[Samba] winbind problems
Rowland Penny
rowlandpenny241155 at gmail.com
Fri Nov 13 14:57:52 UTC 2015
On 13/11/15 14:41, Dale Schroeder wrote:
> On 11/13/2015 2:20 AM, Rowland Penny wrote:
>> On 12/11/15 21:37, Dale Schroeder wrote:
>>> On 11/12/2015 2:59 PM, Rowland Penny wrote:
>>>> On 12/11/15 20:31, Dale Schroeder wrote:
>>>>> OK, try this smb.conf, don't add anything else until you have
>>>>> getent working:
>>>>>>
>>>>>> [global]
>>>>>> workgroup = DOMAIN
>>>>>> security = ADS
>>>>>> realm = DOMAIN.COM
>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>> kerberos method = secrets and keytab
>>>>>> idmap config * : range = 1000000-2000000
>>>>>> idmap config * : backend = tdb
>>>>>> idmap config DOMAIN : range = 1000-2000
>>>>>> idmap config DOMAIN : backend = rid
>>>>>> winbind nss info = template
>>>>>> winbind trusted domains only = no
>>>>>> winbind use default domain = yes
>>>>>> winbind enum users = Yes
>>>>>> winbind enum groups = Yes
>>>>>> winbind refresh tickets = Yes
>>>>>> winbind offline logon = Yes
>>>>>> username map = /etc/samba/users.map
>>>>>> template homedir = /data/users/%U
>>>>>> template shell = /bin/bash
>>>>>> vfs objects = acl_xattr
>>>>>> map acl inherit = yes
>>>>>> store dos attributes = yes
>>>>>>
>>>>>> The above should work against an AD DC
>>>>>>
>>>>>> Your users.map should be:
>>>>>>
>>>>>> !root = DOMAIN\Administrator DOMAIN\administrator
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>> Thanks, Rowland. I've gotten it working for the most part. There
>>>>> are some permissions issues with vfs recycle, but I'll have to
>>>>> work those out later.
>>>>>
>>>>> Just to satisfy my curiosity more than anything, I'd like to
>>>>> clarify a few things.
>>>>>
>>>>> 1. What is the benefit of using 'secrets and keytab'? All of my
>>>>> other member servers seem to function OK with the default 'secrets
>>>>> only'.
>>>>
>>>> It tries to use the secrets.tdb first for kerberos verification and
>>>> if it cannot do this, it uses the system keytab, bit of a belt &
>>>> braces situation really.
>>>>
>>>>> 2. What does the syntax of the users.map file that you have
>>>>> presented mean, or maybe it would be better stated as what does it
>>>>> do? That is nothing at all like the mapping files I have used for
>>>>> the past 12 years. I have seen this before, but have never seen
>>>>> an explanation of it.
>>>>
>>>> Fairly simple, it maps the windows domain Administrator to the
>>>> local Unix 'root' user, you can then change file permissions on
>>>> samba Unix shares from windows.
>>> Then ! is not being interpreted as "not", which is how I interpreted
>>> it. :-D To me, it looks like it's saying the users on the right
>>> side of the equal sign are "not root". Like I said, it's hard to
>>> wrap my head around the syntax. It looks like the inverse of what
>>> it actually is.
>>>>
>>>>>
>>>>> 3. Some time back, you mentioned the name of the file in Debian
>>>>> that listed the default mount options. Would you please state it
>>>>> again? I can't seem to locate that particular email in the archives.
>>>>
>>>> Well I would if I could, but what do you mean by 'default mount
>>>> options' ? autofs ? cifs ? ???
>>> Actually, I was thinking of the ext4 defaults for mount options in
>>> fstab. At least, that's how I'm remembering it. Then again, my
>>> memory is not what it used to be. ;-)
>>>
>>
>> Ah, those mount options in fstab, if you are using ext4, then it is
>> simple, you do not need to add any. All the ones that various
>> websites tell you to add, are already part of the default settings.
>>
>> see: https://www.kernel.org/doc/Documentation/filesystems/ext4.txt
>>
>> Rowland
>>
>>
> There is a lot of information in that document, but I did not find the
> definitive answer to "defaults equals what?". I did finally find a
> Linux Mint article dated 11/12/14
> (http://community.linuxmint.com/tutorial/view/1513) that states the
> following:
>
> *defaults* - Use default settings. Equivalent to rw, suid, dev, exec,
> auto, nouser, async.
>
> There is no mention of acl, user_xattr, or journal_checksum - options
> that I routinely use. Basically, I'm trying to find out if anything
> has changed since that time (Debian specific), and, up until now, such
> documentation has been extremely hard to find. Anything else that you
> can provide will be greatly appreciated.
>
> Thanks again.
>
> Dale
>
Well, I would have thought that a link to www.kernel.org would beat a
link to a distro.

If you look on the link that I posted, you will find 'barrier=<0|1(*)',
'nouser_xattr' and 'noacl'. These are what you have to *add* to fstab
to turn off barrier (in this case it would have to be 'barrier=0'),
user_xattr and acl.

As for 'journal_checksum', this is not something I use and would seem
to be something you would have to add.

Rowland
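
Added example (not part of the original thread, and not Samba's own code): a small Python model of the username map syntax asked about in question 2, showing that a leading '!' means "stop processing after this line if it matched", as smb.conf(5) describes, rather than "not". The `guest = *` wildcard line is a constructed sample; @group entries are not handled, and case-insensitive matching against the original client name is an assumption.

```python
import re

# Constructed sample: the users.map line from the thread, followed by a
# wildcard line of the kind smb.conf(5) uses to motivate '!'.
SAMPLE_MAP = r"""
# comment lines start with '#' or ';'
!root = DOMAIN\Administrator DOMAIN\administrator
guest = *
"""


def parse_username_map(text):
    """Return a list of (unix_name, [client_names], stop_on_match) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        stop = line.startswith("!")  # '!' flags the line, it does not negate it
        if stop:
            line = line[1:]
        unix_name, rhs = line.split("=", 1)
        # Right-hand names are whitespace separated; double quotes allow spaces.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', rhs)]
        rules.append((unix_name.strip(), names, stop))
    return rules


def map_user(client_name, rules):
    """Apply rules top to bottom; a matching '!' rule ends processing."""
    result = client_name
    for unix_name, names, stop in rules:
        # Assumption: names compare case-insensitively; '*' matches anyone.
        hit = any(n == "*" or n.lower() == client_name.lower() for n in names)
        if hit:
            result = unix_name
            if stop:
                break  # without '!', a later line (e.g. 'guest = *') would win
    return result


if __name__ == "__main__":
    rules = parse_username_map(SAMPLE_MAP)
    for name in (r"DOMAIN\Administrator", r"DOMAIN\dale"):
        print(name, "->", map_user(name, rules))
```

Every name on the right-hand side of a `root` line gets root's file permissions on the member server, so that line is the one to review when auditing a users.map.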