[Samba] Samba domain name in short format

Rowland Penny rpenny at samba.org
Fri May 10 20:07:20 UTC 2024


On Fri, 10 May 2024 19:02:04 +0000
"Sun, Zhongdong" <zhongdong.sun at yale.edu> wrote:

> Hi Rowland,
> 
> Thanks for your advice. I discussed this with my manager and we will
> plan to upgrade the old system. But this will not be finished within a
> short time.
> 
> After reading many old emails in this forum, I made some changes in
> our Samba settings. First, we turned on winbind and added all
> necessary packages and setup for winbind. Finally, we can login with
> the short format, such as YALE\zs24. Thanks a lot for everyone in
> this forum.
> 
> However, I meet with another very strange problem in the Samba. I can
> map most shares from this server, but some folders cannot be
> accessed. I compare this with other folders, and find these folders
> have special permissions. One example is the folder
> /data1/petfaculty/ which has this permission.
> 
> drwxrwx--- 93 hrrt petfaculty 12288 May  7 21:34 /data1/petfaculty/
> 
> In other words, it only allows users in petfaculty group access it.
> I'm sure my account is in this group. Actually, I can access this
> folder in Linux machine, but cannot access it via Samba. The smb
> status command shows some error messages like this.
> 
> chdir_current_service: vfs_ChDir(/data1/petfaculty) failed: Permission denied.
> Current token: uid=504, gid=505, 4 groups: 10003 10004 50054 10001
> 
> Here, 504 is my uid and 505 is my primary gid in the Linux system.
> For some reason, Samba cannot understand my other groups.
> 
> [root at hecate etc]# id zs24
> uid=504(zs24) gid=505(pet)
> groups=505(pet),3525(CITlab),3505(admins),3528(calendar),3529(data16_private_folder),3527(deepimage),3521(draco),3523(git),3531(hecate),3535(nxtool),3517(orion),3526(pcfh),3524(petchem),3516(petfaculty),3530(pisces),3534(sagitta),3532(scorpio),3520(svn),3522(tech),502(xeons)

I suggest you read the relevant manpages: man idmap_*
Where '*' is one of 'rid', 'autorid', 'ad', 'nss'
There isn't a 'nis' idmap backend.

The 'rid' and 'autorid' both use the AD user or group RID and the DOMAIN low range you set in the smb.conf file.
The 'rid' backend uses this formula:
 
ID = RID - BASE_RID + LOW_RANGE_ID

The 'BASE_RID' defaults to '0', it is really:

ID = RID + LOW_RANGE_ID

'autorid' uses a similar formula.

The 'ad' backend relies on RFC2307 attributes being added to AD, they are not there by default.

The 'nss' backend requires both an AD user or group and a Unix user or group, both with the same name. 

There is also a parameter 'min domain uid' which defaults to '1000', try setting 'min domain uid = 500' in smb.conf

> 
> I tried to change this line in smb.conf file since someone said
> winbind didn't like sss. I tried ad, nss, nis, but they had no
> difference. idmap config YALE : backend = sss Could you or someone
> else provide more advice on what's going wrong here?

It isn't that the sss idmap backend isn't liked by winbind, it is that
it's only really used by sssd and if you are using winbind with Samba
(and if you set 'security = ADS' or 'server role = member server', you
must), then you do not need sssd, in fact, in my opinion, you will be
better off without it.

Rowland
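The following Python script is an added example written for this page; it is not code from the thread or from the Samba project. It implements the idmap_rid formula quoted in the reply (ID = RID - BASE_RID + LOW_RANGE_ID, with the result only valid inside the configured range), checks a uid against the 'min domain uid' threshold the reply mentions, and then compares the Unix group list from the quoted `id zs24` output with the group list in the quoted smbd "Current token" line to show why a mode-0770 directory owned by group petfaculty (gid 3516) is refused over SMB but not at a shell. The function names, the range values used in the usage section, and the single-line rendering of the `id` output are assumptions made for the example.

```python
import re

# Constructed from the figures quoted in the thread (joined onto one line, as `id` prints it).
ID_OUTPUT = ("uid=504(zs24) gid=505(pet) groups=505(pet),3525(CITlab),3505(admins),"
             "3528(calendar),3529(data16_private_folder),3527(deepimage),3521(draco),"
             "3523(git),3531(hecate),3535(nxtool),3517(orion),3526(pcfh),3524(petchem),"
             "3516(petfaculty),3530(pisces),3534(sagitta),3532(scorpio),3520(svn),"
             "3522(tech),502(xeons)")
# Constructed from the smbd log line quoted in the thread.
TOKEN_LINE = "Current token: uid=504, gid=505, 4 groups: 10003 10004 50054 10001"


def rid_to_id(rid, low_range_id, high_range_id, base_rid=0):
    """idmap_rid formula from the reply: ID = RID - BASE_RID + LOW_RANGE_ID.
    The backend only answers for IDs inside its configured range, so a result
    outside [low_range_id, high_range_id] is reported as unmapped (None)."""
    unix_id = rid - base_rid + low_range_id
    if unix_id < low_range_id or unix_id > high_range_id:
        return None
    return unix_id


def below_min_domain_uid(uid, min_domain_uid=1000):
    """True if a mapped uid is below 'min domain uid' (default 1000 per the reply).
    The thread's uid 504 trips this unless the parameter is lowered to 500."""
    return uid < min_domain_uid


def parse_id_output(text):
    """Return (uid, primary_gid, {gid: name}) from the output of `id <user>`."""
    m = re.search(r"uid=(\d+)\([^)]+\) gid=(\d+)\([^)]+\) groups=(.*)", text)
    if m is None:
        raise ValueError("not `id` output")
    groups = {int(gid): name for gid, name in re.findall(r"(\d+)\(([^)]+)\)", m.group(3))}
    return int(m.group(1)), int(m.group(2)), groups


def parse_token(line):
    """Return (uid, gid, [supplementary gids]) from an smbd 'Current token:' log line."""
    m = re.search(r"uid=(\d+), gid=(\d+), (\d+) groups:((?: \d+)*)", line)
    if m is None:
        raise ValueError("not a token line")
    groups = [int(g) for g in m.group(4).split()]
    if len(groups) != int(m.group(3)):
        raise ValueError("group count does not match the gids listed")
    return int(m.group(1)), int(m.group(2)), groups


def missing_unix_groups(id_text, token_line):
    """Unix groups the user holds locally that are absent from the Samba token.
    A directory whose group is in this list is refused over SMB even though the
    same user can enter it at a shell: smbd checks the token, not /etc/group."""
    _, _, unix_groups = parse_id_output(id_text)
    _, tok_gid, tok_groups = parse_token(token_line)
    token_set = {tok_gid, *tok_groups}
    return sorted((gid, name) for gid, name in unix_groups.items() if gid not in token_set)


def directory_group_in_token(dir_gid, token_line):
    """True if a mode-0770 directory owned by group dir_gid is reachable with this token."""
    _, tok_gid, tok_groups = parse_token(token_line)
    return dir_gid == tok_gid or dir_gid in tok_groups


if __name__ == "__main__":
    # Hypothetical range 'idmap config YALE : range = 10000-999999' with the default BASE_RID.
    print("RID 1105 ->", rid_to_id(1105, 10000, 999999))
    print("RID 1105 with a narrow range ->", rid_to_id(1105, 10000, 10999))
    print("uid 504 below default min domain uid?", below_min_domain_uid(504))
    print("uid 504 below min domain uid = 500?", below_min_domain_uid(504, 500))
    print("petfaculty (3516) in token?", directory_group_in_token(3516, TOKEN_LINE))
    for gid, name in missing_unix_groups(ID_OUTPUT, TOKEN_LINE):
        print(f"  missing from token: {gid}({name})")
```

Run against the quoted figures, every Unix group except the primary gid 505 is missing from the token, including 3516(petfaculty), so the chdir denial follows directly from the token rather than from the directory's mode bits. The same diagnosis applies to any host: paste the `id` output and the smbd token line, and whatever the script lists is what the idmap backend did not produce.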