similar to: Cannot browse mode 0700 directories from Windows with security=ads

On Fri, Apr 15, 2016 at 04:06:53PM +0100, you wrote: > Having got that out of the way, can you post your smb.conf ? This is slightly redacted so apologise if some essential info was missing. Also there are lots of shares but the 0700 access problem happens on the [homes] share so here's that one: [global] workgroup = ... realm = ... server string = Samba Server

On 15/04/16 15:20, Ian Collier wrote: > We've had a samba server running for ages on CentOS 6 with samba 3.6.23. > (We're hoping to move to CentOS 7 and samba 4.2.10 soon but in the meantime > we'd like to keep this one working.) > > The situation is that we have a Unix domain (LDAP/Kerberos) and a Windows > domain (AD) with identical usernames, and we are running

On Mon, Apr 18, 2016 at 06:56:48PM +0100, Rowland penny wrote: > >nslcd is running, in fact. However, the AD server does not have uidNumber > >and gidNumber attributes for the users in question. Maybe this is part > >of the problem? > nslcd relies on uidNumber & gidNumber attributes, so if they don't exist, as > far as Unix is concerned the user or group

rpenny at samba.org writes: > OK, you have a Samba domain member that is joined to an AD domain and you > also say you are running winbindd, but there doesn't seem to be any winbind > or 'idmap config' lines in your smb.conf, are you also running sssd ? The server has "passwd: files ldap" in nsswitch.conf and sssd is not running, but "getent passwd

rpenny at samba.org writes: > If your computer is joined to an AD domain, is running Samba with 'security > = ADS' and winbindd is running, the line in /etc/nsswitch should be 'passwd: > files winbind' (the group line should be 'group: files winbind') > Your users should not be in /etc/passwd, they should only be in AD (as > should your groups) Sorry but we

On 15/04/16 16:21, Ian Collier wrote: > On Fri, Apr 15, 2016 at 04:06:53PM +0100, you wrote: >> Having got that out of the way, can you post your smb.conf ? > This is slightly redacted so apologise if some essential info > was missing. Also there are lots of shares but the 0700 access > problem happens on the [homes] share so here's that one: > > [global] >

On 15/04/16 22:09, Ian Collier wrote: > rpenny at samba.org writes: >> If your computer is joined to an AD domain, is running Samba with 'security >> = ADS' and winbindd is running, the line in /etc/nsswitch should be 'passwd: >> files winbind' (the group line should be 'group: files winbind') >> Your users should not be in /etc/passwd, they

On Fri, Apr 15, 2016 at 11:43:03PM +0100, Rowland penny wrote: > Lets see if I can describe how it is supposed to work: > You run smbd, this gives you fileserving capabilities but you need users & > groups. The users & groups in /etc/passwd and /etc/group are unknown to > Samba, so you need to make them known to Samba. You can do this in few ways, > but when you use

On 15/04/16 18:18, Ian Collier wrote: > rpenny at samba.org writes: >> OK, you have a Samba domain member that is joined to an AD domain and you >> also say you are running winbindd, but there doesn't seem to be any winbind >> or 'idmap config' lines in your smb.conf, are you also running sssd ? > The server has "passwd: files ldap" in nsswitch.conf

On 18/04/16 17:48, Ian Collier wrote: > On Fri, Apr 15, 2016 at 11:43:03PM +0100, Rowland penny wrote: >> Lets see if I can describe how it is supposed to work: >> You run smbd, this gives you fileserving capabilities but you need users & >> groups. The users & groups in /etc/passwd and /etc/group are unknown to >> Samba, so you need to make them known to Samba.

Rowland, no domain user can authenticate on any system and running sysvolreset followed by sysvolcheck results in a crash. If the sysvol permissions are correct, sysvolcheck does not crash. If I attempt to join a NAS or workstation to the domain I get NT_STATUS_INVALID_SID. Researching these symptoms turns up a thread about a corrupt idmap.ldb where a group SID and user SID may be the same or

Rowland, Thank you for the quick response. I have just run net cache flush no change in problem. I have dumped the idmap.ldp using ldbsearch -H /var/lib/samba/private/idmap.ldb > idmap.txt and did some sorting, that is how I found the duplicates. On 1/13/2017 11:09 AM, Rowland Penny via samba wrote: > samba-tool ntacl > >sysvolreset

Hai Rowland, > > No, you haven't done anything wrong and yes the provision > does set Domain Users to '100' in idmap.ldb. > Ow.. This i did not know, only wondering why its not BUILTIN\users ( how it is in windows ). Do you know as of which version this is? Of as of start, i really never noticed this. > > Do not remove Domain Users, but you are correct,

On 1/13/2017 3:30 PM, Rowland Penny wrote: > On Fri, 13 Jan 2017 15:20:52 -0500 > Bob Thomas <bthomas at cybernetics.com> wrote: > >> On 1/13/2017 1:45 PM, Rowland Penny wrote: >>> On Fri, 13 Jan 2017 13:30:14 -0500 >>> Bob Thomas <bthomas at cybernetics.com> wrote: >>> >>>> Rowland, >>>>>> Thank you for the quick

On Fri, Nov 3, 2017 at 2:43 PM, Rowland Penny <rpenny at samba.org> wrote: > On Fri, 3 Nov 2017 13:53:22 -0600 > Jeff Sadowski via samba <samba at lists.samba.org> wrote: > >> just get objectsid and use this >> >> https://blogs.msdn.microsoft.com/oldnewthing/20040315-00/?p=40253 > > Why ??? > So that when someone on a linux machine writes to disk

> > If you run getent passwd administrator on a DC, you should get > something like this: > root at dc1:~# getent passwd administrator > SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash On my DC getent passwd administrator show nothing. :( Is it necessary to map the root user to ADDC as well? There is however a gotcha, on any domain > joined windows machine there

Hi, It is time I migrate from Samba 3.6 to Samba 4. But the classicupdate fails because there is no group defined for my LDAP users. Well, users have a group, but it is a Unix only group. I never bothered to do any group mapping between Unix and Samba 3, I never needed it. I found out, a long long time ago that the relationship between UID and SID is SID=2*UID+1000. I am not sure of what I

:-| ls -lnd /opt/samba/var/locks/sysvol drwxrwx---+ 3 0 3000000 4096 Jun 16 13:56 /opt/samba/var/locks/sysvol Em 16-06-2017 13:38, Rowland Penny via samba escreveu: > On Fri, 16 Jun 2017 13:15:19 -0300 > "Carlos A. P. Cunha" <carlos.hollow at gmail.com> wrote: > >> OK, sorry, uncomment a line :-D >> >> Yes exist! >> >> ls -ld

On 1/13/2017 4:58 PM, Rowland Penny via samba wrote: > On Fri, 13 Jan 2017 16:43:39 -0500 > Bob Thomas via samba <samba at lists.samba.org> wrote: > >> On 1/13/2017 3:30 PM, Rowland Penny wrote: >> >>> On Fri, 13 Jan 2017 15:20:52 -0500 >>> Bob Thomas <bthomas at cybernetics.com> wrote: >>> >>>> On 1/13/2017 1:45 PM, Rowland

I have to confess here, that on trying again, to get the error... I restarted everything to ensure there were no errant messages, and now installing libpam-krb5 does not cause a problem... the users are assigned a kerberos ticket when logging in which is nice too... I must thank you and Rowland both, since I have learned a lot about how Kerberos works in this process, and debugged some issues