[Samba] moved DM config to new server : gids different etc

Stefan G. Weichinger lists at xunil.at
Tue Nov 26 16:00:34 UTC 2019 

Last week the mobo in a DM server died, so we had to set up a fallback
machine and reinstall Debian 10.2 including Samba

I had smb.conf but not /var/lib/samba in backups.

Restored krb5.conf and smb.conf, rejoined.

Things work mostly ...

but for example I get gid 10006 for "domain users" instead of 10513 before.

and getent group doesn't show the AD groups, btw

-

I have:

# /etc/nsswitch.conf

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

---

# cat /etc/samba/smb.conf
# Samba config file
# from sgw 2018/jun/15
# with help from Rowland

[global]
unix charset = iso8859-15

security = ads
realm = XYZ.INTRA
workgroup = XYZ

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

netbios aliases = u1XYZ
server string = U1XYZ

winbind cache time = 10
winbind use default domain = yes
winbind refresh tickets = Yes

template homedir = /mnt/MSA2040/smb/Homes/%D/%U

restrict anonymous = 2
domain master = no
local master = no
preferred master = no
invalid users = root bin daemon adm sync shutdown halt mail news \
		uucp
obey pam restrictions = yes

interfaces = 192.168.100.4/24 127.0.0.1
bind interfaces only = Yes

idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config XYZ : range = 10000-20000
idmap config XYZ : backend = rid

# For ACL support on domain member
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes
inherit acls = yes

unix extensions = no
follow symlinks= yes
wide links= yes

load printers = no
printcap name = /dev/null

acl allow execute always = True

# Audit settings
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice

---

wbinfo -u and -g work afaik

But permissions and ACLs are screwed up.

I might be missing some package to install ... or what ever ...

pls advise, Stefan

More information about the samba mailing list