Web lists-archives.com

Re: [Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.




Cheers, that fixed it! :O) So, if I may summarise what we have just discussed.

1) All newly created samba users need to have the uidNumber attribute set to a unique value (within the range specified in smb.conf for SAMDOM) when using ad backend with RFC2307.

2) All new groups need to have the gidNumber set to a unique value (within the range specified in smb.conf for SAMDOM) when using ad backend with RFC2307.

3) Don't delete group Everyone - even though the Windows UI will let you do this it will actually break your file permissions :(



Could I possibly ask you a couple of further related questions about this uidnumber and gidnumber issue please?

1) Previously I found I could access the share I created as SAMDOM/Administrator. However when I checked using Windows RSAT ADUC there is apparently no uidNumber set for this Administrator account by default. Is that what you would expect to see, presumably I do not need to supply uidNumbers for built-in default accounts?


2) I originally created SAMDOM/stephenellwood at the the DC command-line like so:

sudo samba-tool user add your_domain_user --given-name=your_name --surname=your_username --mail-address=your_domain_user@xxxxxxxxxxx --login-shell=/bin/bash

The Samba docs here https://wiki.samba.org/index.php/Idmap_config_ad appear to suggest that the syntax I have used for my account creation command above is essentially incomplete given that I have also specified winbind nss info = rfc2307 in my smb.conf.

I am pretty sure that I need to add some extra command-line switches to my example above specify UID, home directory path, and primary group at account creation time as per the docs. Unfortunately though man samba-tool does not provide a full list of supported samba-tool user create command-line switches. What syntax would you recommend that I use for creating new users in my situation with samba-tool user create Rowland?

I do realise creating users in this fashion means having to track the last-used uidNumber manually somehow and thus might not be regarded as best practice.


3) Related to point two, had I instead created user SAMDOM/stephenellwood using the Windows RSAT ADUC tools would sensible uidNumber and gidNumber values have been chosen automatically potentially avoiding this entire problem? The Samba docs here (https://wiki.samba.org/index.php/Idmap_config_ad) are a little unclear about this point. They say "When using the ADUC utility, the user and group IDs are automatically tracked inside AD and incremented when creating a new user or group."

The problem is I am unsure if userID == uidNumber, and likewise groupID = gidNumber or if these are actually different parameters.

Thanks
Stephen Ellwood



On 01/04/2019 15:26, Rowland Penny via samba wrote:
On Mon, 1 Apr 2019 15:12:21 +0100
Stephen via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi Rowland, thanks for your suggestions. I have read and re-read the
Samba docs to try and understand where I went wrong here.

I added the uidNumber and gidNumber exactly as per your comments and
that seems to improve the situation markedly. I can now at least see
that the share exists from SAMDOM\stephenellwood which wasn't
possible before. File access is now possible from
SAMDOM/stephenellwood when I configure NTFS security permissions to
allow read and write access for group Everyone.

I am still seeing issues with fileshare access from custom AD groups
though. For example, I removed the NTFS security permissions access
to group Everyone on my share.
Put 'Everyone' back, you need it ;-)

I then created a group OgdenFilesUsers
using the ADUC RSAT tool and added SAMDOM/stephenellwood to this.
Even when security permissions are set for OgdenFilesUsers to allow
read and write permissions it still won't seem to allow access. For
good measure I then went and set the gidNumber attribute for my newly
created OgdenFilesUsers group to 10001 but that didn't make any
difference.

Try reading this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba