[Samba] Samba 3.0.23b Available for Download
Hansjörg Maurer
Hansjoerg.Maurer at dlr.de
Wed Aug 9 15:36:53 GMT 2006
Hi
I have updated a samba AD memeber server to 3.0.23b in an environment, where
all Usernames are available in the AD and in NIS.
With 3.0.21b if I create a file with windows on a samba share
and open the security dialog, samba shows the DOM\USERNAME
string as owner of the file.
With 3.0.23b only the SID+RID of the user is shown.
The SID is the SID of the Samba-server.
If I add the domain-user USERNAME2 with the security dialog, this user
ist shown as
DOM\USERNAME2 until I reopen the security dialog.
Then I see alos the SID-RID
If I stop winbind and do the same procedure I get
Unix User/USERNAME1 for the owner of the file in the dialog
If I give another user USERNAME2 access to this file
and reopen the security dialog, the entry is not shown.
To make it work with samba-3.0.21b
we had this setting in smb.conf (winbindd running)
With this settings in the Windows file-dialog all
users appear DOM\USERNAME
and in Unix teh ACL's show the correct NIS Unix Users
idmap uid = 10000-10000
idmap gid = 10000-10000
winbind use default domain = Yes
winbind trusted domains only = Yes
Is it possible to make this work again with 3.0.23b?
(I know that the zero uid and gid range might be brain damaged,
but with this settings it works fine on both sides)
Greetings
Hansjörg
Gerald (Jerry) Carter wrote:
> ==============================================================
> "Where does he get those wonders toys?"
> -- The Joker (Batman 1989)
> ==============================================================
> Release Announcements
> =====================
>
> This is the latest stable release of Samba. This is the version
> that production Samba servers should be running for all current
> bug-fixes. Please read the changes in this section and for the
> original 3.0.23 release regarding new features and difference
> in behavior from previous releases.
>
> Common bugs fixed in 3.0.23b include:
>
> o Ambiguity with unqualified names in smb.conf parameters
> such as "force user" and "valid users".
> o Errors in 'net ads join' caused by bad IP address in the list
> of domain controllers.
> o SMB signing errors in the client and server code.
> o Domain join failures when using smbpasswd on a Samba PDC.
>
>
> Member servers, domain accounts, and smb.conf
> =============================================
>
> Since Samba 3.0.8, it has been recommended that all domain
> accounts listed in smb.conf on a member server be fully
> qualified with the domain name. This is now a requirement.
> All unqualified names are assumed to be local to the Unix
> host, either as part of the server's local passdb or in the
> local system list of accounts (e.g. /etc/passwd or /etc/group).
>
> The reason for this change is that smbd has transitioned from
> access checks based on string comparisons to token based
> authorization. All names are resolved to a SID and then
> verified against the logged on user's NT user token. Local
> names will resolve to a local SID, while qualified domain
> names will resolve to the appropriate domain SID.
>
> If the member server is not running winbindd at all, domain
> accounts will be implicitly mapped to local accounts and their
> tokens will be modified appropriately to reflect the local
> SID and group membership.
>
> For example, the following share will restrict access to the
> domain group "Linux Admins" and the local group srvadmin.
>
> [restricted]
> path = /data
> valid users = +"DOMAIN\Linux Admins" +srvadmin
>
> Note that to restrict the [homes] share on a member server to the
> owner of that directory, it is necessary to prefix the %S value
> to "valid users".
>
> [global]
> security = {domain,ads}
> workgroup = DOM
> winbind separator = +
> [homes]
> valid users = DOM+%S
>
More information about the samba
mailing list