
Re: [Samba] samba 4 ad member - idmap = ad for machine accounts

I posted it already, but here it is again (it's everything, except that there are not 1 but ~10 SOMESHARE shares, all with exactly the same config).

Full entry from smb.conf:

[global]
        netbios name = VS-FILES
        security = ADS
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM

        log file = /var/log/samba/%m.log
        log level = 1

        # default backend for SIDs not covered by a domain-specific block (BUILTIN etc.)
        idmap config *:backend = tdb
        idmap config *:range = 100-2000

        # idmap config for domain MYDOMAIN: read uidNumber/gidNumber from AD (rfc2307)
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 4000-99999

        # I'm going to remove enum users/groups as recommended
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        winbind expand groups = 5
        # I'm going to remove this one too, to avoid confusion
        winbind use default domain = yes
        winbind nss info = rfc2307
        vfs objects = acl_xattr
        map acl inherit = yes
        admin users = "@MYDOMAIN\Domain Admins","@MYDOMAIN\Enterprise Admins"
        store dos attributes = yes

[SOMESHARE1]
        path = /home/shares/SOMESHARE1/
        read only = no

[SOMESHARE2]
        path = /home/shares/SOMESHARE2/
        read only = no
......
[SOMESHARE10]
        path = /home/shares/SOMESHARE10/
        read only = no


.............
Correct me please if I'm wrong, but:
idmap = AD
means that winbind on the Samba 4 domain member, when idmapping domain users, looks at the
gidNumber
uidNumber
attributes set in AD for these users when mapping Windows to Unix users? At least these are the values I'm getting from the Samba 4 domain member when using getent for domain users, and these values can be seen when looking at files from the Unix perspective. At first I thought that setting those values for machine accounts, as long as they're in the range of MYDOMAIN:range, should be enough, but I was unable to make it work; I'm getting access denied.

Since changing from idmap = ad to idmap = rid fixes everything, it leads me to believe some other attribute is checked by winbindd when doing domain-to-local user mappings.

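A check for the precondition this message is about, as an added example that is not part of the original post or of Samba's own code: with `idmap config DOMAIN:backend = ad`, winbind only maps an account whose AD object carries uidNumber and gidNumber inside the configured range, so a machine account without those attributes (or with values outside the range) gets no Unix ID at all; with `backend = rid` the ID is computed arithmetically from the SID (ID = RID - BASE_RID + LOW_RANGE), so every account maps. The script parses the posted idmap lines, applies both rules to constructed LDIF-style records (the account names, SIDs and attribute values are made up for the example, not taken from the post), and flags accounts that would come back unmapped. It also reports overlapping idmap ranges, which testparm warns about.

```python
# Added example: audit whether AD accounts can be mapped by winbind's idmap
# backend, given an smb.conf fragment and LDIF-style AD records.
# Assumptions: idmap_ad needs uidNumber and gidNumber inside the domain range;
# idmap_rid computes ID = RID - BASE_RID + LOW_RANGE. All input is constructed.
import re
from typing import Dict, List, Optional, Tuple

IdmapConfig = Dict[str, Dict[str, object]]
Mapping = Tuple[Optional[Tuple[int, int]], str]

# Constructed smb.conf fragment mirroring the idmap lines from the post.
SMB_CONF_AD = """
[global]
        workgroup = MYDOMAIN
        idmap config *:backend = tdb
        idmap config *:range = 100-2000
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 4000-99999
"""

# Same domain range with the rid backend (the variant the post says works).
SMB_CONF_RID = """
[global]
        idmap config *:backend = tdb
        idmap config *:range = 100-2000
        idmap config MYDOMAIN:backend = rid
        idmap config MYDOMAIN:range = 4000-99999
"""

# Constructed records standing in for ldbsearch/ldapsearch output.
# Machine accounts end in '$'; only some carry rfc2307 attributes.
AD_RECORDS = """
dn: CN=alice,CN=Users,DC=mydomain,DC=com
sAMAccountName: alice
objectSid: S-1-5-21-1111-2222-3333-1104
primaryGroupID: 513
uidNumber: 4001
gidNumber: 4000

dn: CN=VS-FILES,CN=Computers,DC=mydomain,DC=com
sAMAccountName: VS-FILES$
objectSid: S-1-5-21-1111-2222-3333-1106
primaryGroupID: 515

dn: CN=WS01,CN=Computers,DC=mydomain,DC=com
sAMAccountName: WS01$
objectSid: S-1-5-21-1111-2222-3333-1108
primaryGroupID: 515
uidNumber: 1500
gidNumber: 4000

dn: CN=WS02,CN=Computers,DC=mydomain,DC=com
sAMAccountName: WS02$
objectSid: S-1-5-21-1111-2222-3333-1109
primaryGroupID: 515
uidNumber: 4100
gidNumber: 4000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap_config(conf: str) -> IdmapConfig:
    """Collect 'idmap config DOMAIN:key = value' lines, keyed by upper-cased domain."""
    cfg: IdmapConfig = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(domain, {})
        if key == "range":
            lo, hi = (int(x) for x in value.split("-", 1))
            entry["range"] = (lo, hi)
        else:
            entry[key] = value.lower()
    return cfg


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated 'attr: value' records into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def overlapping_ranges(cfg: IdmapConfig) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges overlap (IDs would be ambiguous)."""
    names = [d for d in cfg if "range" in cfg[d]]
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = cfg[a]["range"], cfg[b]["range"]
            if alo <= bhi and blo <= ahi:
                pairs.append((a, b))
    return pairs


def map_account(rec: Dict[str, str], cfg: IdmapConfig, domain: str) -> Mapping:
    """Return ((uid, gid), 'ok') as the configured backend would, or (None, reason)."""
    entry = cfg[domain.upper()]
    lo, hi = entry["range"]
    backend = entry.get("backend")
    if backend == "ad":
        if "uidNumber" not in rec or "gidNumber" not in rec:
            return None, "ad: uidNumber/gidNumber not set, winbind has no mapping"
        uid, gid = int(rec["uidNumber"]), int(rec["gidNumber"])
        if not (lo <= uid <= hi and lo <= gid <= hi):
            return None, f"ad: {uid}/{gid} outside range {lo}-{hi}"
        return (uid, gid), "ok"
    if backend == "rid":
        base_rid = int(entry.get("base_rid", 0))
        rid = int(rec["objectSid"].rsplit("-", 1)[1])
        uid = rid - base_rid + lo
        gid = int(rec["primaryGroupID"]) - base_rid + lo
        if uid > hi or gid > hi:
            return None, f"rid: {uid}/{gid} above range {lo}-{hi}"
        return (uid, gid), "ok"
    return None, f"backend {backend!r} not modelled here"


def audit(conf: str, records: str, domain: str) -> Dict[str, Mapping]:
    """Map every record in the sample under the idmap config for `domain`."""
    cfg = parse_idmap_config(conf)
    return {r["sAMAccountName"]: map_account(r, cfg, domain) for r in parse_ldif(records)}


if __name__ == "__main__":
    for name, conf in (("ad", SMB_CONF_AD), ("rid", SMB_CONF_RID)):
        print(f"== backend {name}, overlaps: {overlapping_ranges(parse_idmap_config(conf))} ==")
        for sam, (ids, reason) in audit(conf, AD_RECORDS, "MYDOMAIN").items():
            print(f"{sam:12} {str(ids) if ids else '-':>14}  {reason}")
```

Run it and the ad pass shows the member server's own account and the machine with an out-of-range uidNumber as unmapped, while the rid pass maps all four; on a real member server the same question is answered by `wbinfo --sid-to-uid` against the machine SID and by checking the computer object's uidNumber/gidNumber with `ldbsearch`.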