[Samba] Users can't mount shares on a domain member file server
MAS Jean-Louis
jean-louis.mas at imag.fr
Wed Dec 16 15:58:33 UTC 2020
On 15/12/2020 at 18:29, Rowland penny via samba wrote:
Thanks a lot for your advice
We changed our conf files /etc/nsswitch.conf and smb.conf (see below)
Now our Linux users can't connect, as their gid and $HOME are totally
wrong; they seem to be generated by winbind in the 400000 range.
What we've got using winbind, with my account for example:
$ id jlmas
uid=20025(jlmas) gid=400005(misi)
groupes=400005(misi),400004(lig),400010(wikimisi),400001(domain
users),400003(BUILTIN\users)
$ getent passwd jlmas
jlmas:*:20025:400005:MAS Jean-Louis:/home/LIGLAB/jlmas:/bin/false
What it should be
$ id jlmas
uid=20025(jlmas) gid=20000(misi)
groupes=20000(misi),20001(wikimisi),513(Domain Users),29000(labolig)
$ getent passwd jlmas
jlmas:*:20025:20000:MAS Jean-Louis:/home/misi/jlmas/:/bin/bash
>> smbd:backgroundqueue = no
> Where did you get the line above from ?
It came from our old Centos 6 conf, back from 2013. I deleted it in our
new smb.conf
>> idmap config example : schema_mode = rfc2307
>> idmap config example : range = 500-400000
> Why start at 500? Do you have normal users & groups in AD with
> uidNumbers & gidNumbers that start so low? Not counting the ones
> that start with 'Domain' e.g. 'Domain Users'
Unfortunately, we have some very, very old user account ids, the lowest
being 115 (but not used anymore), and some above 500 are still in use
today on a broad number of servers. That's why we can't use the
recommended '3000-7999' range for the '*' domain.
Our new files
# /etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files ldap
aliases: files nisplus
# /etc/smb/smb.conf
# Global parameters
[global]
allow trusted domains = No
disable spoolss = Yes
domain master = No
kerberos method = system keytab
load printers = No
local master = No
log file = /var/log/samba/samba.log
ntlm auth = ntlmv1-permitted
preferred master = No
printcap cache time = 0
printcap name = /dev/null
realm = EXAMPLE.COM
restrict anonymous = 2
security = ADS
server role = member server
server string = Samba Server Version %v
winbind use default domain = Yes
workgroup = EXAMPLE
idmap config * : range = 400001-410000
idmap config * : backend = tdb
idmap config example : range = 500-400000
idmap config example : schema_mode = rfc2307
idmap config example : backend = ad
rpc_daemon:spoolssd = off
printing = bsd
use sendfile = Yes
[profiles]
browseable = No
path = /var/lib/samba/profiles
read only = No
[homes]
browseable = No
comment = Home Directory
read only = No
[team1]
comment = Equipe TEAM1
force group = +team1
path = /home/team1
read only = No
valid users = +team1
Any clues on the id numbers and home given by winbind?
Regards
--
Jean Louis Mas
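As an added diagnostic (not from the post above or from the Samba project), the script below reads the '*' fallback range out of the posted smb.conf and flags every uid/gid in the posted `id jlmas` output that lies in that range, i.e. that winbind allocated locally through the tdb backend instead of reading from AD; the two sample strings are copied from the post, and the awk parsing of the smb.conf and `id` formats is my own assumption.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: find which ids in an `id`
# output line fall inside the smb.conf "*" idmap range, i.e. were allocated
# locally by the tdb backend instead of being read from AD (rfc2307).

# Constructed inputs, copied from the post: the idmap part of the new smb.conf
# and the `id jlmas` output (French "groupes=" label kept as printed).
SMB_CONF_SAMPLE='[global]
idmap config * : range = 400001-410000
idmap config * : backend = tdb
idmap config example : range = 500-400000
idmap config example : schema_mode = rfc2307
idmap config example : backend = ad'
ID_OUTPUT_SAMPLE='uid=20025(jlmas) gid=400005(misi) groupes=400005(misi),400004(lig),400010(wikimisi),400001(domain users),400003(BUILTIN\users)'

# idmap_range DOMAIN -> prints "LOW HIGH" of "idmap config DOMAIN : range".
# Whitespace is stripped first so "idmap config * : range" and
# "idmap config *:range" are both matched.
idmap_range() {
    printf '%s\n' "$SMB_CONF_SAMPLE" | awk -v dom="$1" '
        { line = $0; gsub(/[ \t]/, "", line)
          key = "idmapconfig" dom ":range="
          if (index(line, key) == 1) {
              split(substr(line, length(key) + 1), r, "-"); print r[1], r[2] } }'
}

# ids_in_fallback_range ID_LINE -> prints "name:number" for every distinct
# uid/gid in ID_LINE that lies inside the "*" range. Tokens are matched as
# NUMBER(NAME) so names with spaces such as "domain users" survive.
ids_in_fallback_range() {
    line=$1
    set -- $(idmap_range '*')
    printf '%s\n' "$line" | awk -v lo="$1" -v hi="$2" '
        { s = $0
          while (match(s, /[0-9]+\([^)]*\)/)) {
              tok = substr(s, RSTART, RLENGTH); s = substr(s, RSTART + RLENGTH)
              num = tok; sub(/\(.*/, "", num)
              name = tok; sub(/^[0-9]+\(/, "", name); sub(/\)$/, "", name)
              if (num + 0 >= lo + 0 && num + 0 <= hi + 0 && !seen[num]++)
                  print name ":" num } }'
}

# fallback_id_count ID_LINE -> number of ids flagged above (0 means every id
# came from the AD range, which is what the expected output in the post shows).
fallback_id_count() {
    ids_in_fallback_range "$1" | awk 'END { print NR }'
}

# Example run on the posted `id jlmas` output: every gid is flagged, the uid is not.
ids_in_fallback_range "$ID_OUTPUT_SAMPLE"
```

Every group in the posted output is reported, while the uid 20025 (read from AD) is not, which is the pattern to look for when the rfc2307 attributes are not being used for groups.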