[Samba] Fw: AD usres are not show in Domain Controller when apply setfacl command

barani tharan aru_barani at yahoo.com
Tue Dec 4 12:37:23 UTC 2018

 Dear Team
1.  I get same error in domain controller when try to set acl in  share the file

[root at samba4dc ~]# setfacl -m group:"EIPL\administrator":rwx /Share
setfacl: Option -m: Invalid argument near character 7

[root at samba4dc ~]# id EIPL\administrator
id: EIPLadministrator: no such user
2.  My smb.conf file    
  [root at samba4dc ~]# vi /usr/local/samba/etc/smb.conf
# Global parameters
        netbios name = SAMBA4DC
        realm = EIPL.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = EIPL
        idmap_ldb:use rfc2307 = yes

#       idmap config EIPL:backend = ad
#       idmap config EIPL:schema_mode = rfc2307
#       idmap config EIPL:range = 10000-999999
#       tls enabled = yes
#       tls keyfile = tls/Domainkey.pem
#       tls certfile = tls/Mydomain.pem

        path = /usr/local/samba/var/locks/sysvol/eipl.com/scripts
        read only = No

        path = /usr/local/samba/var/locks/sysvol
        read only = No

        path = /Share
        read Only = No

3. When view the ACL in that share folder. I view the user id only not user name
[root at samba4dc ~]# getfacl /Share
getfacl: Removing leading '/' from absolute path names
# file: Share
# owner: root
# group: root
# flags: -s-

4. when use the samba-tool to view users it show the users name

    [root at samba4dc ~]# samba-tool user list
5. [root at samba4dc ~]# samba -V
Version 4.7.11

        I don't know how to solve this problem. One more thing i view the link Identity Mapping Back Ends - SambaWiki and Setting up RFC2307 in AD - SambaWiki
6.  In this links it says that like
  1. ID mapping back ends are not supported in the smb.conf file on a Samba AD DC  2. On a AD DC there should not be more than the sysvol and netlogon share, so the usage of unified RFC2307 idmappings is not really important. If you want to    enable RFC2307 ID mappings on the DC for whatever reason, the you would have to verify on the Samba DC, that the idmap_ldb:use rfc2307

7.  In other link Updating Samba - SambaWiki
       In that link i view like this option so please guide me solve this issue i am really in  confusion 
Failure To Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File

4.4.6 or later

The winbindd service on a Samba Active Directory (AD) domain controller (DC) automatically uses the IDs set in the Active Directory uidNumber and gidNumber attributes of user accounts and groups. If the attributes are not set, Samba generates IDs locally on the DC and stores them in the idmap.ldb database. Thus, on a Samba AD DC, idmap config parameters set in the smb.conf file were ignored. Due to a bug in Samba 4.4.6 and later, the parameters are no longer ignored and clients fail to connect to shares on the DC. To fix the problem:
   -  Remove all idmap config parameters in the smb.conf file on DCs.
   -  Restart the samba service.
   -  Restart the clients.
As a result, clients now correctly connect to shares on the DC

|  | 
Updating Samba - SambaWiki




|  | 
Setting up RFC2307 in AD - SambaWiki




|  | 
Identity Mapping Back Ends - SambaWiki





    On Friday, 30 November, 2018, 2:57:36 PM IST, Rowland Penny via samba <samba at lists.samba.org> wrote:  
 On Fri, 30 Nov 2018 09:06:34 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 30 Nov 2018 06:16:42 +0000 (UTC)
> barani tharan <aru_barani at yahoo.com> wrote:
> >  Dear Rowland Penny
> >  I follow your mentioned step still i am face the same problem
> > I have 1 Domain Controller [sambadc] and 1 Domain member for Samba
> > Share and backup [backupserver]
> > 
> > 1.when try view the ACL rights is backup server i can able view the
> > domain user name [root at backupserver Rishinox]#
> > getfacl /ADHDD/Rishinox/ getfacl: Removing leading '/' from absolute
> > path names # file: ADHDD/Rishinox/
> > [root at backupserver Rishinox]# vi /etc/samba/smb.conf
> > 
> > [global]
> > 
> >    workgroup = RISHI
> Lets start with the obvious question, why do you think it is a good
> idea to use the workgroup 'ADHDD' on the DC and 'RISHI' on the Unix
> domain member ?
> All domain members need to use the same workgroup.

And now I am fully awake, you can ignore the above, you are using the
same workgroup OOPs

> >    password server = sambadc.rishi.com
> >    realm = RISHI.COM
> >    security = ads
> >    idmap config * : range = 16777216-33554431
> >    template shell = /bin/bash
> >    kerberos method = secrets only
> >    winbind use default domain = yes
> >    winbind offline logon = true
> > 
> Why are you using that range ?
> Are you also using sssd on that machine ?
> I ask the last question because your smb.conf isn't set up correctly
> for winbind and you used red-hat tools to set up smb.conf
> Stop trying to use 'Administrator' as a user on Unix domain members,
> that user is a Windows user and should be mapped to the Unix user
> 'root'
> Rowland

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba  

More information about the samba mailing list