[Samba] using Windows AD unwanted Group rights get applied to new Files
Rowland Penny
rpenny at samba.org
Tue Aug 7 12:38:24 UTC 2018
On Tue, 7 Aug 2018 11:52:31 +0000
VELARTIS Philipp Dürhammer <p.duerhammer at velartis.at> wrote:
> Hi,
>
> Ubuntu 16.04 newest updates. Windows 2016 Server RD and
> Domain controller. When we set the rights through Windows everything
> is fine. But creating files on a Windows share always adds the primary
> group "Domänen-Benutzer" to the file. And every user is in this
> group. This just breaks permissions...
Can I suggest you remove these lines:
idmap uid = 10000-100000000
idmap gid = 10000-100000000
password server = dc1.vhh.local, dc2.vhh.local
wins server 10.0.118.2 10.0.118.3
encrypt passwords = true
client use spnego = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = true
winbind offline logon = false
dns forwarder = 10.0.118.2
idmap_ldb:use rfc2307 = yes
They are either default settings, deprecated or just plain shouldn't be
in a Unix domain member's smb.conf.
You also have in the [sc1_main] share:
writeable = yes
read only = no
You only need one, I am sure if you look hard enough at those lines,
you will realise they mean the same thing ;-)
We now come to your real problem, where did you get this from?
idmap backend = idmap_rid:VHH=10000-100000000
I would have expected something like this:
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config VHH : backend = rid
idmap config VHH : range = 10000-999999
Not that it would help you with your problem with 'Domain Users'.
By default, every AD user is a member of 'Domain Users' and so, when
you use the 'rid' backend every Unix user gets the group as their
primary group.
The only way to change this is by using a version of Samba >= 4.6.0 and
using the 'ad' backend with idmap config lines similar to these:
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config VHH : backend = ad
idmap config VHH : schema_mode = rfc2307
idmap config VHH : unix_nss_info = yes
idmap config VHH : unix_primary_group = yes
idmap config VHH : range = 10000-999999
You would then need to give all your users a unique uidNumber attribute
containing a number inside the range you set in smb.conf. You would
also need to give each user a gidNumber attribute containing the
gidNumber of the required group to use instead of 'Domain Users'.
Rowland
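The difference between the two configurations in the reply can be checked before touching a live domain member. The following is an added example, not Rowland's code and not part of Samba: it parses the `idmap config` lines from the two fragments quoted above (copied here as constructed strings), flags overlapping or missing ranges, and then shows which Unix primary gid each user ends up with. The `rid` backend computes ids from the RID (so 'Domain Users', RID 513, becomes gid `range_low + 513` for everyone, attributes ignored); the `ad` backend with `unix_primary_group = yes` takes the gid from the user's `gidNumber`, which must exist and lie inside the domain's range. The user records and the gidNumber of 'Domain Users' are invented sample data; the treatment of a missing or out-of-range `gidNumber` as "not mappable" is this checker's simplification of the requirement stated in the mail.

```python
import re

DOMAIN_USERS_RID = 513  # well-known RID of 'Domain Users'

# Constructed smb.conf fragments, taken from the two variants in the mail.
RID_CONF = """
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config VHH : backend = rid
idmap config VHH : range = 10000-999999
"""

AD_CONF = """
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config VHH : backend = ad
idmap config VHH : schema_mode = rfc2307
idmap config VHH : unix_nss_info = yes
idmap config VHH : unix_primary_group = yes
idmap config VHH : range = 10000-999999
"""

# Constructed user records (as if read from the users' AD objects); all values invented.
USERS = {
    "alice": {"uidNumber": 10005, "gidNumber": 10100},  # both rfc2307 attributes set
    "bob":   {"uidNumber": 10006},                      # gidNumber never assigned
    "carol": {"uidNumber": 5000,  "gidNumber": 10100},  # uidNumber outside the VHH range
}

_IDMAP = re.compile(r"^\s*idmap config\s*(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(text):
    """Collect 'idmap config <dom> : <key> = <value>' lines into {DOM: {key: value}}."""
    cfg = {}
    for line in text.splitlines():
        m = _IDMAP.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[key] = val
    for opts in cfg.values():
        if "range" in opts:  # "10000-999999" -> (10000, 999999)
            lo, hi = opts["range"].split("-")
            opts["range"] = (int(lo), int(hi))
    return cfg


def check_config(cfg):
    """Return a list of human-readable problems; empty list means the idmap block looks sane."""
    problems = []
    if "*" not in cfg:
        problems.append("no 'idmap config *' default domain")
    seen = []
    for dom, opts in cfg.items():
        if opts.get("backend") not in ("tdb", "rid", "ad", "autorid"):
            problems.append(f"{dom}: unknown or missing backend {opts.get('backend')!r}")
        if "range" not in opts:
            problems.append(f"{dom}: no range set")
            continue
        lo, hi = opts["range"]
        if lo >= hi:
            problems.append(f"{dom}: empty range {lo}-{hi}")
        for odom, (olo, ohi) in seen:  # ranges of different domains must not overlap
            if lo <= ohi and olo <= hi:
                problems.append(f"{dom}: range overlaps {odom}")
        seen.append((dom, (lo, hi)))
    return problems


def primary_gid(cfg, domain, user):
    """Unix primary gid the user would get, or None when winbind cannot map the user."""
    opts = cfg[domain.upper()]
    lo, hi = opts["range"]
    backend = opts["backend"]
    if backend == "rid":
        # ids are computed from the RID; AD attributes play no part, so every
        # user's primary group is 'Domain Users' at range_low + 513
        return lo + DOMAIN_USERS_RID
    if backend == "ad":
        uid = user.get("uidNumber")
        if uid is None or not lo <= uid <= hi:
            return None  # no usable uidNumber: the user is not mapped at all
        gid = user.get("gidNumber")
        if opts.get("unix_primary_group", "no").lower() == "yes":
            # simplification: a missing/out-of-range gidNumber is reported as unmappable
            return gid if gid is not None and lo <= gid <= hi else None
        return None  # primaryGroupID path not modelled in this checker
    raise ValueError(f"backend {backend!r} not modelled here")


def audit_users(cfg, domain, users):
    """Map every user name to its resulting primary gid (or None)."""
    return {name: primary_gid(cfg, domain, attrs) for name, attrs in users.items()}


if __name__ == "__main__":
    for label, conf in (("rid", RID_CONF), ("ad", AD_CONF)):
        cfg = parse_idmap(conf)
        print(label, "problems:", check_config(cfg) or "none")
        print(label, "primary gids:", audit_users(cfg, "VHH", USERS))
```

Run against the two fragments, the `rid` variant maps all three users to gid 10513 ('Domain Users'), while the `ad` variant gives alice her gidNumber 10100 and reports bob (no gidNumber) and carol (uidNumber outside the range) as unmappable, which is exactly the attribute work the reply says has to be done before switching backends.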