[Samba] winbind problems

Rowland Penny rowlandpenny241155 at gmail.com
Fri Nov 13 14:57:52 UTC 2015 

On 13/11/15 14:41, Dale Schroeder wrote:
> On 11/13/2015 2:20 AM, Rowland Penny wrote:
>> On 12/11/15 21:37, Dale Schroeder wrote:
>>> On 11/12/2015 2:59 PM, Rowland Penny wrote:
>>>> On 12/11/15 20:31, Dale Schroeder wrote:
>>>>> OK, try this smb.conf, don't add anything else until you have 
>>>>> getent working:
>>>>>>
>>>>>> [global]
>>>>>>     workgroup = DOMAIN
>>>>>>     security = ADS
>>>>>>     realm = DOMAIN.COM
>>>>>>     dedicated keytab file = /etc/krb5.keytab
>>>>>>     kerberos method = secrets and keytab
>>>>>>     idmap config * : range = 1000000-2000000
>>>>>>     idmap config * : backend = tdb
>>>>>>     idmap config DOMAIN : range = 1000-2000
>>>>>>     idmap config DOMAIN : backend = rid
>>>>>>     winbind nss info = template
>>>>>>     winbind trusted domains only = no
>>>>>>     winbind use default domain = yes
>>>>>>     winbind enum users = Yes
>>>>>>     winbind enum groups = Yes
>>>>>>     winbind refresh tickets = Yes
>>>>>>     winbind offline logon = Yes
>>>>>>     username map = /etc/samba/users.map
>>>>>>     template homedir = /data/users/%U
>>>>>>     template shell = /bin/bash
>>>>>>     vfs objects = acl_xattr
>>>>>>     map acl inherit = yes
>>>>>>     store dos attributes = yes
>>>>>>
>>>>>> The above should work against an AD DC
>>>>>>
>>>>>> Your users.map should be:
>>>>>>
>>>>>> !root = DOMAIN\Administrator DOMAIN\administrator
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>> Thanks, Rowland.  I've gotten it working for the most part. There 
>>>>> are some permissions issues with vfs recycle, but I'll have to 
>>>>> work those out later.
>>>>>
>>>>> Just to satisfy my curiosity more than anything, I'd like to 
>>>>> clarify a few things.
>>>>>
>>>>> 1.  What is the benefit of using 'secrets and keytab'? All of my 
>>>>> other member servers seem to function OK with the default 'secrets 
>>>>> only'.
>>>>
>>>> It tries to use the secrets.tdb first for kerberos verification and 
>>>> if it cannot do this, it uses the system keytab, bit of a belt & 
>>>> braces situation really.
>>>>
>>>>> 2.  What does the syntax of the users.map file that you have 
>>>>> presented mean, or maybe it would be better stated as what does it 
>>>>> do?  That is nothing at all like the mapping files I have used for 
>>>>> the past 12 years.  I have seen this before, but have never seen 
>>>>> an explanation of it.
>>>>
>>>> Fairly simple, it maps the windows domain Administrator to the 
>>>> local Unix 'root' user, you can then change file permissions on 
>>>> samba Unix shares from windows.
>>> Then ! is not being interpreted as "not", which is how I interpreted 
>>> it. :-D   To me, it looks like it's saying the users on the right 
>>> side of the equal sign are "not root". Like I said, it's hard to 
>>> wrap my head around the syntax.  It looks like the inverse of what 
>>> it actually is.
>>>>
>>>>>
>>>>> 3.  Some time back, you mentioned the name of the file in Debian 
>>>>> that listed the default mount options.  Would you please state it 
>>>>> again?  I can't seem to locate that particular email in the archives.
>>>>
>>>> Well I would if could, but what do you mean by 'default mount 
>>>> options' ? autofs ? cifs ? ???
>>> Actually, I was thinking of the ext4 defaults for mount options in 
>>> fstab.  At least, that's how I'm remembering it. Then again, my 
>>> memory is not what it used to be. ;-)
>>>
>>
>> Ah, those mount options in fstab, if you are using ext4, then it is 
>> simple, you do not need to add any. All the ones that various 
>> websites tell you to add, are already part of the default settings.
>>
>> see: https://www.kernel.org/doc/Documentation/filesystems/ext4.txt
>>
>> Rowland
>>
>>
> There is a lot of information in that document, but I did not find the 
> definitive answer to "defaults equals what?".  I did finally find a 
> Linux Mint article dated 11/12/14 
> (http://community.linuxmint.com/tutorial/view/1513) that states the 
> following:
>
> *defaults *- Use default settings. Equivalent to rw, suid, dev, exec, 
> auto, nouser, async.
>
> There is no mention of acl, user_xattr, or journal_checksum - options 
> that I routinely use.  Basically, I'm trying to find out if anything 
> has changed since that time (Debian specific), and, up until now, such 
> documentation has been extremely hard to find. Anything else that you 
> can provide will be greatly appreciated.
>
> Thanks again.
>
> Dale
>

Well, I would have thought that a link to www.kernel.org would beat a 
link to a distro.

If you look on the link that I posted, you will find ' barrier=<0|1(*)', 
'nouser_xattr' and 'noacl' . These are what you have to *add* to fstab 
to turn off barrier (in this case it would have to be 'barrier=0'), 
user_xattr and acl.

As for 'journal_checksum' , this is not something I use and would seem 
to be something you would have to add.

Rowland

More information about the samba mailing list