[Samba] Why is Samba4 not recommended as a file server?

Data Control Systems - Mike Elkevizth mike at datacontrolsystems.com
Thu Jul 28 15:14:41 UTC 2016


Just to throw in my two cents, I too would love to see winbind on a DC
"act" the same as it does on a non-DC.  I use my DCs as file servers, but
have had to use a number of workarounds because of how winbind acts
differently on a DC.  I've not only had trouble with the idmappings, but
the fact that it doesn't honor all of the rfc2307 attributes.  For
instance, I have a couple of users that use a file synchronization script
to keep files between the server and their laptops in sync.  This script
requires them to log on to the file server (which is also a DC).  Because
winbind on the DC doesn't honor my rfc2307 shell settings, I have to revert
to using the "template shell =" setting in smb.conf, which means that now
all of my users can log on to the DC even if I don't want them all to have
access to that.  I really don't understand why they don't act the same?

Mike E.

On Thu, Jul 28, 2016 at 9:30 AM Rowland penny <rpenny at samba.org> wrote:

> On 28/07/16 13:59, Jim Seymour wrote:
> > On Thu, 28 Jul 2016 13:15:43 +0100
> > Rowland penny <rpenny at samba.org> wrote:
> >
> > [snip]
> >> Yes it does sound strange, but, on windows, groups can and do own
> >> directories & files. An xidNumber is just that, a number, it is the
> >> context in how that number is used that is important. If you give
> >> Domain Admins a gidNumber attribute, then Domain Admins becomes just
> >> a group, ...
> > [snip]
> >
> > Hmmm...
> >
> > ----------------------------------------------------------------------
> > $ ldapsearch -x -ZZZ -b 'ou=Groups,dc=example,dc=com' 'cn=Domain Admins'
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <ou=Groups,dc=example,dc=com> with scope subtree
> > # filter: cn=Domain Admins
> > # requesting: ALL
> > #
> >
> > # Domain Admins, Groups, example.com
> > dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
> > objectClass: top
> > objectClass: posixGroup
> > objectClass: sambaGroupMapping
> > cn: Domain Admins
> > gidNumber: 512
> > memberUid: root
> > description: Netbios Domain Administrators
> > sambaSID: S-1-5-21-3861070848-2803670205-3675378528-512
> > sambaGroupType: 2
> > displayName: Domain Admins
> >
> > # search result
> > search: 3
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> > $ ldapmodify -x -ZZZ -W -D 'cn=admin,dc=example,dc=com'
> > Enter LDAP Password:
> > dn: cn=Domain Users,ou=Groups,dc=example,dc=com
> > changetype: modify
> > delete: gidNumber
> > modifying entry "cn=Domain Users,ou=Groups,dc=example,dc=com"
> > ^D
> > ldap_modify: Object class violation (65)
> >          additional info: object class 'posixGroup' requires attribute
> >          'gidNumber'
> >
> > ----------------------------------------------------------------------
> >
> > To me this implies that "posixGroup"s and an AD are incompatible?
> >
> > (N.B.: I'm only posting this to satisfy my curiosity, not for any
> > practical reason.)
> >
> > Regards,
> > Jim
>
> Two things here: I was talking AD and your ldif is from an NT4-style
> LDAP domain, and in AD you don't need to explicitly set the posixGroup
> objectClass.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
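The side effect Mike describes above (a domain-wide `template shell =` in smb.conf handing every domain user an interactive shell on the DC) is easy to overlook until someone audits the accounts the host actually resolves. The script below is an added example, not code from the thread or from the Samba project: it parses passwd-style lines of the kind `getent passwd` prints once winbind resolves domain users, and reports every domain account that has an interactive shell but is not on an allow-list. The sample lines, the domain name `EXAMPLE`, the winbind separator `\` and the set of non-login shells are all constructed assumptions; the first sample shows what a `template shell = /bin/bash` DC looks like, the second what a member server that honours per-user rfc2307 `loginShell` values looks like.

```python
"""Audit which domain accounts get an interactive shell on a host.

Added example (not from the Samba thread or the Samba project). The passwd
lines, the domain name EXAMPLE, the winbind separator '\\' and the set of
non-login shells are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Shells that do not start an interactive session (assumed common set).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed: what `getent passwd` might show on a DC where smb.conf sets
# "template shell = /bin/bash" and the rfc2307 loginShell attribute is ignored.
SAMPLE_TEMPLATE_SHELL = """\
root:x:0:0:root:/root:/bin/bash
EXAMPLE\\alice:*:10001:10000:Alice:/home/EXAMPLE/alice:/bin/bash
EXAMPLE\\bob:*:10002:10000:Bob:/home/EXAMPLE/bob:/bin/bash
EXAMPLE\\svc-backup:*:10003:10000:Backup service:/home/EXAMPLE/svc-backup:/bin/bash
"""

# Constructed: the same users on a member server that honours each user's
# rfc2307 loginShell, so only alice was given a real shell.
SAMPLE_RFC2307 = """\
root:x:0:0:root:/root:/bin/bash
EXAMPLE\\alice:*:10001:10000:Alice:/home/EXAMPLE/alice:/bin/bash
EXAMPLE\\bob:*:10002:10000:Bob:/home/EXAMPLE/bob:/sbin/nologin
EXAMPLE\\svc-backup:*:10003:10000:Backup service:/home/EXAMPLE/svc-backup:/sbin/nologin
"""


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str

    @property
    def interactive(self) -> bool:
        """True when the shell is not one of the known non-login shells."""
        return self.shell not in NOLOGIN_SHELLS


def parse_passwd(text: str) -> list[Account]:
    """Parse passwd(5)-style lines; blank lines and '#' comments are skipped."""
    accounts: list[Account] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # A malformed line is an error, not something to silently drop.
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), home, shell))
    return accounts


def domain_accounts(accounts: list[Account], domain: str = "EXAMPLE",
                    sep: str = "\\") -> list[Account]:
    """Accounts whose name carries the winbind DOMAIN<sep> prefix (assumed format)."""
    prefix = f"{domain}{sep}".lower()
    return [a for a in accounts if a.name.lower().startswith(prefix)]


def unexpected_logins(accounts: list[Account], allowed: set[str],
                      domain: str = "EXAMPLE", sep: str = "\\") -> list[str]:
    """Domain accounts with an interactive shell that are not on the allow-list."""
    allowed_lc = {a.lower() for a in allowed}
    return sorted(
        a.name for a in domain_accounts(accounts, domain, sep)
        if a.interactive and a.name.lower() not in allowed_lc
    )


if __name__ == "__main__":
    allowed = {"EXAMPLE\\alice"}  # the users who are meant to log on to the DC
    for label, sample in (("template shell", SAMPLE_TEMPLATE_SHELL),
                          ("rfc2307 loginShell", SAMPLE_RFC2307)):
        extra = unexpected_logins(parse_passwd(sample), allowed)
        print(f"{label}: {len(extra)} unexpected interactive account(s): {extra}")
```

On a live host you would feed the real `getent passwd` output to `parse_passwd` instead of the constructed samples; the point of the allow-list is to make the gap between "who should have a shell on this DC" and "who winbind actually gives one" visible, so it can be closed (for example by restricting interactive logon at the SSH or PAM layer) rather than discovered later.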

