[Samba] Samba domain name in short format

Sun, Zhongdong zhongdong.sun at yale.edu
Fri May 10 19:02:04 UTC 2024


Hi Rowland,

Thanks for your advice. I discussed this with my manager and we will plan to upgrade the old system. But this will not be finished in a short time.

After reading many old emails in this forum, I made some changes to our Samba settings. First, we turned on winbind and added all necessary packages and setup for winbind. Finally, we can log in with the short format, such as YALE\zs24. Thanks a lot to everyone in this forum.

However, I have met with another very strange problem in Samba. I can map most shares from this server, but some folders cannot be accessed. I compared this with other folders and found that these folders have special permissions. One example is the folder /data1/petfaculty/, which has this permission.
drwxrwx--- 93 hrrt petfaculty 12288 May  7 21:34 /data1/petfaculty/
In other words, it only allows users in the petfaculty group to access it. I'm sure my account is in this group. Actually, I can access this folder on a Linux machine, but cannot access it via Samba. The smb status command shows some error messages like this.
chdir_current_service: vfs_ChDir(/data1/petfaculty) failed: Permission denied. Current token: uid=504, gid=505, 4 groups: 10003 10004 50054 10001
Here, 504 is my uid and 505 is my primary gid in the Linux system. For some reason, Samba cannot understand my other groups.
[root at hecate etc]# id zs24
uid=504(zs24) gid=505(pet) groups=505(pet),3525(CITlab),3505(admins),3528(calendar),3529(data16_private_folder),3527(deepimage),3521(draco),3523(git),3531(hecate),3535(nxtool),3517(orion),3526(pcfh),3524(petchem),3516(petfaculty),3530(pisces),3534(sagitta),3532(scorpio),3520(svn),3522(tech),502(xeons)

I tried to change this line in the smb.conf file since someone said winbind didn't like sss. I tried ad, nss, nis, but they made no difference.
    idmap config YALE : backend = sss
Could you or someone else provide more advice on what's going wrong here?

Thanks.
Zhongdong
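A quick way to make the mismatch in the mail above concrete, as an added example (not code from the original post or from the Samba project): the script parses the `id zs24` output and the "Current token:" part of the smbd log line, then lists which of the user's Linux groups never made it into the token smbd built for the session, and which token groups NSS on the host has no name for. The two sample inputs are the lines quoted in the mail; the required gid 3516 (petfaculty) is the group on the share directory, and the expected uid/gid values are taken from the same lines.

```python
import re

# Constructed sample inputs, copied from the mail above: the output of `id zs24`
# on the Linux host and the smbd log line carrying the security token.
ID_OUTPUT = (
    "uid=504(zs24) gid=505(pet) groups=505(pet),3525(CITlab),3505(admins),"
    "3528(calendar),3529(data16_private_folder),3527(deepimage),3521(draco),"
    "3523(git),3531(hecate),3535(nxtool),3517(orion),3526(pcfh),3524(petchem),"
    "3516(petfaculty),3530(pisces),3534(sagitta),3532(scorpio),3520(svn),"
    "3522(tech),502(xeons)"
)
TOKEN_LINE = (
    "chdir_current_service: vfs_ChDir(/data1/petfaculty) failed: Permission denied. "
    "Current token: uid=504, gid=505, 4 groups: 10003 10004 50054 10001"
)


def parse_id(output):
    """Parse `id` output into (uid, primary gid, {gid: group name})."""
    uid = int(re.search(r"uid=(\d+)", output).group(1))
    gid = int(re.search(r"\bgid=(\d+)", output).group(1))
    groups_field = re.search(r"groups=(.*)$", output).group(1)
    groups = {int(m.group(1)): m.group(2)
              for m in re.finditer(r"(\d+)\(([^)]*)\)", groups_field)}
    return uid, gid, groups


def parse_token(line):
    """Parse the 'Current token:' part of an smbd log line into (uid, gid, {gids})."""
    m = re.search(r"Current token: uid=(\d+), gid=(\d+), (\d+) groups:((?: \d+)*)", line)
    if not m:
        raise ValueError("no security token in line: %r" % line)
    uid, gid, count = int(m.group(1)), int(m.group(2)), int(m.group(3))
    gids = {int(g) for g in m.group(4).split()}
    if len(gids) != count:
        raise ValueError("token announces %d groups but lists %d" % (count, len(gids)))
    return uid, gid, gids


def compare(id_output, token_line, required_gid=None):
    """Report how the NSS view of the user differs from the token smbd built.

    required_gid is the group owning the share directory (3516 = petfaculty
    here); traversing a 'drwxrwx---' directory needs it in the token.
    """
    nss_uid, nss_gid, nss_groups = parse_id(id_output)
    tok_uid, tok_gid, tok_groups = parse_token(token_line)
    # NSS repeats the primary group under groups=; the token keeps it in gid=.
    nss_supp = set(nss_groups) - {nss_gid}
    return {
        "uid_match": nss_uid == tok_uid and nss_gid == tok_gid,
        # Groups the Linux host knows about but smbd never put in the token
        "missing_from_token": sorted(nss_supp - tok_groups),
        # Groups in the token that NSS on this host has no name for
        "unknown_in_token": sorted(tok_groups - nss_supp),
        "required_present": (required_gid is None
                             or required_gid in tok_groups | {tok_gid}),
    }


if __name__ == "__main__":
    report = compare(ID_OUTPUT, TOKEN_LINE, required_gid=3516)
    _, _, names = parse_id(ID_OUTPUT)
    print("uid/gid match:", report["uid_match"])
    print("required group in token:", report["required_present"])
    print("missing from token:",
          ", ".join("%d(%s)" % (g, names[g]) for g in report["missing_from_token"]))
    print("in token but unknown to NSS:", report["unknown_in_token"])
```

Run as-is it reports that none of the 19 supplementary groups from NSS are in the token and that the four token groups (10001, 10003, 10004, 50054) have no NSS name on the host, which suggests smbd's group list is being built from a different ID source than the one `id` consults; that is the thing to chase in the winbind/idmap configuration rather than the directory permissions.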


-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Wednesday, May 8, 2024 1:42 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba domain name in short format

On Tue, 7 May 2024 22:19:38 +0000
"Sun, Zhongdong" <zhongdong.sun at yale.edu> wrote:

> Hi Rowland,
>
> You are right. We are running some old software here, such as NIS.
> All this started 20 years ago when I joined the group and we had
> about 20-30 workstations running Linux. NIS was chosen at that time to
> manage user accounts. Some users were not familiar with Linux, so we
> provided Samba to them so that they could map Linux file systems to
> their computers. I know NIS is old technology and can be replaced with
> others, such as LDAP. But this is a clinical research environment and it
> is very difficult to change the system. We have to live with this system.

Even 20 years ago NIS was dying and I have since found out that NIS has been removed from RHEL 9. I really think you need to seriously consider upgrading your setup.

>
> Fortunately, NIS is only used to manage accounts. And user
> authentication occurs in AD.

Samba, if used correctly, can manage the account, but you would have to join it to the AD domain and probably use the 'ad' idmap backend with RFC2307 attributes, that is if the current ID numbers must be used.

> So there is not too much security
> concern here. I'll say it's not easy to manage such a complicated and
> a little outdated system in a production environment, because we
> cannot shut down the system for upgrade or maintenance. For the Samba
> server, I just leave the production server running, and use another
> server to test new versions of Samba. If it works, we may switch to the
> new server as the production system. Otherwise, we have to keep the
> current Samba server running.
>
> For the test Samba server, I followed the instructions to set up Samba,
> but without winbind. In my test, everything works except that it
> cannot recognize the short domain name YALE. If I use the full domain
> name yu.yale.edu, everything works well. But it's difficult to ask all
> users to use the long format. I think this seems to be a DNS issue. But
> I don't know how to tell the Samba server to resolve the short name YALE
> as long name yu.yale.edu. I wonder if you or any experts here can
> provide any advice on this.

If you run Samba without winbind, then it cannot be joined to a domain and can only be a standalone server.

When it comes to the domain names, 'yu.yale.edu' looks like it is the AD dns domain (which means the kerberos realm will be 'YU.YALE.EDU'), 'YALE' will be the NetBIOS domain name, which is also known as the workgroup name or 'pre-windows 2000' domain name. So, while 'yu.yale.edu' seems to be working for you, I do not think 'YALE' not working is a dns problem, NetBIOS doesn't use dns.

Here is what I suggest you do: set up a test VM using Debian 12 and I will then talk you through joining that to your AD using Samba. You can then test its capabilities to see if you could use it instead of your present setup. The only 'problem' I can see is the NFS shares, it isn't a good idea to re-share them via Samba to Windows, you would probably be better off getting the Linux machines to use Samba instead. My rule of thumb is:
All Linux machines, use NFS
A mixture of Linux and Windows machines, use Samba.

A side effect of using Samba is that your users will be able to log on using 'username' instead of 'YALE\username' or 'yu.yale.edu\username' if required.

Rowland
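The configuration shape Rowland describes above, written out as an added example (not taken from the original mail or from the Samba project's documentation): a member server joined to the yu.yale.edu AD domain, 'YALE' as the NetBIOS/workgroup name, winbind enabled, and the 'ad' idmap backend reading the RFC2307 uidNumber/gidNumber attributes so the existing ID numbers are kept. The two ranges are assumptions; the YALE range must cover every ID already in use (the `id` output earlier in the thread shows numbers from 502 up to 3535), because the idmap range acts as a filter and IDs outside it are ignored.

```ini
[global]
   workgroup = YALE
   realm = YU.YALE.EDU
   security = ADS

   # Default domain (BUILTIN and anything that is not YALE): allocate from
   # a private range that cannot collide with the existing Unix IDs.
   idmap config * : backend = tdb
   idmap config * : range = 3000000-3999999

   # YALE: take uidNumber/gidNumber from AD (RFC2307) instead of allocating.
   # The range is assumed; it has to include every existing uid and gid.
   idmap config YALE : backend = ad
   idmap config YALE : schema_mode = rfc2307
   idmap config YALE : range = 500-9999
   idmap config YALE : unix_nss_info = yes

   # Lets users log on as 'username' rather than 'YALE\username'.
   winbind use default domain = yes
```

Switching only the backend keyword (as tried earlier in the thread with ad, nss and nis) is not enough on its own: the 'ad' backend also needs the host to be joined to the domain and a range that includes the IDs it should return, and `testparm -s` is the quick check that the file parses and that winbind is actually consulted.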


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba