Re: [Samba] Samba 4.5: trying to setup an omnios system as a DC member
- Date: Wed, 20 Jun 2018 09:15:19 +0200
- From: Andrea Cucciarrè via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Samba 4.5: trying to setup an omnios system as a DC member
Thanks, configuring the uidNumber and gidNumber on the AD fixed the
issue, now getent passwd works.

I just have one remaining issue, it seems the ACL doesn't work.
As an example, when I set ACL with full permission for user andrea:

    # /usr/bin/ls -ldV /cache/testsamba/
    d---------+ 3 root root 5 Jun 19 19:40 /cache/testsamba/

the user andrea can't mount the share.

I have added the following entry in smb.conf for ACL:

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

and the directory is shared as follows:

    available = yes
    browsable = yes
    path = /cache/testsamba
    read only = no

Am I missing something?
Thanks in advance

On 6/19/2018 5:52 PM, Rowland Penny via samba wrote:
On Tue, 19 Jun 2018 16:10:33 +0200
Andrea Cucciarrè via samba <samba@xxxxxxxxxxxxxxx> wrote:
I'm trying to setup an omnios system as a Samba DC member, and I need
AD backend for consistent IDs on all Samba clients.
The AD join is successful, the wbinfo shows the AD users
# /opt/samba/bin/wbinfo -n andrea
S-1-5-21-2680195940-2267646359-3814218302-1109 SID_USER (1)
however, " getent passwd ..." returns nothing for the user (all the
I have enabled debugging and I can see the following relevant error:
[2018/06/19 15:53:54.302030, 5, pid=638, effective(0, 0), real(0,
Search for (uid=andrea) in <dc=HYPERFILE,dc=NET> gave 0 replies
[2018/06/19 15:53:54.302082, 5, pid=638, effective(0, 0), real(0,
resolve_alias_to_username: backend query returned
[2018/06/19 15:53:54.309621, 5, pid=638, effective(0, 0), real(0,
Could not convert sid
Also the command wbinfo fails to convert the SID to UID
# /opt/samba/bin/wbinfo -S
S-1-5-21-2680195940-2267646359-3814218302-1109 failed to call
wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert sid
S-1-5-21-2680195940-2267646359-3814218302-1109 to uid
This is the relevant smb.conf:
log file = /opt/samba/log/%m.log
log level = 10
workgroup = HYPERFILE
security = ADS
realm = HYPERFILE.NET
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Data %h
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes
idmap config * : backend = tdb
idmap config * : range = 1000000-2000000
idmap config * : schema_mode = rfc2307
Hmm, the range is slightly excessive. The '*' domain is for the 'Well
Known SIDs' (and there are less than 200 of these) and anything outside
the domain, do you really expect around '999,800' users & groups from
outside the domain to connect to the domain ?
You also do not use 'idmap config * : schema_mode = rfc2307' with the
idmap config HYPERFILE:backend = ad
idmap config HYPERFILE:schema_mode = rfc2307
idmap config HYPERFILE:range = 1000-9999
idmap config HYPERFILE:unix_primary_group = yes
Do you really only have 8,999 users?
Do they have a uidNumber inside the '1000-9999' range?
Does 'Domain Users' have a gidNumber inside the same range?
Neither the uidNumber nor gidNumber attributes are added automatically,
you must add them manually.
And on the subject of the '1000-9999' range, do you not have any Unix
users other than the system users ?
Gestione problematica Andrea Cucciarrè
Technical Support Engineer | EMEA
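
An added example (not part of the original thread, and not Samba code): a small Python check for the points raised in the quoted reply, run over the idmap lines from the thread. It flags overlapping ranges and a schema_mode set on a non-ad backend, and tests whether a uidNumber or gidNumber falls inside the domain's range, since the ad backend ignores IDs outside it. The function names and the sample ID values are assumptions.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines quoted in the thread.
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 1000000-2000000
idmap config * : schema_mode = rfc2307
idmap config HYPERFILE:backend = ad
idmap config HYPERFILE:schema_mode = rfc2307
idmap config HYPERFILE:range = 1000-9999
idmap config HYPERFILE:unix_primary_group = yes
"""
LINE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    conf = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            domain, option, value = m.groups()
            conf.setdefault(domain.upper(), {})[option.lower()] = value
    return conf

def id_range(options):
    """Parse 'low-high' into a tuple, or None if absent or malformed."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", options.get("range", ""))
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None

def check_idmap(conf):
    """List problems: bad ranges, misplaced schema_mode, overlapping ranges."""
    findings = []
    for domain, opts in conf.items():
        if id_range(opts) is None:
            findings.append(f"{domain}: missing or invalid range")
        if "schema_mode" in opts and opts.get("backend", "").lower() != "ad":
            findings.append(f"{domain}: schema_mode is only read by the ad backend")
    for (d1, o1), (d2, o2) in combinations(conf.items(), 2):
        r1, r2 = id_range(o1), id_range(o2)
        if r1 and r2 and r1[0] <= r2[1] and r2[0] <= r1[1]:
            findings.append(f"{d1} and {d2}: ranges overlap")
    return findings

def id_in_range(conf, domain, idnum):
    """True if a uidNumber/gidNumber stored in AD lies inside the domain's range."""
    r = id_range(conf.get(domain.upper(), {}))
    return r is not None and r[0] <= idnum <= r[1]
```

Call `check_idmap(parse_idmap(SMB_CONF))` for the findings, and `id_in_range(conf, "HYPERFILE", n)` with each uidNumber or gidNumber you have set in AD.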