[Samba] Fw: AD users are not shown in Domain Controller when applying setfacl command
barani tharan
aru_barani at yahoo.com
Tue Dec 4 12:37:23 UTC 2018
Dear Team
1. I get the same error on the domain controller when I try to set the ACL on the share
[root@samba4dc ~]# setfacl -m group:"EIPL\administrator":rwx /Share
setfacl: Option -m: Invalid argument near character 7
[root@samba4dc ~]# id EIPL\administrator
id: EIPLadministrator: no such user
2. My smb.conf file
[root@samba4dc ~]# vi /usr/local/samba/etc/smb.conf
# Global parameters
[global]
netbios name = SAMBA4DC
realm = EIPL.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = EIPL
idmap_ldb:use rfc2307 = yes
# idmap config EIPL:backend = ad
# idmap config EIPL:schema_mode = rfc2307
# idmap config EIPL:range = 10000-999999
# tls enabled = yes
# tls keyfile = tls/Domainkey.pem
# tls certfile = tls/Mydomain.pem
[netlogon]
path = /usr/local/samba/var/locks/sysvol/eipl.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[Comon]
path = /Share
read Only = No
~
3. When I view the ACL on that shared folder, I see only the user ID, not the user name
[root@samba4dc ~]# getfacl /Share
getfacl: Removing leading '/' from absolute path names
# file: Share
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx
user:3000000:rwx
group::r-x
group:root:r-x
group:3000000:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::r-x
default:group:root:r-x
default:group:3000000:rwx
default:mask::rwx
default:other::r-x
4. When I use samba-tool to view users, it shows the user names
[root@samba4dc ~]# samba-tool user list
Administrator
Ramkumar
dns-samba4dc
rhevadmin
krbtgt
Guest
5. [root@samba4dc ~]# samba -V
Version 4.7.11
I don't know how to solve this problem. One more thing: I viewed the links Identity Mapping Back Ends - SambaWiki and Setting up RFC2307 in AD - SambaWiki
6. These links say:
1. ID mapping back ends are not supported in the smb.conf file on a Samba AD DC
2. On an AD DC there should not be more than the sysvol and netlogon share, so the usage of unified RFC2307 idmappings is not really important. If you want to enable RFC2307 ID mappings on the DC for whatever reason, then you would have to verify on the Samba DC, that the idmap_ldb:use rfc2307
7. In another link, Updating Samba - SambaWiki
In that link I saw the following, so please guide me to solve this issue; I am really confused
Failure To Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File
4.4.6 or later
The winbindd service on a Samba Active Directory (AD) domain controller (DC) automatically uses the IDs set in the Active Directory uidNumber and gidNumber attributes of user accounts and groups. If the attributes are not set, Samba generates IDs locally on the DC and stores them in the idmap.ldb database. Thus, on a Samba AD DC, idmap config parameters set in the smb.conf file were ignored. Due to a bug in Samba 4.4.6 and later, the parameters are no longer ignored and clients fail to connect to shares on the DC. To fix the problem:
- Remove all idmap config parameters in the smb.conf file on DCs.
- Restart the samba service.
- Restart the clients.
As a result, clients now correctly connect to shares on the DC.
Regards
Baranitharan
On Friday, 30 November, 2018, 2:57:36 PM IST, Rowland Penny via samba <samba at lists.samba.org> wrote:
On Fri, 30 Nov 2018 09:06:34 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 30 Nov 2018 06:16:42 +0000 (UTC)
> barani tharan <aru_barani at yahoo.com> wrote:
>
> > Dear Rowland Penny
> > I followed the steps you mentioned; I still face the same problem
> > I have 1 Domain Controller [sambadc] and 1 Domain member for Samba
> > Share and backup [backupserver]
> >
> > 1. When I try to view the ACL rights on the backup server, I am able to view the
> > domain user name
> > [root@backupserver Rishinox]# getfacl /ADHDD/Rishinox/
> > getfacl: Removing leading '/' from absolute path names
> > # file: ADHDD/Rishinox/
>
> > [root@backupserver Rishinox]# vi /etc/samba/smb.conf
> >
> > [global]
>
> >
> > workgroup = RISHI
>
> Let's start with the obvious question, why do you think it is a good
> idea to use the workgroup 'ADHDD' on the DC and 'RISHI' on the Unix
> domain member ?
>
> All domain members need to use the same workgroup.
And now I am fully awake, you can ignore the above, you are using the
same workgroup OOPs
Rowland
>
> > password server = sambadc.rishi.com
> > realm = RISHI.COM
> > security = ads
> > idmap config * : range = 16777216-33554431
> > template shell = /bin/bash
> > kerberos method = secrets only
> > winbind use default domain = yes
> > winbind offline logon = true
> >
>
> Why are you using that range ?
> Are you also using sssd on that machine ?
> I ask the last question because your smb.conf isn't set up correctly
> for winbind and you used red-hat tools to set up smb.conf
> Stop trying to use 'Administrator' as a user on Unix domain members,
> that user is a Windows user and should be mapped to the Unix user
> 'root'
>
> Rowland
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
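
The two checks the quoted wiki text and the getfacl listing point to, as an added example that is not part of the original thread: one flags active "idmap config" parameters in the smb.conf of an AD DC, the other lists ACL entries whose qualifier is still a bare number. The function names are hypothetical, the sample inputs are constructed from the listings above, and parameter names are matched as typed with single spaces, which is a simplification.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print active (uncommented) "idmap config" lines, but only if the smb.conf
# on stdin declares the AD DC server role.
active_idmap_on_dc() {
    awk '
        /^[ \t]*[#;]/ { next }
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low ~ /^server role[ \t]*=[ \t]*active directory domain controller/ { dc = 1 }
        low ~ /^idmap config[ \t]/ { hits[++n] = line }
        END { if (dc) for (i = 1; i <= n; i++) print hits[i] }
    '
}

# Print named ACL entries from getfacl output on stdin whose qualifier is
# still a bare number, i.e. an ID that was not resolved to a name.
unresolved_acl_ids() {
    awk -F: '
        /^#/ { next }
        { if ($1 == "default") { kind = $2; who = $3 } else { kind = $1; who = $2 } }
        (kind == "user" || kind == "group") && who ~ /^[0-9]+$/ { print kind ":" who }
    ' | sort -u
}

sample_dc_conf() {  # constructed: the thread's [global] with one idmap line active
cat <<'EOF'
[global]
    server role = active directory domain controller
    workgroup = EIPL
    idmap_ldb:use rfc2307 = yes
    idmap config EIPL:backend = ad
    # idmap config EIPL:range = 10000-999999
EOF
}

sample_getfacl() {  # constructed: shortened from the getfacl listing in the thread
cat <<'EOF'
# file: Share
user::rwx
user:root:rwx
user:3000000:rwx
group:3000000:rwx
default:user:3000000:rwx
EOF
}

echo "idmap config parameters active on a DC:"; sample_dc_conf | active_idmap_on_dc
echo "ACL entries with unresolved IDs:"; sample_getfacl | unresolved_acl_ids
```

On a real host, feed the functions the DC's smb.conf and the output of getfacl for the share instead of the samples.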