[Samba] Unable to set up home share correctly
udo.willke at freenet.de
Mon Oct 17 15:14:43 UTC 2016
Am 14.10.2016 um 18:18 schrieb Rowland Penny via samba:
> On Fri, 14 Oct 2016 17:52:33 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>> However it is not very specific as to what permissions should
>> actually be configured: "Go to the "Security" tab, click the "Edit"
>> button and configure the desired Windows ACLs".
> What it means is, you need to add/change the users and groups and set
> permissions to meet your requirements.
>>> Also, when you changed the ranges in smb.conf, have you changed th
>>> uidNumber & gidNumber attributes in AD ?
>> Not necessary in my opinion as I only modified the "overkill" range
>> of the * domain (100000 - 2^32 -1) .
>> BTW: There is no range checking in the code. I started with 2^32 =
>> 4294967296 as the upper limit and the mapping didn't work at all.
>> Discovered later in the logs the range was parsed into "range
>> Two questions:
>> 1) Do you agree with the directions given by L.P.H. van Belle: Create
>> new user "Admin" and remove all the already filled in accounts (much
>> like in the screenshot on the
>> <https://wiki.samba.org/index.php/Shares_with_Windows_ACLs> page?
> This is up to you, by doing what Louis is suggesting, is security
> through obscurity. It means that anybody trying to get into your system
> has to know (or obtain by whatever means) not only the password, they
> also have to know the username to go with it.
> As for removing the accounts, you need to decide just who has access
> and how much access they have, this may mean removing, altering or
> adding accounts.
>> 2) Can you elaborate on this?
> i think I just did ;-)
>> I have removed the rfc2307-IDs now. I guess going to the "Unix
>> Attributes" tab in ADUC and setting "NIS Domain" to "none" is
>> --> No, it should show your domain name.
>> Hmm, the "NIS Domain" setting is a drop-down menu. When I choose
>> mydomain (in lower case this time) a UID Number is automatically
>> assigned, when I choose <none> the fields are greyed out. So "no
>> uidNumber" and "should show your domain name" don't work at the same
>> time. Or should I choose mydomain and delete the remaining field
> If the windows machine that ADUC is running on is joined to the domain,
> it normally allows you to set the domain on the 'Unix Attributes' tab
> and setting this, fills in all the other boxes (uidNumber etc)
Sorry for asking this twice, I just wanted to see if I understood
So, to summarize the discussion:
System accounts should not have rfc2307 IDs, only (unprivileged) users
should. The Administrator account is the exception. It can be mapped to
root trough the "username map" directive
Today, I followed the wiki page
<https://wiki.samba.org/index.php/User_home_drives> with all the
prerequisites. Unfortunately, the automatic home folder creation still
does not work. So I checked all my logs and I guess I have another
problem with DDNS and DHCP:
Oct 17 16:15:41 addc01 named: samba_dlz: starting transaction on
Oct 17 16:15:41 addc01 named: samba_dlz: spnego update failed
Oct 17 16:15:41 addc01 named: client 127.0.0.1#59487/key rndc-key:
updating zone '6.168.192.in-addr.arpa/NONE': update failed: rejected by
secure update (REFUSED)
Oct 17 16:15:41 addc01 named: samba_dlz: cancelling transaction on
Oct 17 16:15:41 addc01 dhcpd: DHCPREQUEST for 192.168.6.56 from
00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd: DHCPACK on 192.168.6.56 to
00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd: Unable to add reverse map from
220.127.116.11.in-addr.arpa. to Admin-PC.mydomain.lan: REFUSED
This translates into missing PTR records of my two virtual PCs in the
DNS (configured to get their IPs over DHCP). Can this be related to my
first problem or has this other side effects?
When I run the command
samba_dnsupdate --verbose --all-names
everything looks fine.
Is this an known issue/mistake in the configuration?
More information about the samba