14 16:45 UTC
[Samba] Very strange: Samba is unable to access one of its own files
On 11/14/24 11:35, Rowland Penny via samba wrote:

> Not on a DC, but you can do this on a Unix domain member, though I am
> beginning to think there isn't much point to it.
>
> Yes, they are the defaults, as is the '100' for 'users' which is mapped
> to Domain Users. I suggest you set a gidNumber on Domain Users, just in
> case you decide to run a Unix domain member in future with the 'ad'
> idmap backend.
>
> If all else fails, try rebooting the DC and see if that fixes it.
>
> This is from one of my DCs with 'template shell = /bin/bash' set:
>
> adminuser at tmpdc1:~ $ getent passwd rowland
> SAMDOM\rowland:*:3000020:100:Rowland Penny:/home/SAMDOM/rowland:/bin/bash
>
> You are running into one of the many reasons why it isn't recommended
> to use a Samba AD DC as a fileserver.

Understood. I'm going to stand up an independent file server Real Soon Now(tm) and evict that functionality from the AD DC. Promise.

Will try the reboot.

- John
John R. Graham
2024-Nov-15 00:54 UTC
[Samba] Very strange: Samba is unable to access one of its own files
On 11/14/24 11:35, Rowland Penny via samba wrote:

> On Thu, 14 Nov 2024 11:17:11 -0500
> "John R. Graham via samba" <samba at lists.samba.org> wrote:
>> but the getent is returning
>>
>> HOME\jgraham:*:10000:100::/home/SAMDOM/jgraham:/bin/false
>>
>> which appear to be the defaults for those two as opposed to what's
>> specified in either smb.conf or AD.
> ...
> If all else fails, try rebooting the DC and see if that fixes it.
>
> This is from one of my DCs with 'template shell = /bin/bash' set:
>
> adminuser at tmpdc1:~ $ getent passwd rowland
> SAMDOM\rowland:*:3000020:100:Rowland Penny:/home/SAMDOM/rowland:/bin/bash
> ...

Rebooting resolved all remaining issues (I /had/ restarted the Samba service before, but...). Thanks again.

- John
John R. Graham
2024-Nov-15 15:18 UTC
[Samba] Very strange: Samba is unable to access one of its own files
On 11/14/24 11:35, Rowland Penny via samba wrote:

> ... I suggest you set a gidNumber on Domain Users, just in
> case you decide to run a Unix domain member in future with the 'ad'
> idmap backend.
>
> This is from one of my DCs with 'template shell = /bin/bash' set:
>
> adminuser at tmpdc1:~ $ getent passwd rowland
> SAMDOM\rowland:*:3000020:100:Rowland Penny:/home/SAMDOM/rowland:/bin/bash

Does this mean that you do not have a GID=100 group in your tmpdc1 /etc/groups file, thus it can be used as the "Domain Users" GID?

Is it correct to use

    ldbedit -H /var/lib/samba/private/sam.ldb '(sAMAccountName=Domain Users)'

to add the gidNumber?

- John