[Samba] Linux Work Station USER ID PROBLEM
barış tombul
bbtombul at gmail.com
Thu Aug 25 11:28:58 UTC 2016
I tried using the config you sent but I could not get it working. If possible,
could you send an smb.conf file (both for client and server) that you know is
working?
2016-08-25 0:24 GMT+03:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Wed, 24 Aug 2016 20:42:35 +0300
> barış tombul <bbtombul at gmail.com> wrote:
>
> > centos workstation: smb.conf >>
> >
> > [global]
> > workgroup = LAB
> > realm = LAB.LOCAL
> > security = ads
> > idmap config * : range = 16777216-33554431
> > template homedir = /home/LAB/%U
> > template shell = /bin/bash
> > winbind use default domain = true
> > winbind offline logon = false
> >
> >
> > Samba Domain Server : smb.conf>>
> >
> > [global]
> > idmap cache time = 604800
> > idmap negative cache time = 120
> > idmap config LAB : range = 2000000-9999999
> > idmap config LAB : default = yes
> > idmap config LAB : backend = ad
> > idmap config LAB : readonly = no
> > idmap config LAB : schema_mode = rfc2307
> > idmap config LAB : cache time = 3600
> > idmap config * : default = yes
> > idmap config * : readonly = no
> > idmap config * : schema_mode = rfc2307
> > idmap config * : backend = tdb
> > idmap config * : range = 2000000-9999999
> > idmap_ldb:use rfc2307 = yes
> > idmap config all : readonly = yes
> > idmap config all : default = yes
> > idmap config all : backend = tdb
> > ntlm auth = Yes
> > lanman auth = Yes
> > raw NTLMv2 auth = Yes
> > client NTLMv2 auth = Yes
> > client lanman auth = Yes
> > server max protocol = SMB3
> > server min protocol = LANMAN1
> > server multi channel support = No
> > client max protocol = default
> > client min protocol = CORE
> > restrict anonymous = 0
> > security = USER
> > bind interfaces only = Yes
> > interfaces = lo ens192
> > auth methods =
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> > winbindd, ntp_signd, kcc, dnsupdate
> > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> > netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6,
> > backupkey, remote, dnsserver
> > kerberos method = secrets and keytab
> > dedicated keytab file = /etc/krb5.keytab
> > winbind max clients = 500
> > winbindd:use external pipes = true
> > winbind cache time = 300
> > winbind reconnect delay = 30
> > winbind request timeout = 60
> > winbind max domain connections = 1
> > winbindd socket directory = /usr/local/samba/var/run/winbindd
> > winbindd privileged socket directory =
> > /usr/local/samba/var/lib/winbindd_privileged
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind use default domain = Yes
> > winbind trusted domains only = No
> > winbind nested groups = Yes
> > winbind expand groups = 10
> > winbind nss info = rfc2307
> > winbind refresh tickets = Yes
> > winbind offline logon = Yes
> > winbind normalize names = Yes
> > winbind sealed pipes = Yes
> > winbind rpc only = Yes
> > wins proxy = Yes
> > wins support = Yes
> > obey pam restrictions = No
> > ldap server require strong auth = no
> > dos charset = CP850
> > unix charset = UTF-8
> > workgroup = LAB
> > realm = LAB.LOCAL
> > netbios name = LAB
> > netbios scope =
> > server string = LAB Samba Server
> > hosts allow = ALL 127.0.0.1
> > guest ok = No
> > server role = active directory domain controller
> > server role check:inhibit = yes
> > log level = 3 passdb:3 auth:10 winbind:2
> > log file = /var/log/samba/log.%m
> > rndc command = /usr/sbin/rndc
> > max log size = 0
> > set primary group script =
> > logging = file
> > allow dns updates = nonsecure and secure
> > dns update command = /usr/local/samba/sbin/samba_dnsupdate
> > pam password change = Yes
> > smb ports = 445 139
> > nbt port = 137
> > kpasswd port = 464
> > krb5 port = 88
> > web port = 901
> > nbt port = 137
> > dgram port = 138
> > cldap port = 389
> > socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
> > domain logons = Yes
> > os level = 255
> > preferred master = Yes
> > local master = Yes
> > domain master = Yes
> > load printers = No
> > use client driver = No
> > show add printer wizard = Yes
> > printcap cache time = 0
> > printcap name = cups
> > cups encrypt = No
> > cups connection timeout = 60
> > disable spoolss = No
> > min print space = 0
> > max reported print jobs = 0
> > max print jobs = 1000
> > print notify backchannel = No
> > printing = cups
> > cups options = raw
> > default devmode = Yes
> > force printername = Yes
> > printjob username = %U
> > lpq cache time = 30
> > spoolss: architecture = Windows x64
> > debug timestamp = Yes
> > debug prefix timestamp = No
> > debug hires timestamp = Yes
> > debug pid = No
> > debug uid = No
> > debug class = No
> > timestamp logs = Yes
> > require strong key = Yes
> > allow dcerpc auth level connect = No
> > client ipc signing = default
> > client ipc max protocol = default
> > client ipc min protocol = default
> > nsupdate command = /usr/bin/nsupdate -g
> > dns proxy = No
> > allow trusted domains = Yes
> > guest account = nobody
> > map to guest = Bad User
> > guest only = No
> > config backend = file
> > encrypt passwords = Yes
> > smb passwd file = /usr/local/samba/private/smbpasswd
> > private dir = /usr/local/samba/private
> > algorithmic rid base = 1000
> > passdb expand explicit = No
> > passdb backend = tdbsam
> > passwd chat debug = No
> > passwd chat timeout = 2
> > passwd program = /usr/local/samba/bin/smbpasswd %u
> > passwd chat = *New*password* %n\n *ReType*new*password*
> > %n\n*passwd:*all*authentication*tokens*updated*successfully*
> > password server = LAB.LAB.local
> > old password allowed period = 120
> > unix password sync = Yes
> > client plaintext auth = No
> > map untrusted to domain = Yes
> > enable core files = Yes
> > large readwrite = Yes
> > unicode = Yes
> > read raw = Yes
> > write raw = Yes
> > disable netbios = No
> > reset on zero vc = No
> > log writeable files on exit = No
> > defer sharing violations = Yes
> > nt pipe support = Yes
> > nt status support = Yes
> > max mux = 50
> > max xmit = 32768
> > name resolve order = lmhosts wins host bcast
> > max ttl = 259200
> > max wins ttl = 518400
> > min wins ttl = 21600
> > min receivefile size = 16384
> > time server = Yes
> > time server = No
> > unix extensions = Yes
> > server signing = mandatory
> > client signing = mandatory
> > client schannel = Auto
> > server schannel = Auto
> > client use spnego = Yes
> > client ldap sasl wrapping = sign
> > enable asu support = No
> > rpc big endian = No
> > deadtime = 0
> > getwd cache = Yes
> > keepalive = 300
> > smbd profiling level = off
> > spotlight = No
> > max smbd processes = 0
> > max disk size = 0
> > max open files = 65535
> > use mmap = Yes
> > hostname lookups = No
> > name cache timeout = 3600
> > clustering = No
> > ctdb timeout = 0
> > ctdb locktime warn threshold = 0
> > smb2 max read = 8388608
> > smb2 max write = 8388608
> > smb2 max trans = 8388608
> > smb2 max credits = 8192
> > mangling method = hash2
> > mangle prefix = 1
> > max stat cache size = 256
> > stat cache = Yes
> > machine password timeout = 604800
> > username map cache time = 0
> > username level = 0
> > init logon delay = 100
> > lm announce = Auto
> > lm interval = 60
> > browse list = Yes
> > enhanced browsing = Yes
> > smb2 leases = Yes
> > ldap admin dn =
> > ldap connection timeout = 2
> > ldap delete dn = No
> > ldap deref = auto
> > ldap follow referral = Auto
> > ldap group suffix =
> > ldap idmap suffix =
> > ldap machine suffix =
> > ldap page size = 1000
> > ldap passwd sync = no
> > ldap replication sleep = 1000
> > ldap server require strong auth = No
> > ldap ssl = start tls
> > ldap ssl ads = No
> > ldap suffix =
> > ldap timeout = 15
> > ldap user suffix =
> > ldap debug level = 0
> > ldap debug threshold = 10
> > lock directory = /usr/local/samba/var/lock
> > state directory = /usr/local/samba/var/locks
> > cache directory = /usr/local/samba/var/cache
> > pid directory = /usr/local/samba/var/run
> > ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd
> > utmp = No
> > nmbd bind explicit broadcast = Yes
> > homedir map = auto.home
> > afs token lifetime = 604800
> > afs share = No
> > NIS homedir = No
> > registry shares = No
> > usershare allow guests = No
> > usershare max shares = 0
> > usershare owner only = Yes
> > usershare path = /usr/local/samba/var/locks/usershares
> > async smb echo handler = No
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > create krb5 conf = Yes
> > ncalrpc dir = /usr/local/samba/var/run/ncalrpc
> > neutralize nt4 emulation = No
> > reject md5 servers = No
> > reject md5 clients = No
> > set quota command =
> > multicast dns register = Yes
> > samba kcc command = /usr/local/samba/sbin/samba_kcc
> > spn update command = /usr/local/samba/sbin/samba_spnupdate
> > share backend = classic
> > allow nt4 crypto = No
> > tls enabled = Yes
> > tls keyfile = tls/key.pem
> > tls certfile = tls/cert.pem
> > tls cafile = tls/ca.pem
> > tls crlfile =
> > tls dh params file =
> > tls verify peer = as_strict_as_possible
> > tls priority = NORMAL:-VERS-SSL3.0
> > rpc_server:tcpip = no
> > rpc_daemon:spoolssd = fork
> > rpc_server:default = external
> > rpc_server:spoolss = external
> > rpc_server:svcctl = embedded
> > rpc_server:srvsvc = embedded
> > rpc_server:eventlog = embedded
> > rpc_server:ntsvcs = embedded
> > rpc_server:winreg = embedded
> > spoolssd:prefork_child_min_life = 60
> > spoolssd:prefork_max_allowed_clients = 200
> > spoolssd:prefork_spawn_rate = 5
> > spoolssd:prefork_max_children = 75
> > spoolssd:prefork_min_children = 5
> > acl group control = No
> > acl map full control = Yes
> > acl allow execute always = No
> > force unknown acl user = No
> > inherit permissions = No
> > inherit acls = No
> > inherit owner = No
> > map acl inherit = No
> > nt acl support = Yes
> > profile acls = No
> > administrative share = No
> > allocation roundup size = 1048576
> > aio read size = 16384
> > aio write size = 16384
> > aio max threads = 100
> > ea support = No
> > smb encrypt = default
> > durable handles = Yes
> > block size = 1024
> > change notify = Yes
> > directory name cache size = 100
> > kernel change notify = Yes
> > max connections = 0
> > strict allocate = No
> > strict rename = No
> > strict sync = No
> > sync always = No
> > use sendfile = No
> > write cache size = 0
> > default case = lower
> > case sensitive = Auto
> > preserve case = Yes
> > short preserve case = Yes
> > mangling char = ~
> > hide dot files = Yes
> > hide special files = No
> > hide unreadable = No
> > hide unwriteable files = No
> > delete veto files = No
> > map archive = No
> > map hidden = No
> > map system = No
> > map readonly = No
> > mangled names = Yes
> > mangling char = ~
> > store dos attributes = Yes
> > dmapi support = No
> > browseable = Yes
> > access based share enum = No
> > blocking locks = Yes
> > csc policy = manual
> > lock spin time = 200
> > oplock break wait time = 0
> > fake oplocks = No
> > kernel oplocks = No
> > kernel share modes = Yes
> > locking = Yes
> > oplocks = Yes
> > level2 oplocks = Yes
> > oplock contention limit = 2
> > posix locking = Yes
> > strict locking = Auto
> > dfree cache time = 0
> > preexec close = No
> > root preexec close = No
> > available = Yes
> > fstype = NTFS
> > wide links = No
> > allow insecure wide links = No
> > follow symlinks = Yes
> > delete readonly = No
> > dos filemode = No
> > dos filetimes = Yes
> > dos filetime resolution = No
> > fake directory create times = No
> > host msdfs = Yes
> > msdfs root = No
> > msdfs shuffle referrals = No
> > ntvfs handler = unixuid, default
> > vfs objects = dfs_samba4 acl_xattr full_audit
> > full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
> > full_audit:failure = connect disconnect
> > full_audit:success = connect disconnect opendir mkdir rmdir
> > closedir open close read pread write pwrite sendfile rename unlink
> > chmod fchmod chown fchown chdir ftruncate lock symlink readlink link
> > mknod
> > full_audit:LAB = local5
> > full_audit:priority = notice
> > [homes]
> > comment = Home Directories
> > path = /mnt/storage/homes/%U
> > browseable = No
> > hide files = /Recycle Bin/
> > veto files = /*.encrypted/*.ecc/*.ccc/
> > admin users = "@Domain Admins"
> > create mask = 0644
> > force create mode = 0660
> > force directory mode = 0770
> > read only = No
> > valid users = "@Domain Users"
> > vfs objects = acl_xattr full_audit recycle
> > recycle:repository = Recycle Bin
> > recycle:keeptree = yes
> > recycle:minsize = 0
> > recycle:maxsize = 0
> > recycle:touch = yes
> > recycle:touch_mtime = yes
> > recycle:versions = yes
> > recycle:exclude =
> > *.tmp|*.temp|*.o|*.obj|~$*|*.??|*.log|*.trace|*.TMP|*.ASV|*.$$$|*.asv
> > recycle:excludedir = /Recycle Bin
> > recycle:noversions = *.tmp|*.temp|*.dat|*.ini
> > recycle:mode = KEEP_DIRECTORIES|VERSION|TOUCH
> > [profiles]
> > comment = Network Profiles Share
> > path = /mnt/storage/profiles
> > profile acls = Yes
> > browseable = No
> > create mask = 0644
> > force create mode = 0660
> > force directory mode = 0770
> > read only = No
> > [netlogon]
> > comment = Network Netlogon Share
> > path = /usr/local/samba/var/locks/sysvol/LAB.local/scripts
> > browseable = No
> > read only = No
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > browseable = No
> > read only = No
> >
> >
> >
> >
> > 2016-08-24 16:49 GMT+03:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> > > On Wed, 24 Aug 2016 16:03:05 +0300
> > > barış tombul <bbtombul at gmail.com> wrote:
> > >
> > >
> > > > > Strange, have you given 'FACILITY\btombul' the ID number
> > > > > '16777216' ?
> > > > >
> > > > > Can you post the smb.conf from the Samba AD DC and the Centos
> > > > > machine (please post what is actually there, not the output of
> > > > > 'samba-tool testparm -v')
> > > > >
> > > > > Rowland
> > > > >
> > > > >
> > > > >
> > > > >
> > >
> > >
> > > So I said 'not the output of 'samba-tool testparm -v'
> > > and what do I get LOL
> > >
> > > In English, putting 'not' in front of something means 'do not do
> > > this'.
> > >
> > > Please post the output of 'cat /path/to/smb.conf' from BOTH
> > > machines.
> > >
> > > Replacing '/path/to/smb.conf' with the path to your smb.conf
> > > i.e. /etc/samba/smb.conf
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
> > >
>
>
> OK, first question: why is the smb.conf on the DC so big?
> Second question: why do you expect them both to operate in the wrong way,
> i.e. the DC has the 'idmap config' lines that should only be on a domain
> member, yet the domain member doesn't have these lines?
>
> Can I suggest you set the global part of the DC smb.conf to this:
>
> [global]
> workgroup = LAB
> realm = LAB.LOCAL
> netbios name = LAB
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> server string = LAB Samba Server
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> ldap server require strong auth = No
> winbind max clients = 500
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> bind interfaces only = Yes
> interfaces = lo ens192
> allow dns updates = nonsecure and secure
> log level = 3 passdb:3 auth:10 winbind:2
> log file = /var/log/samba/log.%m
> printcap cache time = 0
> printcap name = cups
> force printername = Yes
> cups connection timeout = 60
> cups options = raw
> name cache timeout = 3600
> disable spoolss = No
> spoolss: architecture = Windows x64
> rpc_daemon:spoolssd = fork
> spoolssd:prefork_child_min_life = 60
> spoolssd:prefork_max_allowed_clients = 200
> spoolssd:prefork_spawn_rate = 5
> spoolssd:prefork_max_children = 75
> spoolssd:prefork_min_children = 5
> map to guest = Bad User
> passwd program = /usr/local/samba/bin/smbpasswd %u
> passwd chat = *New*password* %n\n *ReType*new*password*
> %n\n*passwd:*all*authentication*tokens*updated*successfully*
> old password allowed period = 120
> max xmit = 32768
> max open files = 65535
> min receivefile size = 16384
> homedir map = auto.home
> template shell = /bin/bash
> vfs objects = dfs_samba4 acl_xattr full_audit
> full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
> full_audit:failure = connect disconnect
> full_audit:success = connect disconnect opendir mkdir rmdir closedir
> open close read pread write pwrite sendfile rename unlink chmod fchmod
> chown fchown chdir ftruncate lock symlink readlink link mknod
> full_audit:LAB = local5
> full_audit:priority = notice
> aio read size = 16384
> aio write size = 16384
>
> This is yours without all the default and wrong lines, I would also
> point out that you could probably still remove a lot of the above
> lines.
>
> Go and browse the Samba wiki, this will explain how to set up the
> shares correctly.
> For the Centos domain member, see here:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> At the moment you are mixing ALL the Windows users and groups
> (builtin, domain admins and normal) in one range; you need two, '*' &
> 'LAB'. You have these on the DC, only problem, those lines have no
> effect on a DC.
>
> Rowland
>
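The two points Rowland makes about where idmap settings belong, as an added example that is not part of the thread and not Samba project code: a small Python checker that parses an smb.conf and reports 'idmap config' lines on a DC (where they do nothing), a domain member with no per-domain block or no backend for it, and ranges that overlap. The sample configs inside it are constructed from the two configs posted above; the range values in MEMBER_FIXED follow the layout the Samba wiki uses and are an assumption, not values from the thread.

```python
"""Check the idmap settings in an smb.conf for the two points made in the reply above.

Added example, not code from the thread or from the Samba project: 'idmap config' lines
belong on a domain member, not on an AD DC, and a member needs two non-overlapping
ranges, '*' (BUILTIN and other foreign SIDs) and the domain itself. The configs at the
bottom are constructed for the demo; MEMBER_FIXED's range values are an assumption.
"""
import re

_IDMAP_KEY = re.compile(r"^idmap config (\S+)\s*:\s*(\S+)$")
_DC_ROLES = {"active directory domain controller", "dc"}


def parse_smb_conf(text):
    """{section: {parameter: value}}; names lower-cased and whitespace-normalised, '#'/';' comments dropped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def parse_range(value):
    """'3000-7999' -> (3000, 7999); ValueError if missing, malformed or inverted."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value or "")
    if not m or int(m.group(1)) >= int(m.group(2)):
        raise ValueError("bad or inverted range %r" % value)
    return int(m.group(1)), int(m.group(2))


def check_idmap(text):
    """Return a list of findings; an empty list means the idmap setup looks sane."""
    glob = parse_smb_conf(text).get("global", {})
    role = glob.get("server role", "").lower()
    domain = glob.get("workgroup", "").upper()
    blocks = {}  # {DOM: {option: value}} from 'idmap config DOM : option = value'
    for key, value in glob.items():
        m = _IDMAP_KEY.match(key)
        if m:
            blocks.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    if role in _DC_ROLES:
        # A Samba AD DC ignores 'idmap config'; its only idmap knob is 'idmap_ldb:use rfc2307'.
        return ["DC: 'idmap config %s' lines have no effect on a DC; remove them" % d
                for d in sorted(blocks)]
    if glob.get("security", "").lower() != "ads" and role not in ("member server", "member"):
        return []  # stand-alone server: nothing to check
    findings, ranges = [], {}
    for dom, opts in blocks.items():
        try:
            ranges[dom] = parse_range(opts.get("range"))
        except ValueError as exc:
            findings.append("member: idmap config %s: %s" % (dom, exc))
    if "*" not in ranges:
        findings.append("member: no 'idmap config * : range' for BUILTIN and foreign SIDs")
    if domain and domain not in blocks:
        findings.append("member: no 'idmap config %s' block; domain users, Domain Admins "
                        "and BUILTIN objects all land in the '*' range" % domain)
    elif domain and "backend" not in blocks[domain]:
        findings.append("member: 'idmap config %s' names no backend (use 'ad' or 'rid')" % domain)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append("member: ranges for %s and %s overlap" % (a, b))
    return findings


# Constructed samples modelled on the two configs posted in the thread.
MEMBER_AS_POSTED = """[global]
workgroup = LAB
security = ads
idmap config * : range = 16777216-33554431
"""
DC_AS_POSTED = """[global]
workgroup = LAB
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
idmap config LAB : backend = ad
idmap config LAB : range = 2000000-9999999
idmap config * : backend = tdb
idmap config * : range = 2000000-9999999
"""
MEMBER_FIXED = """[global]
workgroup = LAB
security = ads
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config LAB : backend = ad
idmap config LAB : range = 10000-999999
"""
```

Run `check_idmap(open("/etc/samba/smb.conf").read())` on each machine, using whatever path the build actually reads. On the configs as posted it reports the missing `idmap config LAB` block on the CentOS member and the two ineffective `idmap config` blocks on the DC, and nothing for the fixed member. One caveat when you change the member's ranges: IDs already handed out from the tdb-backed `*` range are not renumbered, so files created before the change may end up owned by stale UIDs and need their ownership fixed.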