Re: [Samba] problems with share permissions
- Date: Wed, 13 Dec 2017 08:29:49 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] problems with share permissions
On Tue, 12 Dec 2017 14:18:24 -0800
Jerry Lowry <jlowry@xxxxxxx> wrote:
> On a previous post I received this reply.
> B) You totally missed this: '# - Adding just this is not enough' when
> you cut and pasted it from the Samba wiki, you need to use the winbind
> 'rid' or 'ad' backend.
> My backend had been set to 'tdb'. I changed it to 'ad' as you
> suggested and the users were able to access the shares.
> this system is a file server, it is NOT a domain controller.
> I will read your pointer.
Jerry, please be honest here, you don't understand the wiki page I
pointed you to, do you ?
I have tried to make it as obvious as possible that you need to go to
another page for the DOMAIN setup, but it doesn't seem to be working,
not just for you, but others as well.
You must use 'tdb' for the '*' domain, but you also need 'idmap config'
lines for the 'Accounting' domain
If you don't want to add anything to AD, use the 'rid' backend, see
If you do want to add to AD and have the same IDs everywhere, use the
'ad' backend, see here:
> Jerold Lowry
> Principal Network/Systems Engineer
> Engineering Design Team (EDT), Inc. a HEICO company
> 3423 NW John Olsen Pl
> Hillsboro, Oregon 97124 (U.S.A.)
> Phone: 503-690-1234 / 800-435-4320
> Fax: 503-690-1243
> Web: _www.edt.com <http://www.edt.com/>_
> On 12/12/2017 2:09 PM, Rowland Penny via samba wrote:
> > On Tue, 12 Dec 2017 14:01:03 -0800
> > Jerry Lowry <jlowry@xxxxxxx> wrote:
> >> Sorry didn't scroll up far enough :)
> >> samba version : 4.4.4-14.el7_3
> >> also forgot that pictures don't transfer....it has been a tough
> >> week, this is Friday right?
> >> thanks
> >> Here is the global section:
> >> [global]
> >> workgroup = Accounting
> >> security = ADS
> >> realm = Accounting.edt.local
> >> log file = /var/log/samba/%m.log
> >> log level = 1
> >> # Default ID mapping configuration for local BUILTIN
> >> accounts # and groups on a domain member. The default (*) domain:
> >> # - must not overlap with any domain ID mapping
> >> configuration! # - must use a read-write-enabled back end, such as
> >> tdb. # - Adding just this is not enough
> >> # - You must set a DOMAIN backend configuration, see below
> >> idmap config * : backend = ad
> >> idmap config * : range = 1000000-2000000
> >> #
> > This is wrong, you cannot use the 'ad' backend for the default
> > domain, it should be 'tdb'.
> > You should also have 'idmap config' lines for the 'ACCOUNTING'
> > domain, can I suggest you go and read this wikipage again:
> > https://url.emailprotection.link/?a4H7AFc7q_vw3zlnkaZIenb4Cy2vfiz5ymNljCJltTIhZMpxcHixlZJzzZC2iUoV9esCNFjTEPhhyPl5MqJ5-YgvQsNby3NCGKY2xd1seGYzLifSreMbfxzK4Gzvd1Ebd
> > Just a thought, have you given your users a unique number inside the
> > '1000000-2000000' range and Domain Users a gidNumber inside the same
> > range, these attributes are not added automatically.
> > Rowland
To unsubscribe from this list go to the following URL and read the