[Samba] Allow user without uidNumber to access to a Samba member file server
Arnaud Cruzel
a.cruzel at ifporient.org
Wed Mar 15 12:23:23 UTC 2017
Hi everybody,
I have a Samba member server for file sharing configured as below.
The domain controllers are on Samba too.
All servers are on Samba 4.5.3.
When I created the domain I activated rfc2307.
Now I think rfc2307 was a bad idea...
My problem is that I'd like to allow users and computers to access
the file server even if uidNumber is not set.
If I create a user without uidNumber, he is able to access sysvol
(for example) on all DCs without problems. But if he tries to access the
file server (from a Windows 10 client), he gets an "Access refused".
I understand that the problem comes from uidNumber not being set. And I think
that the solution is related to idmap, winbind and rfc2307.
So I'm completely lost with those features: how can I disable
idmapping to get the same behaviour on the file server as on the domain
controller?
And if I do that, will the macOS users have problems accessing
the shares with the AFP protocol (netatalk)?
I'd like this behaviour to allow computers to access shares for
installing applications with a GPO set on the DC and applied to the computers
section instead of the users section of the GPO.
Thanks
Below is my smb.conf on the file server:
=========================================================
[global]
netbios name = FS1
security = ADS
workgroup = IFPOAD
realm = IFPOAD.IFPORIENT.ORG
log file = /var/log/samba/%m.log
log level = 1
interfaces=lo eth0
bind interfaces only=yes
server string = %h samba server
wins support = yes
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config IFPOAD:backend = ad
idmap config IFPOAD:schema_mode = rfc2307
idmap config IFPOAD:range = 10000-99999
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind trusted domains only = no
winbind use default domain = yes
# Enable Windows extended attributes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# For Mac OS compatibility ?
unix extensions = no
# Print spooling
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
spoolss: architecture = Windows x64
veto files = /._*/.DS_Store/~*/
delete veto files = yes
[Shares]
path = /srv/samba/shares
read only = no
[home]
path = /home/samba
read only = no
[profile$]
path = /srv/samba/Profiles
read only = no
[deploy$]
path = /srv/samba/deploy
read only = no
[BkShares]
path = /srv/Backups/bkIFPO/shares
read only = no
[printers]
path = /var/spool/samba/
printable = yes
printing = CUPS
==========================================================
--
Arnaud Cruzel
System and Network Administrator
Institut français du Proche-Orient (Ifpo)
المعهد الفرنسي للشرق الأدنى
UMIFRE 6 - MAEDI - CNRS - USR 3135
Tel. Lebanon: +961 76 596 131
Tel. France: +33 6 67 51 68 50
a.cruzel at ifporient.org
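The mapping rule behind the "Access refused" above, as an added check that is not part of the original post: it parses the idmap lines of the smb.conf quoted above (the sample is copied inline), reports whether winbind on the member server can map a given account, and flags overlapping idmap ranges. The DC side behaves differently because a Samba AD DC allocates its own IDs in idmap.ldb instead of relying on uidNumber.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the post.
SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config IFPOAD:backend = ad
idmap config IFPOAD:schema_mode = rfc2307
idmap config IFPOAD:range = 10000-99999
"""
_IDMAP = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf: str) -> dict:
    """Collect 'idmap config DOM:option = value' lines as {DOM: {option: value}}."""
    domains: dict = {}
    for line in conf.splitlines():
        m = _IDMAP.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains

def id_range(cfg: dict) -> tuple:
    lo, hi = (int(x) for x in cfg["range"].split("-"))
    return lo, hi

def overlapping_ranges(domains: dict) -> list:
    """Pairs of idmap domains whose ranges overlap: a misconfiguration winbind rejects."""
    names, bad = sorted(domains), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = id_range(domains[a]), id_range(domains[b])
            if lo_a <= hi_b and lo_b <= hi_a:
                bad.append((a, b))
    return bad

def can_map(domains: dict, domain: str, uid_number=None) -> tuple:
    """Would member-server winbind map this account? backend = ad only reads
    uidNumber from AD (never allocates), so a missing/out-of-range one fails."""
    cfg = domains.get(domain.upper(), domains.get("*", {}))  # '*' = unconfigured domains
    backend, (lo, hi) = cfg.get("backend", "").lower(), id_range(cfg)
    if backend == "ad":
        if uid_number is None:
            return False, "ad backend: account has no uidNumber to read"
        if not lo <= uid_number <= hi:
            return False, f"uidNumber {uid_number} is outside {lo}-{hi}"
        return True, f"uidNumber {uid_number} taken from AD"
    if backend in ("tdb", "rid", "autorid"):
        return True, f"{backend} backend derives an ID inside {lo}-{hi}"
    return False, f"unhandled backend {backend!r}"
```

Running `can_map(parse_idmap(SMB_CONF), "IFPOAD", None)` reproduces the denial for an account without uidNumber, while a BUILTIN SID still maps through the `*` tdb backend.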