[Samba] Recipe/advice for Samba 4.11 on Ubuntu 20.04 as member server joining Windows Server 2019 AD
Michael Galvon
red at redrhino.ca
Tue Jun 30 05:46:50 UTC 2020
Thank you Rowland for your rapid response!
We have made progress, and are hung up on some odd behaviour (at least
to us) with the computer management and shares/security tab.
To be more explicit, looking at the wiki page
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs
The odd behaviour seems to us that in the "Share Permissions" tab, the
group "Everyone" must have Read access in order for the "Security" tab
to be able to show/adjust security access.
Is this expected behaviour? It runs counter to 20+ years of experience
in setting up windows sharing.
if we, for example, remove "everyone" from the share permissions tab,
and replace it with "Domain Admins" and "Domain Users", both having full
control, then we see this message on the Security, tab...
Object Name: \\proto1\derekwashere
You must have Read permissions to view the properties of this object.
Click advanced to continue.
clicking on advanced get us to the expected screen, but any changes
(e.g. Owner: ) results in
Unable to set new owner on derekwashere (\\proto1)
Access is denied.
Kindly advise -- we have a host of troubleshooting information should
you need/want it.
# /etc/samba/smb.conf
[global]
disable spoolss = Yes
load printers = No
log file = /var/log/samba/%m.log
printcap name = /dev/null
realm = HO.CLAY.BC.CA
security = ADS
server string = TEST server
template homedir = /0data/smb_shares/home/%U
template shell = /bin/bash
username map = /etc/samba/user.map
winbind enum users = Yes
winbind use default domain = Yes
workgroup = HO
idmap config ho : range = 10000-999999
idmap config ho : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
printing = bsd
vfs objects = acl_xattr
[test03]
path = /0data/smb_shares/test03/
read only = No
# /etc/samba/user.map
!root = HO\Administrator HO\administrator administrator
Thanks in advance,
mtg
On 2020-06-24 12:00 a.m., Rowland penny via samba wrote:
> On 24/06/2020 02:02, Michael Galvon via samba wrote:
>> Hi,
>>
>> Brand new VM's running on ESXi replacing existing Samba 3 NT domain.
>> I am not quite brand new but this is my first time for this combination.
>> Would like to use Win Ad for authentication and Samba for 20 users
>> and company shared data.
>>
>> Started with this how-to:
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>
>> Lost my way on Choose backend for id mapping in winbindd and further
>> reading in mapping Unix attributes for users in ADUC.
>> It appears we must manually edit each users properties?
>> To my eyes, it appears the article was written to assist in joining
>> Samba member servers to join Samba AD
>
> It doesn't matter if the DC is a Samba AD DC or a Windows AD DC, you
> set the Unix domain members up the same.
>
> It boils down to three main winbind backends: rid, ad and autorid. You
> only need to add anything to AD if you use the 'ad' backend. The 'rid'
> backend calculates the Unix ID from the Windows user or group RID, the
> 'autorid' backend does something similar, but is really meant for
> multiple domains.
>
> The only time you need to add anything to AD is if you use the 'ad'
> backend, in which case you must add RFC2307 attributes (uidNumber,
> gidNumber, etc), but it does give you the same ID on all your Unix
> machines and the ability to set individual home directories and login
> shells.
>
> Rowland
>
>
>
>
--
Michael Galvon
Red Rhino Technologies Inc.
C - 250-888-6505
T - 250.920.4004
support at redrhino.ca
More information about the samba
mailing list