[Samba] Permission issue

Rowland Penny rpenny at samba.org
Fri Feb 8 10:00:36 UTC 2019


On Fri, 8 Feb 2019 06:22:05 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> We did a classicupgrade of our Ubuntu Server (4.3.11, TDB), the
> server DC5 also host shares. Post the migration we are seeing some
> permission issues.
> 
> When trying to give permission to a domain group/user to folder/file
> we get the following
> 
> chown "LIN\\myadmin:LIN\\adgroup" adtest/
> chown: invalid user: 'LIN\\myadmin:LIN\\adgroup'
> 
> wbinfo --ping-dc : checking the NETLOGON for domain[LIN] dc
> connection to "dc5.LIN.group" succeeded
> 
> The getent group comes up with no results
> getent group "LIN\\adgroup"
> getent passwd "LIN\\mygroup"
> 
> 
> Here is the smb.conf
> 
>         workgroup = LIN
>         realm = LIN.GROUP
>         netbios name = dc5
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         log file = /var/log/samba/log.%m
>         log level = 1
> 
>         winbind nss info = rfc2307
> 
>         idmap config * : backend = tdb
>         idmap config * : range = 4000-7999
>         idmap config LIN:backend = ad
>         idmap config LIN:schema_mode = rfc2307
>         idmap config LIN:range = 10000-999999

OK, you classicupgraded your NT4-style PDC to an AD DC, did your users
have ID's in the '10000-999999' range before the upgrade ?

Have you set up the libnss-winbind links ?
 
Rowland

> 
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
> 
>         # Template settings for login shell and home directory
>         template shell = /bin/bash
>         template homedir = /home/%U
> 
> 
> here is nsswitch.conf
> passwd:         files winbind
> group:          files winbind
> shadow:         compat
> 
> 
> If the group in question exist in /etc/group it works, because it is
> local. But if the group is new or if the group has been removed
> from /etc/group and AD it doesn't.
> 
> We have added the SeDiskOperatorPrivilege to the user making the
> chown calls.
> 
> Any suggestions?
> 
> 
> Regards,
> Praveen Ghimire
> 




More information about the samba mailing list