Displaying 20 results from an estimated 10000 matches similar to: "Samba, ACLs and 'primary group'..."
2020 Feb 05
0
Samba, ACLs and 'primary group'...
On 05/02/2020 11:39, Marco Gaiarin via samba wrote:
> My previous email on this topic got no answer, I try to explain myself
> better.
>
>
> The problem.
>
> Simply i was (ab)used, in my previous samba NT-mode domains, to have
> file created with the group-owner as the UNIX primary group; now, in
> AD, files get created group-owned by Windows primary group, eg 'Domain
2020 Feb 05
2
Samba, ACLs and 'primary group'...
Mandi! Rowland penny via samba
In chel di` si favelave...
> > And my Windows client works happily!
> If you only had Unix clients, then you could stick with this way of doing
> things, but you have Windows clients, so you need to work the Windows way
> and make your Unix clients work the same way.
No. In these years i've worked with 'POSIX ACLs', setting up scripts
2020 Feb 05
2
Samba, ACLs and 'primary group'...
Mandi! Rowland penny via samba
In chel di` si favelave...
> Do you have ANY Windows clients ?
Sure! Most of my clients are windows.
> If the answer is yes, then you need to follow the 'Setting up a share using
> windows ACLs' page and make your Linux clients work with this.
> If the answer is no, then you can follow the POSIX ACLs page.
> Do not try to mix the two.
2018 Jan 15
2
Home folder: a simple mapping or something more?
Probably this email is connected with my previous one, about folder
redirection.
Looking at:
https://wiki.samba.org/index.php/User_Home_Folders
for AD there are three methods to set the home folder. ADUC and ldbedit are the
same, simply using different interfaces.
But setting a folder mapping via GPO, AFAI've understood, it is not exactly
the same as setting home folder.
Or better, setting a
2019 Jul 26
2
'samba-tool user setpassword', PwdLastSet and expiration...
I've a script 'infrastructure' that manages password propagation between
some domains/password sources.
When, in my AD domains, I ''consume'' a password coming from another
domain, I run:
samba-tool user setpassword ${USER} --option="check password script"="" --newpassword="$mypassword"
and the script exit with status 0 and print
2019 Oct 16
4
vfs_recycle permission bug?!
Samba 4.8 (Louis debian repo), DM.
Today I've had to recover a deleted file in that share, that uses the
'vfs_recycle' module:
[Work]
comment = Spazio di Lavoro Utente
map acl inherit = Yes
path = /srv/work
read only = No
store dos attributes = Yes
vfs objects = acl_xattr recycle full_audit
volume = Work
full_audit:failure = none
full_audit:success = mkdir rmdir read pread
2018 Apr 27
2
Homes, folder redirection and hide files...
Samba 4.5 in AD mode, domain in ''beta'' stage. ;-)
I've created homes for users following:
https://wiki.samba.org/index.php/User_Home_Folders
using 'POSIX' mode, eg using:
[users]
comment = Home Directories
path = /home
browseable = No
veto files = /.mail/.inbox/.ssh/
root preexec = /etc/samba/createhome "%U"
force create mode = 0600
force
2017 Nov 30
4
Troubles on Roaming Profiles...
Mandi! Rowland Penny via samba
In chel di` si favelave...
> Is this on a DC ?
No, it is a DM.
> If it isn't, Try setting it up exactly like it is shown on the
> wikipage, note that you only need the 'vfs objects' line if it isn't
> set in [global]
Wikipage says only:
Create a new share. For details, see Setting up a Share Using Windows ACLs.
and
2017 Oct 19
3
Best practice for creating an RO LDAP User in AD...
Coming from Samba in NT mode with OpenLDAP backend I've created a bunch
of ''things'' (apps, web tools, ...; but also printers and so on) that
rely on reading ''public'' data in LDAP.
With OpenLDAP ''public'' was an easy concept: anonymous access was
the default, and ACLs protect more sensitive data (mostly, passwords).
Now I've to redo some
2018 Sep 04
4
Upgraded a member server to 4.8, rfc2307 data?
I'm starting to upgrade my domain members to debian stretch/samba 4.8,
using louis packages.
Domain controllers still on jessie/samba45.
Upgrade went smooth, but after upgrade seems that the DM was not able
anymore to retrieve rfc2307 data, eg:
root@vdmsv2:~# getent passwd gaio
gaio:*:10000:10513:Marco Gaiarin:/home/LNFFVG/gaio:/bin/false
root@vdmsv2:~# ldbsearch -H
2018 Sep 05
3
Upgraded a member server to 4.8, rfc2307 data?
Mandi! L.P.H. van Belle via samba
In chel di` si favelave...
> idmap config LNFFVG: unix_primary_group = yes
Is it needed? AFAI've understood it means that users will have UNIX primary
group the windows group and not 'domain users', but really I don't need
that...
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''
2020 Feb 05
1
Samba, ACLs and 'primary group'...
Mandi! Rowland penny via samba
In chel di` si favelave...
> you MUST use Windows ACLs on a DC
Sure! Never doubted about that!
> and you MUST use acl_xattr on
> a Unix domain member if you have Windows clients, which means you MUST use
> Windows ACLs.
Why you say 'MUST'?
You MUST use acl_xattr on a Unix domain member to have ACLs on Windows
Clients behave exactly as in
2017 Sep 19
7
[OT?] VM or Container for an AD DC?
Mandi! Andrew Bartlett via samba
In chel di` si favelave...
> There is a limitation for containers regarding xattrs as I understand
> it, so you may need to go to a full DC.
...googling around it seems to me that these are ''old limitations'', now gone.
I've also hit:
https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-November/012789.html
so seems that
2017 Nov 30
2
Troubles on Roaming Profiles...
I've created a folder for roaming profiles:
[profiles]
comment = Network Profiles Share
path = /srv/samba/profiles
browseable = No
store dos attributes = Yes
csc policy = disable
map acl inherit = Yes
read only = No
vfs objects = acl_xattr
Share permission and folder permission seems right, exactly as in:
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
I've
2017 Nov 14
1
Setting up Second Samba DC samba-tool ntacl sysvolreset fails
Mandi! Rowland Penny via samba
In chel di` si favelave...
> The error you are getting is usually caused by adding GPOs to the first
> DC and then NOT copying them to the second DC before running
> 'sysvolreset'. The GPOs are also stored in AD, 'sysvolreset' reads AD
> to find where the GPOs are supposed to be, but if it cannot find any,
> it errors out.
2018 May 11
3
Moving roaming profiles between domains, risky?
OK, now i've to start to move the big part of my users from my old
NT-like domains to my new AD domain.
I've setup roaming profile in the new domain following the wiki
(https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles, 'using
windows ACL') and for new profiles works like a charm.
But i've tried to move/copy old profile to the new domain, and seems
work, with
2018 Jan 15
3
Avoiding uid conflicts between rfc2307 user/groups and computers
Mandi! Rowland Penny via samba
In chel di` si favelave...
> I am not disputing what you say, I am just asking for concrete proof
> that a computer account MUST have a uidNumber account.
Rowland, it is not (only) a matter of authentication, it is a matter of
'act' with machine account.
I've dug a bit but found nothing than (I use WPKG as deployment
system, it is only an
2018 Apr 27
1
Homes, folder redirection and hide files...
Mandi! Rowland Penny via samba
In chel di` si favelave...
> > Samba 4.5 in AD mode, domain in ''beta'' stage. ;-)
> Yes, but what 'AD mode' ??
> Is it a DC or Unix domain member ?
Uh, oh. Sorry. Domain Member.
> it is 'RECYCLE.BIN' not 'RECICLE.BIN'
Ahem, ops, sorry.
> Have you read 'man vfs_recycle' ?
I use (in other
2020 Nov 12
2
Thunderbird, CSC and files/folder...
[ I don't think it is a samba trouble, but indeed some clue... ]
A user of mine has a rather complex Thunderbird local folder email
archive, in a network folder (P:\Mail), with CSC enabled (it is a
portable system).
Rather frequently (at least once a week) in the share a 'disk folder' (a
directory) with the same name of the 'file' of the email folder gets created.
Because
2020 May 04
2
Windows link in linux share...
To reduce the space occupied by Thunderbird IMAP Cache, I've found
this:
https://bugzilla.mozilla.org/show_bug.cgi?id=517425#c49
and it seems to work as expected. I've extended it a bit to also link global-messages-db.sqlite
(eg, global search index).
But after that, I don't find in the roaming profile (server side) the link created
with mklink.
Are links not supported by Samba? Thanks.
--