Re: [Samba] Access to sharing by hostname but not by its IP

On Tue, 25 Jul 2017 17:07:58 +0200
Marc-Henri Pamiseux via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Rowland,
> Thank you for letting me know that the '*' used in the idmap
> configuration concerns the well known Identifiers. I did not know. In
> fact, I thought it was to characterize the identifiers that do not
> belong to the domain cited, a kind of identifier by default. On closer
> inspection, that is how it is used.
> I did not plan to use local Linux identifiers other than system
> identifiers (<1000). This is a Samba migration so there are already
> accounts with identifiers between 1001 and 1072 then between 3000059
> and 3000087. I would like my shares to work before re-uniformizing
> these identifiers and then review the ACLs of the files involved in
> these changes.
> I have removed "password server", "encrypt passwords" and "vfs objects
> = dfs_samba4" from /etc/samba/smb.conf;
> default idmap config range is now from 850 to 999.
> As Louis van Belle explains, "If the Kerberos protocol is not
> negotiated for some reason, Active Directory uses LM, NTLM, or NTLM
> version 2 (NTLMv2). And in this case, Windows falls back to NTLM and
> then you are accessing the server as user guest".
> The proposed GPO (Network security: LAN Manager Authentication Level
> setting to Send NTLMv2 responses only) was already set up.
> By the way, I was ignoring this process. Cool :)
> Since I switched to winbind, I no longer get the value of the ids
> stored in Active Directory.
> The getent command no longer adds the domain's short name as a prefix
> for user accounts. What were the options for this display?
> On the RHEA file server, I stopped winbind, smbd and nmbd and then
> deleted the files:
> /var/lib/samba/{winbindd_cache.tdb,winbindd_idmap.tdb}.
> I have restarted all these services. Nothing better.
> Any idea?

If you use the winbind 'ad' backend, then any user you want to be
visible to Unix, must have a uidNumber attribute containing a number
inside the 'DOMAIN' range set in smb.conf.

The user's Unix primary group must also have a gidNumber attribute
containing a number inside the same range.

Before Samba 4.6.0 this meant that 'Domain Users' must have a
gidNumber. From 4.6.0 this changes. You now need to give your users a
gidNumber containing the Unix ID number of a group and the group would
have to have a gidNumber attribute containing the same number.

For instance, if you have a group in AD called 'unixgroup' and this
group has a gidNumber attribute containing the ID '10000', then to make
this group your users' Unix primary group, you would add 'gidNumber:
10000' to the users' AD objects. You would also need to add a line to

idmap config SAMDOM:unix_primary_group = yes

If you do not have the above line in smb.conf, then, as far as I
understand, it still works in the same way as earlier versions i.e.
Domain Users needs a gidNumber.

If everything else is set up correctly, 'getent passwd username' should
show the user's info and until it does, your user is unknown to Unix.
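As an added example (not code from this thread or from the Samba project), the checks the reply above describes for the winbind 'ad' backend, written as a POSIX shell script over a constructed smb.conf fragment and constructed LDIF-style user and group attributes; the domain name SAMDOM, the range 10000-19999 and the object names are assumptions:

```shell
#!/bin/sh
# Added example: verify that a user and its primary group carry uidNumber /
# gidNumber values inside the idmap range smb.conf sets for the domain,
# which the winbind 'ad' backend requires before the user is visible to Unix.

# Constructed smb.conf fragment; SAMDOM and 10000-19999 are assumptions.
SMB_CONF='[global]
   idmap config * : backend = tdb
   idmap config * : range = 850-999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-19999
   idmap config SAMDOM : unix_primary_group = yes'

# Constructed LDIF-style attributes, as a directory query might return them
# for a user and for its primary group; the values are made up.
USER_LDIF='dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10005
gidNumber: 10000'
GROUP_LDIF='dn: CN=unixgroup,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 10000'

# range_for DOMAIN: print "low high" parsed from the smb.conf fragment
range_for() {
    printf '%s\n' "$SMB_CONF" | sed -n \
      "s/^[[:space:]]*idmap config $1 *: *range *= *\([0-9]*\)-\([0-9]*\).*/\1 \2/p"
}

# attr LDIF NAME: print the value of one attribute from an LDIF snippet
attr() { printf '%s\n' "$1" | sed -n "s/^$2: *//p"; }

# in_range N LOW HIGH: succeed if LOW <= N <= HIGH
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# check_user USER_LDIF GROUP_LDIF: print "ok" or the first failing condition
check_user() {
    set -- "$(attr "$1" uidNumber)" "$(attr "$1" gidNumber)" "$(attr "$2" gidNumber)"
    range=$(range_for SAMDOM); low=${range% *}; high=${range#* }
    [ -n "$1" ] || { echo "missing uidNumber"; return 1; }
    in_range "$1" "$low" "$high" || { echo "uidNumber $1 outside $low-$high"; return 1; }
    [ -n "$2" ] || { echo "missing gidNumber"; return 1; }
    in_range "$2" "$low" "$high" || { echo "gidNumber $2 outside $low-$high"; return 1; }
    [ "$2" = "$3" ] || { echo "primary group gidNumber $3 != user gidNumber $2"; return 1; }
    echo ok
}

check_user "$USER_LDIF" "$GROUP_LDIF"
```

Until such a check passes for a user, 'getent passwd' will not list them, exactly as the reply says.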
