[Samba] Recipe/advice for Samba 4.11 on Ubuntu 20.04 as member server joining Windows Server 2019 AD

L.P.H. van Belle belle at bazuin.nl
Tue Jun 30 07:06:21 UTC 2020


In this case. 

Change the setup. 
 \\proto1\derekwashere 
To
 \\proto1\users\derekwashere

Apply the correct rights on users and for the share.
And you have your security tab back.

PS. And I would use:

\\FQ.D.N\users\
Because it simply helps in avoiding sudden problems. 


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Michael Galvon via samba
> Sent: Tuesday 30 June 2020 7:47
> To: samba at lists.samba.org
> Subject: Re: [Samba] Recipe/advice for Samba 4.11 on Ubuntu
> 20.04 as member server joining Windows Server 2019 AD
> 
> Thank you Rowland for your rapid response!
> 
> We have made progress, and are hung up on some odd behaviour (at least
> to us) with the computer management and shares/security tab.
> 
> To be more explicit, looking at the wiki page
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs
> 
> The odd behaviour seems to us that in the "Share Permissions" tab, the
> group "Everyone" must have Read access in order for the "Security" tab
> to be able to show/adjust security access.
> 
> Is this expected behaviour?  It runs counter to 20+ years of experience
> in setting up windows sharing.
> 
> If we, for example, remove "everyone" from the share permissions tab,
> and replace it with "Domain Admins" and "Domain Users", both having full
> control, then we see this message on the Security tab...
>   Object Name: \\proto1\derekwashere
> 
> You must have Read permissions to view the properties of this object.
> 
>   Click advanced to continue.
> 
> Clicking on advanced gets us to the expected screen, but any changes 
> (e.g. Owner:  ) result in
> Unable to set new owner on derekwashere (\\proto1)
> Access is denied.
> 
> 
> Kindly advise -- we have a host of troubleshooting information should 
> you need/want it.
> 
> 
> # /etc/samba/smb.conf
> 
> [global]
>      disable spoolss = Yes
>      load printers = No
>      log file = /var/log/samba/%m.log
>      printcap name = /dev/null
>      realm = HO.CLAY.BC.CA
>      security = ADS
>      server string = TEST server
>      template homedir = /0data/smb_shares/home/%U
>      template shell = /bin/bash
>      username map = /etc/samba/user.map
>      winbind enum users = Yes
>      winbind use default domain = Yes
>      workgroup = HO
>      idmap config ho : range = 10000-999999
>      idmap config ho : backend = rid
>      idmap config * : range = 3000-7999
>      idmap config * : backend = tdb
>      map acl inherit = Yes
>      printing = bsd
>      vfs objects = acl_xattr
> 
> 
> [test03]
>      path = /0data/smb_shares/test03/
>      read only = No
> 
> 
> # /etc/samba/user.map
> !root = HO\Administrator HO\administrator administrator
> 
> 
> 
> Thanks in advance,
> 
> mtg
> 
> 
> 
> 
> On 2020-06-24 12:00 a.m., Rowland penny via samba wrote:
> > On 24/06/2020 02:02, Michael Galvon via samba wrote:
> >> Hi,
> >>
> >> Brand new VM's running on ESXi replacing existing Samba 3 NT domain.
> >> I am not quite brand new but this is my first time for this combination.
> >> Would like to use Win Ad for authentication and Samba for 20 users 
> >> and company shared data.
> >>
> >> Started with this how-to:
> >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >>
> >> Lost my way on Choose backend for id mapping in winbindd and further 
> >> reading in mapping Unix attributes for users in ADUC.
> >> It appears we must manually edit each user's properties?
> >> To my eyes, it appears the article was written to assist in joining 
> >> Samba member servers to join Samba AD
> >
> > It doesn't matter if the DC is a Samba AD DC or a Windows AD DC, you 
> > set the Unix domain members up the same.
> >
> > It boils down to three main winbind backends: rid, ad and autorid. You 
> > only need to add anything to AD if you use the 'ad' backend. The 'rid' 
> > backend calculates the Unix ID from the Windows user or group RID, the 
> > 'autorid' backend does something similar, but is really meant for 
> > multiple domains.
> >
> > The only time you need to add anything to AD is if you use the 'ad' 
> > backend, in which case you must add RFC2307 attributes (uidNumber, 
> > gidNumber, etc), but it does give you the same ID on all your Unix 
> > machines and the ability to set individual home directories and login 
> > shells.
> >
> > Rowland
> >
> >
> >
> >
> 
> -- 
> Michael Galvon
> Red Rhino Technologies Inc.
> C - 250-888-6505
> T - 250.920.4004
> support at redrhino.ca
> 
> 



