[Samba] Permission issue

Praveen Ghimire PGhimire at sundata.com.au
Fri Feb 8 12:12:34 UTC 2019


Hi Rowland,

The user's ID range would have been below 3600; the current max RID is 3506.

The links have been set up following this link, and the samba-ad-dc service was then restarted:

https://wiki.samba.org/index.php/Libnss_winbind_Links


I followed the following to configure the winbindd stuff,

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC


template shell = /bin/bash
template homedir = /home/%U

9833 pts/0    S+     0:00                      \_ grep --color=auto winbind
17196 ?        Ss     0:00  |   \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
17199 ?        S      0:01  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground



Regards,

Praveen


-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Friday, 8 February 2019 8:01 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Permission issue

On Fri, 8 Feb 2019 06:22:05 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> We did a classicupgrade of our Ubuntu Server (4.3.11, TDB); the server
> DC5 also hosts shares. Post the migration we are seeing some permission
> issues.
> 
> When trying to give permission to a domain group/user to folder/file 
> we get the following
> 
> chown "LIN\\myadmin:LIN\\adgroup" adtest/
> chown: invalid user: 'LIN\\myadmin:LIN\\adgroup'
> 
> wbinfo --ping-dc : checking the NETLOGON for domain[LIN] dc connection 
> to "dc5.LIN.group" succeeded
> 
> The getent group comes up with no results:
>
> getent group "LIN\\adgroup"
> getent passwd "LIN\\mygroup"
> 
> 
> Here is the smb.conf
> 
>         workgroup = LIN
>         realm = LIN.GROUP
>         netbios name = dc5
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         log file = /var/log/samba/log.%m
>         log level = 1
> 
>         winbind nss info = rfc2307
> 
>         idmap config * : backend = tdb
>         idmap config * : range = 4000-7999
>         idmap config LIN:backend = ad
>         idmap config LIN:schema_mode = rfc2307
>         idmap config LIN:range = 10000-999999

OK, you classicupgraded your NT4-style PDC to an AD DC. Did your users have IDs in the '10000-999999' range before the upgrade?

Have you set up the libnss-winbind links?
 
Rowland

> 
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
> 
>         # Template settings for login shell and home directory
>         template shell = /bin/bash
>         template homedir = /home/%U
> 
> 
> here is nsswitch.conf
> passwd:         files winbind
> group:          files winbind
> shadow:         compat
> 
> 
> If the group in question exists in /etc/group it works, because it is
> local. But if the group is new or if the group has been removed from
> /etc/group and AD it doesn't.
> 
> We have added the SeDiskOperatorPrivilege to the user making the chown 
> calls.
> 
> Any suggestions?
> 
> 
> Regards,
> Praveen Ghimire
> 

