[Samba] Recipe/advice for Samba 4.11 on Ubuntu 20.04 as member server joining Windows Server 2019 AD
L.P.H. van Belle
belle at bazuin.nl
Tue Jun 30 07:06:21 UTC 2020
In this case.
Change the setup.
\\proto1\derekwashere
To
\\proto1\users\derekwashere
Apply the correct rights on users and for the share.
And you have your security tab back
PS: And I would use
\\FQ.D.N\users\
Because it simply helps in avoiding sudden problems.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Michael Galvon via samba
> Sent: Tuesday 30 June 2020 7:47
> To: samba at lists.samba.org
> Subject: Re: [Samba] Recipe/advice for Samba 4.11 on Ubuntu 20.04 as member server joining Windows Server 2019 AD
>
> Thank you Rowland for your rapid response!
>
> We have made progress, and are hung up on some odd behaviour (at least
> to us) with the computer management and shares/security tab.
>
> To be more explicit, looking at the wiki page
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs
>
> The odd behaviour seems to us that in the "Share Permissions" tab, the
> group "Everyone" must have Read access in order for the "Security" tab
> to be able to show/adjust security access.
>
> Is this expected behaviour? It runs counter to 20+ years of experience
> in setting up windows sharing.
>
> If we, for example, remove "everyone" from the share permissions tab,
> and replace it with "Domain Admins" and "Domain Users", both having full
> control, then we see this message on the Security tab...
> Object Name: \\proto1\derekwashere
>
> You must have Read permissions to view the properties of this object.
>
> Click advanced to continue.
>
> Clicking on Advanced gets us to the expected screen, but any changes
> (e.g. Owner: ) result in
> Unable to set new owner on derekwashere (\\proto1)
> Access is denied.
>
>
> Kindly advise -- we have a host of troubleshooting information should
> you need/want it.
>
>
> # /etc/samba/smb.conf
>
> [global]
> disable spoolss = Yes
> load printers = No
> log file = /var/log/samba/%m.log
> printcap name = /dev/null
> realm = HO.CLAY.BC.CA
> security = ADS
> server string = TEST server
> template homedir = /0data/smb_shares/home/%U
> template shell = /bin/bash
> username map = /etc/samba/user.map
> winbind enum users = Yes
> winbind use default domain = Yes
> workgroup = HO
> idmap config ho : range = 10000-999999
> idmap config ho : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> map acl inherit = Yes
> printing = bsd
> vfs objects = acl_xattr
>
>
> [test03]
> path = /0data/smb_shares/test03/
> read only = No
>
>
> # /etc/samba/user.map
> !root = HO\Administrator HO\administrator administrator
>
>
>
> Thanks in advance,
>
> mtg
>
>
>
>
> On 2020-06-24 12:00 a.m., Rowland penny via samba wrote:
> > On 24/06/2020 02:02, Michael Galvon via samba wrote:
> >> Hi,
> >>
> >> Brand new VMs running on ESXi replacing existing Samba 3 NT domain.
> >> I am not quite brand new but this is my first time for this
> >> combination.
> >> Would like to use Win AD for authentication and Samba for 20 users
> >> and company shared data.
> >>
> >> Started with this how-to:
> >>
> >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >>
> >> Lost my way on Choose backend for id mapping in winbindd and further
> >> reading in mapping Unix attributes for users in ADUC.
> >> It appears we must manually edit each user's properties?
> >> To my eyes, it appears the article was written to assist in joining
> >> Samba member servers to join Samba AD
> >
> > It doesn't matter if the DC is a Samba AD DC or a Windows AD DC, you
> > set the Unix domain members up the same.
> >
> > It boils down to three main winbind backends: rid, ad and autorid. You
> > only need to add anything to AD if you use the 'ad' backend. The 'rid'
> > backend calculates the Unix ID from the Windows user or group RID, the
> > 'autorid' backend does something similar, but is really meant for
> > multiple domains.
> >
> > The only time you need to add anything to AD is if you use the 'ad'
> > backend, in which case you must add RFC2307 attributes (uidNumber,
> > gidNumber, etc), but it does give you the same ID on all your Unix
> > machines and the ability to set individual home directories and login
> > shells.
> >
> > Rowland
> >
> >
> >
> >
>
> --
> Michael Galvon
> Red Rhino Technologies Inc.
> C - 250-888-6505
> T - 250.920.4004
> support at redrhino.ca
>
>
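
An added example, not part of the original thread and not Samba's own code: the arithmetic the 'rid' backend performs, following the formula in the idmap_rid(8) man page (ID = RID - BASE_RID + LOW_RANGE_VALUE) with the range from the smb.conf quoted above. The domain SID and the function names are constructed for illustration.

```python
# Values from the smb.conf quoted in this thread:
#   idmap config ho : backend = rid
#   idmap config ho : range = 10000-999999
LOW, HIGH = 10000, 999999
BASE_RID = 0  # idmap_rid default when "base_rid" is not set

# Constructed placeholder, not the real SID of the HO domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def split_sid(sid):
    """Split 'S-1-5-21-...-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_unix_id(sid, domain_sid=DOMAIN_SID, low=LOW, high=HIGH, base_rid=BASE_RID):
    """Return the uid/gid this rid mapping yields, or None if it does not apply."""
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None  # SID is not in this domain, so this idmap config is not used
    unix_id = rid - base_rid + low
    if rid < base_rid or unix_id > high:
        return None  # RID does not fit inside the configured range
    return unix_id


def unix_id_to_sid(unix_id, domain_sid=DOMAIN_SID, low=LOW, high=HIGH, base_rid=BASE_RID):
    """Reverse mapping: RID = ID + BASE_RID - LOW_RANGE_VALUE."""
    if not low <= unix_id <= high:
        return None  # ID belongs to another range, e.g. the "*" range 3000-7999
    return f"{domain_sid}-{unix_id + base_rid - low}"


if __name__ == "__main__":
    # 512 = Domain Admins, 513 = Domain Users, 1105 = a constructed user RID
    for rid in (512, 513, 1105, 990000):
        print(rid, "->", sid_to_unix_id(f"{DOMAIN_SID}-{rid}"))
```

Because the result depends only on the RID and the configured range, every member server with the same `idmap config` lines computes the same IDs, and a RID too large for the range is simply left unmapped.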