[Samba] Fw: AD usres are not show in Domain Controller when apply setfacl command
Rowland Penny
rpenny at samba.org
Tue Dec 4 13:34:27 UTC 2018
On Tue, 4 Dec 2018 12:37:23 +0000 (UTC)
barani tharan <aru_barani at yahoo.com> wrote:
> Dear Team
> 1. I get same error in domain controller when try to set acl in
> share the file
>
> [root at samba4dc ~]# setfacl -m group:"EIPL\administrator":rwx /Share
> setfacl: Option -m: Invalid argument near character 7
Never try to use 'Administrator' on a Unix machine, use 'root' instead
>
> [root at samba4dc ~]# id EIPL\administrator
> id: EIPLadministrator: no such user
You have hit a Unix problem there a single '\' is a Unix 'escape'
character, you need to use two:
root at dc4:~# id SAMDOM\\Administrator
uid=0(root) gid=0(root) groups=0(root)
That also shows one of the reasons why you shouldn't use the WINDOWS
user 'Administrator' on UNIX.
>
>
>
> 3. When view the ACL in that share folder. I view the user id only
> not user name [root at samba4dc ~]# getfacl /Share
> getfacl: Removing leading '/' from absolute path names
> # file: Share
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> user:root:rwx
> user:3000000:rwx
> group::r-x
> group:root:r-x
> group:3000000:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:3000000:rwx
> default:mask::rwx
> default:other::r-x
I am prepared to lay money on '3000000' being the group
'Administrators' and not the user 'Administrator'
>
>
> 4. when use the samba-tool to view users it show the users name
>
> [root at samba4dc ~]# samba-tool user list
> Administrator
> Ramkumar
> dns-samba4dc
> rhevadmin
> krbtgt
> Guest
Samba-tool works in a similar manner to 'wbinfo -u', that is they both
show all AD users, but those users are not necessarily known to UNix.
> 5. [root at samba4dc ~]# samba -V
> Version 4.7.11
>
>
> I don't know how to solve this problem. One more thing i view
> the link Identity Mapping Back Ends - SambaWiki and Setting up
> RFC2307 in AD - SambaWiki 6. In this links it says that like
>1. ID mapping back ends are not supported in the smb.conf file on a Samba
> AD DC
They never have been and they used to be totally ignored, but an update
meant they started to interfere with Samba, but they still didn't work.
>2. On a AD DC there should not be more than the sysvol and
> netlogon share, so the usage of unified RFC2307 idmappings is not
> really important.
No, it says it isn't recommended, but you can have shares if you really
must.
>If you want to enable RFC2307 ID mappings on the
> DC for whatever reason, the you would have to verify on the Samba DC,
> that the idmap_ldb:use rfc2307
>
> 7. In other link Updating Samba - SambaWiki
> In that link i view like this option so please guide me solve
> this issue i am really in confusion Failure To Access Shares on
> Domain Controllers If idmap config Parameters Set in the smb.conf File
Very simple, do not add any 'idmap config' lines to an AD DC smb.conf
>
> 4.4.6 or later
>
> The winbindd service on a Samba Active Directory (AD) domain
> controller (DC) automatically uses the IDs set in the Active
> Directory uidNumber and gidNumber attributes of user accounts and
> groups. If the attributes are not set, Samba generates IDs locally on
> the DC and stores them in the idmap.ldb database. Thus, on a Samba AD
> DC, idmap config parameters set in the smb.conf file were ignored.
> Due to a bug in Samba 4.4.6 and later, the parameters are no longer
> ignored and clients fail to connect to shares on the DC. To fix the
> problem:
> - Remove all idmap config parameters in the smb.conf file on DCs.
> - Restart the samba service.
> - Restart the clients.
> As a result, clients now correctly connect to shares on the DC
>
It is actually the other way around, by default, the 'xidNumbers' in
idmap.ldb are used, but if 'uidNumber' & 'gidNumber' attributes are
added to AD, these will be used instead. Everything else is correct.
Rowland
More information about the samba
mailing list