[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
stephen at ogdenradar.com
Mon Apr 1 15:03:59 UTC 2019
Cheers, that fixed it! :O) So, if I may summarise what we have just
1) All newly created samba users need to have the uidNumber attribute
set to a unique value (within the range specified in smb.conf for
SAMDOM) when using ad backend with RFC2307.
2) All new groups need to have the gidNumber set to a unique value
(within the range specified in smb.conf for SAMDOM) when using ad
backend with RFC2307.
3) Don't delete group Everyone - even though the Windows UI will let you
do this it will actually break your file permissions :(
Could I possibly ask you a couple of further related questions about
this uidnumber and gidnumber issue please?
1) Previously I found I could access the share I created as
SAMDOM/Administrator. However when I checked using Windows RSAT ADUC
there is apparently no uidNumber set for this Administrator account by
default. Is that what you would expect to see, presumably I do not need
to supply uidNumbers for built-in default accounts?
2) I originally created SAMDOM/stephenellwood at the the DC command-line
sudo samba-tool user add your_domain_user --given-name=your_name
--surname=your_username --mail-address=your_domain_user at tecmint.lan
The Samba docs here https://wiki.samba.org/index.php/Idmap_config_ad
appear to suggest that the syntax I have used for my account creation
command above is essentially incomplete given that I have also specified
winbind nss info = rfc2307 in my smb.conf.
I am pretty sure that I need to add some extra command-line switches to
my example above specify UID, home directory path, and primary group at
account creation time as per the docs. Unfortunately though man
samba-tool does not provide a full list of supported samba-tool user
create command-line switches. What syntax would you recommend that I use
for creating new users in my situation with samba-tool user create Rowland?
I do realise creating users in this fashion means having to track the
last-used uidNumber manually somehow and thus might not be regarded as
3) Related to point two, had I instead created user
SAMDOM/stephenellwood using the Windows RSAT ADUC tools would sensible
uidNumber and gidNumber values have been chosen automatically
potentially avoiding this entire problem?
The Samba docs here (https://wiki.samba.org/index.php/Idmap_config_ad)
are a little unclear about this point. They say "When using the ADUC
utility, the user and group IDs are automatically tracked inside AD and
incremented when creating a new user or group."
The problem is I am unsure if userID == uidNumber, and likewise groupID
= gidNumber or if these are actually different parameters.
On 01/04/2019 15:26, Rowland Penny via samba wrote:
> On Mon, 1 Apr 2019 15:12:21 +0100
> Stephen via samba <samba at lists.samba.org> wrote:
>> Hi Rowland, thanks for your suggestions. I have read and re-read the
>> Samba docs to try and understand where I went wrong here.
>> I added the uidNumber and gidNumber exactly as per your comments and
>> that seems to improve the situation markedly. I can now at least see
>> that the share exists from SAMDOM\stephenellwood which wasn't
>> possible before. File access is now possible from
>> SAMDOM/stephenellwood when I configure NTFS security permissions to
>> allow read and write access for group Everyone.
>> I am still seeing issues with fileshare access from custom AD groups
>> though. For example, I removed the NTFS security permissions access
>> to group Everyone on my share.
> Put 'Everyone' back, you need it ;-)
>> I then created a group OgdenFilesUsers
>> using the ADUC RSAT tool and added SAMDOM/stephenellwood to this.
>> Even when security permissions are set for OgdenFilesUsers to allow
>> read and write permissions it still won't seem to allow access. For
>> good measure I then went and set the gidNumber attribute for my newly
>> created OgdenFilesUsers group to 10001 but that didn't make any
> Try reading this:
More information about the samba