[Samba] User mapping?
simon.matthews at bluepearlsoftware.com
Fri Aug 7 21:44:41 UTC 2020
On 8/7/20 1:57 PM, Simon Matthews wrote:
> On 8/7/20 12:58 PM, Rowland penny via samba wrote:
>> On 07/08/2020 20:12, Simon Matthews wrote:
>>> The client is running CentOS 7:
>>> # cat /etc/redhat-release
>>> CentOS Linux release 7.8.2003 (Core)
>>> After another attempt, I have successfully joined the linux client to
>>> the domain:
>>> # net rpc join MEMBER -S raidserver -U root%<password>
>>> Using short domain name -- BLUE
>>> Joined 'TURQUOISE' to domain 'BLUE'
>>> Note that the hostname of the Linux client is actually "H2". Turquoise
>>> is a holdover from what it was earlier. "turquoise" resolves on the
>>> $ ping turquoise
>>> PING h2.sj.bps (192.168.254.105) 56(84) bytes of data.
>>> 64 bytes from h2.sj.bps (192.168.254.105): icmp_seq=1 ttl=64
>>> time=0.264 ms
>> I would suggest you stop it resolving if it has gone away.
>>> Client config:
>>> workgroup = BLUE
>>> password server = raidserver
>>> security = domain
>>> idmap config * : range = 16777216-33554431
>> This is where your problems start, you do not have enough lines, I
>> would expect something like this:
>> idmap config * : backend = tdb
>> idmap config * : range = 100000-9999999
>> idmap config BLUE : backend = rid
>> idmap config BLUE : range = 500-99999
>>> template shell = /bin/false
>>> kerberos method = secrets only
>> You do not use kerberos with a PDC
>>> winbind use default domain = false
>> If you want to remove the domain name 'BLUE\' from users and groups,
>> change 'false' to 'yes'
>>> winbind offline logon = true
>>> username map = /etc/samba/usermap.txt # This file is empty.
>>> server string = Samba Server Version %v
>>> netbios name = TURQUOISE
>> If the client's name isn't 'turquoise' remove the above line and let
>> Samba set it for you.
>>> # client ntlmv2 auth = yes
>>> # ntlm auth = no
>>> interfaces = lo eth1
>>> local master = no
>>> os level = 20
>>> preferred master = no
>>> wins support = no
>> Might be an idea to replace the above line with 'wins server = <PDC IP>'
>> Add this line:
>> client max protocol = NT1
>>> Config on PDC (raidserver):
>> Not a lot wrong with the PDC smb.conf
>> Again, can I stress that it would be a very good idea to upgrade to AD,
> Yes, but I have limited resources for IT and the upgrade to AD is
> somewhat intrusive to the network (I am thinking of the impact to DNS).
> The changes you suggested have worked. Thank you very much.
No, I was wrong about this. The name mapping is correct but the numeric
IDs are different, so I still have permission issues:
# ls -al
drwxrwxrwx. 4 <user> blue 4096 Aug 7 14:40 .
drwxr-xr-x. 12 <user> blue 4096 Aug 6 13:06 ..
drwxr-xr-x. 2 <user> blue 4096 Aug 7 14:40 New folder
"New folder" is an empty folder I created from the Windows machine after
setting the directory perms to 777. However, when we look at the actual
# ls -aln
drwxrwxrwx. 4 2002 441 4096 Aug 7 14:40 .
drwxr-xr-x. 12 2002 441 4096 Aug 6 13:06 ..
drwxr-xr-x. 2 16777216 16777222 4096 Aug 7 14:40 New folder
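Why "New folder" shows up as 16777216/16777222 under the posted client config, and what the suggested idmap lines change, as an added example that is not part of the thread or of Samba itself: a small Python model of the two backends discussed (idmap_tdb handing out the next free ID from the '*' range, idmap_rid computing ID = RID - base_rid + low_range). The RIDs used, and the single allocation pool per idmap block, are simplifying assumptions.

```python
import re

# Added example: a model of two Samba idmap backends, not Samba's own code.
# idmap_tdb hands out the next free ID in its range (per machine, order dependent);
# idmap_rid computes ID = RID - base_rid + low_range (identical on every member).
IDMAP_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)")


def parse_idmap(smb_conf):
    """Return {DOMAIN: {'backend', 'low', 'high'}} from the idmap lines of an smb.conf."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.search(line.split("#", 1)[0])
        if not m:
            continue
        entry = cfg.setdefault(m.group(1).upper(), {"backend": "tdb"})  # tdb is Samba's default
        if m.group(2) == "backend":
            entry["backend"] = m.group(3)
        else:
            entry["low"], entry["high"] = (int(x) for x in m.group(3).split("-"))
    return cfg


class IdMapper:
    def __init__(self, smb_conf):
        self.cfg = parse_idmap(smb_conf)
        self.tdb_alloc = {}  # (config block, rid) -> ID; simplified single pool per block

    def map_rid(self, domain, rid, base_rid=0):
        """Unix ID a member with this smb.conf assigns to account RID `rid` of `domain`."""
        key = domain.upper() if domain.upper() in self.cfg else "*"  # no block: fall back to '*'
        entry = self.cfg[key]
        if entry["backend"] == "rid":
            unix_id = rid - base_rid + entry["low"]
        elif entry["backend"] == "tdb":
            if (key, rid) not in self.tdb_alloc:
                used = [v for (d, _), v in self.tdb_alloc.items() if d == key]
                self.tdb_alloc[(key, rid)] = max(used, default=entry["low"] - 1) + 1
            unix_id = self.tdb_alloc[(key, rid)]
        else:
            raise NotImplementedError(entry["backend"])
        if not entry["low"] <= unix_id <= entry["high"]:
            raise ValueError(f"RID {rid} maps to {unix_id}, outside the range of '{key}'")
        return unix_id

    def range_for(self, unix_id):
        """Idmap block whose range contains unix_id, or None for a local passwd/group ID."""
        for dom, e in self.cfg.items():
            if e["low"] <= unix_id <= e["high"]:
                return dom
        return None
```

With only the posted `idmap config * : range` line, every BLUE account falls through to the '*' tdb pool, so the first account looked up gets 16777216 and the IDs depend on lookup order on each machine; with the suggested BLUE rid block the ID is a fixed function of the RID, though note that the 500-99999 range also covers local IDs such as 2002 and 441 from the listing.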