[Samba] Recipe/advice for Samba 4.11 on Ubuntu 20.04 as member server joining Windows Server 2019 AD

Michael Galvon red at redrhino.ca
Tue Jun 30 05:46:50 UTC 2020


Thank you Rowland for your rapid response!

We have made progress, and are hung up on some odd behaviour (at least 
to us) with the computer management and shares/security tab.

To be more explicit, looking at the wiki page
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs

The odd behaviour seems to us that in the "Share Permissions" tab, the 
group "Everyone" must have Read access in order for the "Security" tab 
to be able to show/adjust security access.

Is this expected behaviour? It runs counter to 20+ years of experience 
in setting up Windows sharing.

If we, for example, remove "Everyone" from the Share Permissions tab 
and replace it with "Domain Admins" and "Domain Users", both having full 
control, then we see this message on the Security tab:
  Object Name: \\proto1\derekwashere

You must have Read permissions to view the properties of this object.

  Click advanced to continue.

Clicking on Advanced gets us to the expected screen, but any change 
(e.g. Owner:  ) results in
Unable to set new owner on derekwashere (\\proto1)
Access is denied.


Kindly advise -- we have a host of troubleshooting information should 
you need/want it.


# /etc/samba/smb.conf

[global]
     disable spoolss = Yes
     load printers = No
     log file = /var/log/samba/%m.log
     printcap name = /dev/null
     realm = HO.CLAY.BC.CA
     security = ADS
     server string = TEST server
     template homedir = /0data/smb_shares/home/%U
     template shell = /bin/bash
     username map = /etc/samba/user.map
     winbind enum users = Yes
     winbind use default domain = Yes
     workgroup = HO
     idmap config ho : range = 10000-999999
     idmap config ho : backend = rid
     idmap config * : range = 3000-7999
     idmap config * : backend = tdb
     map acl inherit = Yes
     printing = bsd
     vfs objects = acl_xattr


[test03]
     path = /0data/smb_shares/test03/
     read only = No


# /etc/samba/user.map
!root = HO\Administrator HO\administrator administrator



Thanks in advance,

mtg




On 2020-06-24 12:00 a.m., Rowland penny via samba wrote:
> On 24/06/2020 02:02, Michael Galvon via samba wrote:
>> Hi,
>>
>> Brand new VMs running on ESXi replacing an existing Samba 3 NT domain.
>> I am not quite brand new, but this is my first time for this combination.
>> Would like to use Windows AD for authentication and Samba for 20 users 
>> and company shared data.
>>
>> Started with this how-to:
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>
>> Lost my way on "Choose backend for id mapping in winbindd" and further 
>> reading on mapping Unix attributes for users in ADUC.
>> It appears we must manually edit each user's properties?
>> To my eyes, it appears the article was written to assist in joining 
>> Samba member servers to Samba AD.
>
> It doesn't matter if the DC is a Samba AD DC or a Windows AD DC, you 
> set the Unix domain members up the same.
>
> It boils down to three main winbind backends: rid, ad and autorid. You 
> only need to add anything to AD if you use the 'ad' backend. The 'rid' 
> backend calculates the Unix ID from the Windows user or group RID, the 
> 'autorid' backend does something similar, but is really meant for 
> multiple domains.
>
> The only time you need to add anything to AD is if you use the 'ad' 
> backend, in which case you must add RFC2307 attributes (uidNumber, 
> gidNumber, etc), but it does give you the same ID on all your Unix 
> machines and the ability to set individual home directories and login 
> shells.
>
> Rowland

-- 
Michael Galvon
Red Rhino Technologies Inc.
C - 250-888-6505
T - 250.920.4004
support at redrhino.ca
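Rowland's description of the 'rid' backend ("calculates the Unix ID from the Windows user or group RID") can be checked against the idmap ranges in the smb.conf quoted above. The following is an added example, not code from the thread or from Samba: it models idmap_rid's arithmetic (unix_id = low + rid - base_rid, base_rid defaulting to 0) over the posted ranges and flags overlapping ranges, which is the usual cause of winbind refusing to map IDs.

```python
# Added example: model of Samba's idmap_rid mapping for the smb.conf in the thread.
# The formula and the default base_rid = 0 match idmap_rid's documented behaviour;
# the config text below is copied from the posted smb.conf (constructed input).
import re

SMB_CONF = """
[global]
     idmap config ho : range = 10000-999999
     idmap config ho : backend = rid
     idmap config * : range = 3000-7999
     idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)")


def parse_idmap(conf):
    """Return {DOMAIN: {'backend': str, 'low': int, 'high': int}} from idmap config lines."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = cfg.setdefault(dom.upper(), {})
        if key == "backend":
            entry["backend"] = val.lower()
        else:
            low, high = (int(x) for x in val.split("-"))
            entry["low"], entry["high"] = low, high
    return cfg


def rid_to_unix_id(cfg, domain, rid, base_rid=0):
    """idmap_rid arithmetic: low + rid - base_rid, or None when the domain is not
    served by the rid backend or the result falls outside the configured range."""
    entry = cfg.get(domain.upper())
    if not entry or entry.get("backend") != "rid":
        return None
    unix_id = entry["low"] + rid - base_rid
    return unix_id if entry["low"] <= unix_id <= entry["high"] else None


def overlapping_ranges(cfg):
    """Return pairs of idmap domains whose ID ranges overlap (Samba requires disjoint ranges)."""
    names = sorted(cfg)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if cfg[a]["low"] <= cfg[b]["high"] and cfg[b]["low"] <= cfg[a]["high"]]


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    # Well-known RIDs: 512 = Domain Admins, 513 = Domain Users
    print("Domain Admins ->", rid_to_unix_id(cfg, "HO", 512))
    print("Domain Users  ->", rid_to_unix_id(cfg, "HO", 513))
    print("overlaps:", overlapping_ranges(cfg))
```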


