
Re: [Samba] 4.4.14 on solaris, using ads, can't read/write as user




On Thu, 29 Jun 2017 14:06:37 -0300
francis picabia via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Thanks for your help.  Here is a sanitized config from our dev system
> where I'm testing the Solaris patch.
> 
> [global]
>    workgroup = MYDOM
>    netbios name = norm
>    security = ADS
>    log file = /var/log/samba/%m.log
>    max log size = 50
>    dns proxy = no
>    loglevel = 3
>    template shell = /usr/bin/bash
>    winbind use default domain = true
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind nested groups = yes
>    encrypt passwords = yes
>    realm = AD.MYDOM.CA
> 
> 
>    idmap config * : range = 16777216-33554431
>    idmap config * : backend = rid
> 
> 
>    nt acl support = no
>    unix extensions = no
> 
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> 
> 
> #============================ Share Definitions ==============================
> 
> [homes]
>    comment = Home Directories
>    path = %H
>    browseable = no
>    valid users = MYDOM\%U
>    create mask = 0750
>    directory mask = 0750
>    wide links = Yes
> 
>    guest ok = no
>    read only = no
> 
> [tmp]
>   path = /tmp
>   public = no
>   browseable = no
>   read only = no
> 
> 
> As this is now, I was experimenting with not controlling the access
> to /tmp. New files can be copied there by the connected user, and they
> are showing expected ownership.  Reading 700 files owned by the user
> isn't working from smbclient nor Windows.
> 
> The version of AD is under Windows 2012R2
> 

Your problems lie here:

   idmap config * : range = 16777216-33554431
   idmap config * : backend = rid

Why use the range '16777216-33554431'?
You cannot use 'rid' with the BUILTIN (*) domain, you should use 'tdb'.
And the main reason why it isn't working, you need a block for the
'MYDOM' domain, see here for more info:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
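
The points raised in the reply above can be checked mechanically. The following is an added example, not code from this thread or from the Samba project: a small checker (the name `check_idmap` is hypothetical) run over the posted idmap lines and over a revised layout. The two ranges in `REVISED` are assumed values chosen for illustration.

```python
import re

# Matches "idmap config <DOMAIN> : backend|range = <value>" lines in smb.conf.
IDMAP = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

# Constructed sample: the idmap lines from the posted config.
POSTED = """
[global]
   workgroup = MYDOM
   idmap config * : range = 16777216-33554431
   idmap config * : backend = rid
"""

# Constructed sample: layout the reply asks for; both ranges are assumed values.
REVISED = """
[global]
   workgroup = MYDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOM : backend = rid
   idmap config MYDOM : range = 10000-999999
"""

def check_idmap(conf):
    """Return a list of findings about the idmap layout in smb.conf text."""
    domains, workgroup = {}, None
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # skip comment lines
        if (m := WORKGROUP.match(line)):
            workgroup = m.group(1).upper()
        if (m := IDMAP.match(line)):
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    findings = []
    if domains.get("*", {}).get("backend", "").lower() == "rid":
        findings.append("default (*) domain uses 'rid'; use 'tdb'")
    if workgroup and workgroup not in domains:
        findings.append(f"no idmap config block for domain {workgroup}")
    # ID ranges of different domains must not overlap.
    spans = sorted((*map(int, cfg["range"].split("-")), dom)
                   for dom, cfg in domains.items() if "range" in cfg)
    for (_, hi, d1), (lo, _, d2) in zip(spans, spans[1:]):
        if lo <= hi:
            findings.append(f"idmap ranges of {d1} and {d2} overlap")
    return findings

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("revised", REVISED)):
        print(name, check_idmap(conf) or "ok")
```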
