[Samba] Linux Work Station USER ID PROBLEM
Rowland Penny
rpenny at samba.org
Wed Aug 24 21:24:06 UTC 2016
On Wed, 24 Aug 2016 20:42:35 +0300
barış tombul <bbtombul at gmail.com> wrote:
> centos workstation: smb.conf >>
>
> [global]
> workgroup = LAB
> realm = LAB.LOCAL
> security = ads
> idmap config * : range = 16777216-33554431
> template homedir = /home/LAB/%U
> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
>
>
> Samba Domain Server : smb.conf>>
>
> [global]
> idmap cache time = 604800
> idmap negative cache time = 120
> idmap config LAB : range = 2000000-9999999
> idmap config LAB : default = yes
> idmap config LAB : backend = ad
> idmap config LAB : readonly = no
> idmap config LAB : schema_mode = rfc2307
> idmap config LAB : cache time = 3600
> idmap config * : default = yes
> idmap config * : readonly = no
> idmap config * : schema_mode = rfc2307
> idmap config * : backend = tdb
> idmap config * : range = 2000000-9999999
> idmap_ldb:use rfc2307 = yes
> idmap config all : readonly = yes
> idmap config all : default = yes
> idmap config all : backend = tdb
> ntlm auth = Yes
> lanman auth = Yes
> raw NTLMv2 auth = Yes
> client NTLMv2 auth = Yes
> client lanman auth = Yes
> server max protocol = SMB3
> server min protocol = LANMAN1
> server multi channel support = No
> client max protocol = default
> client min protocol = CORE
> restrict anonymous = 0
> security = USER
> bind interfaces only = Yes
> interfaces = lo ens192
> auth methods =
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6,
> backupkey, remote, dnsserver
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> winbind max clients = 500
> winbindd:use external pipes = true
> winbind cache time = 300
> winbind reconnect delay = 30
> winbind request timeout = 60
> winbind max domain connections = 1
> winbindd socket directory = /usr/local/samba/var/run/winbindd
> winbindd privileged socket directory =
> /usr/local/samba/var/lib/winbindd_privileged
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind trusted domains only = No
> winbind nested groups = Yes
> winbind expand groups = 10
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> winbind normalize names = Yes
> winbind sealed pipes = Yes
> winbind rpc only = Yes
> wins proxy = Yes
> wins support = Yes
> obey pam restrictions = No
> ldap server require strong auth = no
> dos charset = CP850
> unix charset = UTF-8
> workgroup = LAB
> realm = LAB.LOCAL
> netbios name = LAB
> netbios scope =
> server string = LAB Samba Server
> hosts allow = ALL 127.0.0.1
> guest ok = No
> server role = active directory domain controller
> server role check:inhibit = yes
> log level = 3 passdb:3 auth:10 winbind:2
> log file = /var/log/samba/log.%m
> rndc command = /usr/sbin/rndc
> max log size = 0
> set primary group script =
> logging = file
> allow dns updates = nonsecure and secure
> dns update command = /usr/local/samba/sbin/samba_dnsupdate
> pam password change = Yes
> smb ports = 445 139
> nbt port = 137
> kpasswd port = 464
> krb5 port = 88
> web port = 901
> nbt port = 137
> dgram port = 138
> cldap port = 389
> socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
> domain logons = Yes
> os level = 255
> preferred master = Yes
> local master = Yes
> domain master = Yes
> load printers = No
> use client driver = No
> show add printer wizard = Yes
> printcap cache time = 0
> printcap name = cups
> cups encrypt = No
> cups connection timeout = 60
> disable spoolss = No
> min print space = 0
> max reported print jobs = 0
> max print jobs = 1000
> print notify backchannel = No
> printing = cups
> cups options = raw
> default devmode = Yes
> force printername = Yes
> printjob username = %U
> lpq cache time = 30
> spoolss: architecture = Windows x64
> debug timestamp = Yes
> debug prefix timestamp = No
> debug hires timestamp = Yes
> debug pid = No
> debug uid = No
> debug class = No
> timestamp logs = Yes
> require strong key = Yes
> allow dcerpc auth level connect = No
> client ipc signing = default
> client ipc max protocol = default
> client ipc min protocol = default
> nsupdate command = /usr/bin/nsupdate -g
> dns proxy = No
> allow trusted domains = Yes
> guest account = nobody
> map to guest = Bad User
> guest only = No
> config backend = file
> encrypt passwords = Yes
> smb passwd file = /usr/local/samba/private/smbpasswd
> private dir = /usr/local/samba/private
> algorithmic rid base = 1000
> passdb expand explicit = No
> passdb backend = tdbsam
> passwd chat debug = No
> passwd chat timeout = 2
> passwd program = /usr/local/samba/bin/smbpasswd %u
> passwd chat = *New*password* %n\n *ReType*new*password*
> %n\n*passwd:*all*authentication*tokens*updated*successfully*
> password server = LAB.LAB.local
> old password allowed period = 120
> unix password sync = Yes
> client plaintext auth = No
> map untrusted to domain = Yes
> enable core files = Yes
> large readwrite = Yes
> unicode = Yes
> read raw = Yes
> write raw = Yes
> disable netbios = No
> reset on zero vc = No
> log writeable files on exit = No
> defer sharing violations = Yes
> nt pipe support = Yes
> nt status support = Yes
> max mux = 50
> max xmit = 32768
> name resolve order = lmhosts wins host bcast
> max ttl = 259200
> max wins ttl = 518400
> min wins ttl = 21600
> min receivefile size = 16384
> time server = Yes
> time server = No
> unix extensions = Yes
> server signing = mandatory
> client signing = mandatory
> client schannel = Auto
> server schannel = Auto
> client use spnego = Yes
> client ldap sasl wrapping = sign
> enable asu support = No
> rpc big endian = No
> deadtime = 0
> getwd cache = Yes
> keepalive = 300
> smbd profiling level = off
> spotlight = No
> max smbd processes = 0
> max disk size = 0
> max open files = 65535
> use mmap = Yes
> hostname lookups = No
> name cache timeout = 3600
> clustering = No
> ctdb timeout = 0
> ctdb locktime warn threshold = 0
> smb2 max read = 8388608
> smb2 max write = 8388608
> smb2 max trans = 8388608
> smb2 max credits = 8192
> mangling method = hash2
> mangle prefix = 1
> max stat cache size = 256
> stat cache = Yes
> machine password timeout = 604800
> username map cache time = 0
> username level = 0
> init logon delay = 100
> lm announce = Auto
> lm interval = 60
> browse list = Yes
> enhanced browsing = Yes
> smb2 leases = Yes
> ldap admin dn =
> ldap connection timeout = 2
> ldap delete dn = No
> ldap deref = auto
> ldap follow referral = Auto
> ldap group suffix =
> ldap idmap suffix =
> ldap machine suffix =
> ldap page size = 1000
> ldap passwd sync = no
> ldap replication sleep = 1000
> ldap server require strong auth = No
> ldap ssl = start tls
> ldap ssl ads = No
> ldap suffix =
> ldap timeout = 15
> ldap user suffix =
> ldap debug level = 0
> ldap debug threshold = 10
> lock directory = /usr/local/samba/var/lock
> state directory = /usr/local/samba/var/locks
> cache directory = /usr/local/samba/var/cache
> pid directory = /usr/local/samba/var/run
> ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd
> utmp = No
> nmbd bind explicit broadcast = Yes
> homedir map = auto.home
> afs token lifetime = 604800
> afs share = No
> NIS homedir = No
> registry shares = No
> usershare allow guests = No
> usershare max shares = 0
> usershare owner only = Yes
> usershare path = /usr/local/samba/var/locks/usershares
> async smb echo handler = No
> template homedir = /home/%D/%U
> template shell = /bin/bash
> create krb5 conf = Yes
> ncalrpc dir = /usr/local/samba/var/run/ncalrpc
> neutralize nt4 emulation = No
> reject md5 servers = No
> reject md5 clients = No
> set quota command =
> multicast dns register = Yes
> samba kcc command = /usr/local/samba/sbin/samba_kcc
> spn update command = /usr/local/samba/sbin/samba_spnupdate
> share backend = classic
> allow nt4 crypto = No
> tls enabled = Yes
> tls keyfile = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile = tls/ca.pem
> tls crlfile =
> tls dh params file =
> tls verify peer = as_strict_as_possible
> tls priority = NORMAL:-VERS-SSL3.0
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = fork
> rpc_server:default = external
> rpc_server:spoolss = external
> rpc_server:svcctl = embedded
> rpc_server:srvsvc = embedded
> rpc_server:eventlog = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:winreg = embedded
> spoolssd:prefork_child_min_life = 60
> spoolssd:prefork_max_allowed_clients = 200
> spoolssd:prefork_spawn_rate = 5
> spoolssd:prefork_max_children = 75#
> spoolssd:prefork_min_children = 5
> acl group control = No
> acl map full control = Yes
> acl allow execute always = No
> force unknown acl user = No
> inherit permissions = No
> inherit acls = No
> inherit owner = No
> map acl inherit = No
> nt acl support = Yes
> profile acls = No
> administrative share = No
> allocation roundup size = 1048576
> aio read size = 16384
> aio write size = 16384
> aio max threads = 100
> ea support = No
> smb encrypt = default
> durable handles = Yes
> block size = 1024
> change notify = Yes
> directory name cache size = 100
> kernel change notify = Yes
> max connections = 0
> strict allocate = No
> strict rename = No
> strict sync = No
> sync always = No
> use sendfile = No
> write cache size = 0
> default case = lower
> case sensitive = Auto
> preserve case = Yes
> short preserve case = Yes
> mangling char = ~
> hide dot files = Yes
> hide special files = No
> hide unreadable = No
> hide unwriteable files = No
> delete veto files = No
> map archive = No
> map hidden = No
> map system = No
> map readonly = No
> mangled names = Yes
> mangling char = ~
> store dos attributes = Yes
> dmapi support = No
> browseable = Yes
> access based share enum = No
> blocking locks = Yes
> csc policy = manual
> lock spin time = 200
> oplock break wait time = 0
> fake oplocks = No
> kernel oplocks = No
> kernel share modes = Yes
> locking = Yes
> oplocks = Yes
> level2 oplocks = Yes
> oplock contention limit = 2
> posix locking = Yes
> strict locking = Auto
> dfree cache time = 0
> preexec close = No
> root preexec close = No
> available = Yes
> fstype = NTFS
> wide links = No
> allow insecure wide links = No
> follow symlinks = Yes
> delete readonly = No
> dos filemode = No
> dos filetimes = Yes
> dos filetime resolution = No
> fake directory create times = No
> host msdfs = Yes
> msdfs root = No
> msdfs shuffle referrals = No
> ntvfs handler = unixuid, default
> vfs objects = dfs_samba4 acl_xattr full_audit
> full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
> full_audit:failure = connect disconnect
> full_audit:success = connect disconnect opendir mkdir rmdir
> closedir open close read pread write pwrite sendfile rename unlink
> chmod fchmod chown fchown chdir ftruncate lock symlink readlink link
> mknod full_audit:LAB = local5
> full_audit:priority = notice
> [homes]
> comment = Home Directories
> path = /mnt/storage/homes/%U
> browseable = No
> hide files = /Recycle Bin/
> veto files = /*.encrypted/*.ecc/*.ccc/
> admin users = "@Domain Admins"
> create mask = 0644
> force create mode = 0660
> force directory mode = 0770
> read only = No
> valid users = "@Domain Users"
> vfs objects = acl_xattr full_audit recycle
> recycle:repository = Recycle Bin
> recycle:keeptree = yes
> recycle:minsize = 0
> recycle:maxsize = 0
> recycle:touch = yes
> recycle:touch_mtime = yes
> recycle:versions = yes
> recycle:exclude =
> *.tmp|*.temp|*.o|*.obj|~$*|*.??|*.log|*.trace|*.TMP|*.ASV|*.$$$|*.asv
> recycle:excludedir = /Recycle Bin
> recycle:noversions = *.tmp|*.temp|*.dat|*.ini
> recycle:mode = KEEP_DIRECTORIES|VERSION|TOUCH
> [profiles]
> comment = Network Profiles Share
> path = /mnt/storage/profiles
> profile acls = Yes
> browseable = No
> create mask = 0644
> force create mode = 0660
> force directory mode = 0770
> read only = No
> [netlogon]
> comment = Network Netlogon Share
> path = /usr/local/samba/var/locks/sysvol/LAB.local/scripts
> browseable = No
> read only = No
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> browseable = No
> read only = No
>
>
>
>
> 2016-08-24 16:49 GMT+03:00 Rowland Penny via samba
> <samba at lists.samba.org>:
>
> > On Wed, 24 Aug 2016 16:03:05 +0300
> > barış tombul <bbtombul at gmail.com> wrote:
> >
> >
> > > > Strange, have you given 'FACILITY\btombul' the ID number
> > > > '16777216' ?
> > > >
> > > > Can you post the smb.conf from the Samba AD DC and the Centos
> > > > machine (please post what is actually there, not the output of
> > > > 'samba-tool testparm -v')
> > > >
> > > > Rowland
> > > >
> > > >
> > > >
> > > >
> >
> >
> > So I said 'not the output of 'samba-tool testparm -v'
> > and what do I get LOL
> >
> > In English, putting 'not' in front of something, means 'do not do
> > this'
> >
> > Please post the output of 'cat /path/to/smb.conf' from BOTH
> > machines.
> >
> > Replacing '/path/to/smb.conf' with the path to your smb.conf
> > i.e. /etc/samba/smb.conf
> >
> > Rowland
> >
> >
OK, first question: why is the smb.conf on the DC so big?
Second question: why do you expect them both to work when they are set up the wrong way round,
i.e. the DC has the 'idmap config' lines that should only be on a domain
member, yet the domain member doesn't have these lines?
Can I suggest you set the global part of the DC smb.conf to this:
# Suggested [global] section for the LAB AD DC, as given in the reply above.
# No 'idmap config' lines appear here: as the reply notes, those belong on the
# CentOS domain member and have no effect on a DC.
[global]
workgroup = LAB
realm = LAB.LOCAL
netbios name = LAB
server role = active directory domain controller
# NOTE(review): presumably this makes the DC use the RFC2307 uidNumber/gidNumber
# attributes from AD, so the user in question needs them set — confirm (this is
# the ID number question raised earlier in the thread).
idmap_ldb:use rfc2307 = yes
server string = LAB Samba Server
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
# NOTE(review): carried over from the original config; 'No' relaxes the DC's
# LDAP bind protection and is only worth keeping if a client actually needs it.
ldap server require strong auth = No
winbind max clients = 500
winbind enum users = Yes
winbind enum groups = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# Bind only to loopback and ens192.
bind interfaces only = Yes
interfaces = lo ens192
# NOTE(review): 'nonsecure' accepts unauthenticated DNS updates alongside
# signed ones; reconsider once the ID problem is solved.
allow dns updates = nonsecure and secure
# auth:10 is debug-level auth logging for troubleshooting the ID mapping
# problem; lower it again afterwards.
log level = 3 passdb:3 auth:10 winbind:2
log file = /var/log/samba/log.%m
# CUPS printing and the spoolss prefork daemon settings, kept from the original.
printcap cache time = 0
printcap name = cups
force printername = Yes
cups connection timeout = 60
cups options = raw
name cache timeout = 3600
disable spoolss = No
spoolss: architecture = Windows x64
rpc_daemon:spoolssd = fork
spoolssd:prefork_child_min_life = 60
spoolssd:prefork_max_allowed_clients = 200
spoolssd:prefork_spawn_rate = 5
spoolssd:prefork_max_children = 75
spoolssd:prefork_min_children = 5
# NOTE(review): kept from the original; presumably maps logins with an unknown
# username to the guest account — confirm this is wanted on a DC.
map to guest = Bad User
# Unix password change program and the expect-style chat it is driven with.
passwd program = /usr/local/samba/bin/smbpasswd %u
passwd chat = *New*password* %n\n *ReType*new*password* %n\n*passwd:*all*authentication*tokens*updated*successfully*
old password allowed period = 120
max xmit = 32768
max open files = 65535
min receivefile size = 16384
homedir map = auto.home
template shell = /bin/bash
# VFS audit trail: records connect/disconnect failures and the listed
# successful file operations, prefixed with client IP, user, machine and share.
vfs objects = dfs_samba4 acl_xattr full_audit
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:failure = connect disconnect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod
# NOTE(review): the syslog facility option is normally spelled
# 'full_audit:facility'; 'full_audit:LAB' looks like a paste artefact — confirm.
full_audit:LAB = local5
full_audit:priority = notice
aio read size = 16384
aio write size = 16384
This is yours without all the default and wrong lines; I would also
point out that you could probably still remove a lot of the above
lines.
Go and browse the Samba wiki, this will explain how to set up the
shares correctly.
For the Centos domain member, see here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
At the moment, you are mixing ALL the Windows users and groups
(builtin, domain admins and normal) in one range; you need two ranges,
one for '*' and one for 'LAB'. You have these on the DC, the only
problem being that those lines have no effect on a DC.
Rowland