[Samba] Errors for shares since 4.12.0
Andreas Hauffe
andreas.hauffe at tu-dresden.de
Tue Mar 10 11:54:30 UTC 2020
Thanks, I will give that a try.

But I need the 'winbind separator = +'. We use some expensive commercial
software (e.g. ANSYS, ABAQUS, ...), which uses shell scripts to start
their software under Linux. These scripts are not able to handle a
backslash in the user name. The only solution was to switch to a "+"
character. We reported these issues two years ago.

Regards,
Andreas

On 10.03.20 at 10:23, Rowland Penny via samba wrote:
> On 10/03/2020 08:03, Andreas Hauffe via samba wrote:
>> We have a kerberized NFS4 running on that machine, too.
> I do hope that you are not resharing the NFS share(s) via Samba, that
> way lies madness ;-)
>
> Try this smb.conf:
>
> [global]
> workgroup = SUBDOM
> realm = SUBDOM.DOM.EXAMPLE.COM
> security = ADS
>
> bind interfaces only = Yes
> interfaces = lo enp1s0f0
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = Yes
> idmap config SUBDOM : range = 3000-9999
> idmap config SUBDOM : backend = rid
> idmap config * : range = 2000-2999
> idmap config * : backend = tdb
> template homedir = /home/users/linux/%U
> template shell = /bin/bash
> map acl inherit = Yes
> vfs objects = acl_xattr
> smb encrypt = desired
>
> recycle:exclude_dir = tmp | temp | cache
> recycle:exclude = *.TMP | *.tmp | ~$*.doc
> recycle:noversions = *.ini | *.dat
> recycle:versions = Yes
> recycle:maxsize = 536870912
> recycle:touch = Yes
> recycle:keeptree = Yes
> recycle:directory_mode = 0700
> recycle:repository = %H/.Papierkorb/%S
>
> [share1]
> comment = Share 1
> create mask = 0740
> directory mask = 0750
> force create mode = 0660
> force directory mode = 0660
> force group = SUBDOM\worker
> inherit permissions = Yes
> path = PATHNAME
> read only = No
> root preexec = /bin/MK_PAPIERKORB %H "%u" %h %S
> valid users = SUBDOM\worker
> vfs objects = acl_xattr recycle crossrename
>
> [share2]
> comment = Share 2
> inherit acls = Yes
> path = PATHNAME
> read only = No
> valid users = SUBDOM\worker SUBDOM\user
> acl_xattr:ignore system acls = yes
>
> [share3]
> comment = Share 3
> create mask = 0660
> directory mask = 0770
> force create mode = 0660
> force directory mode = 0770
> force group = SUBDOM\group2
> path = PATHNAME
> read only = No
> root preexec = /bin/MK_PAPIERKORB %H "%u" %h %S
> valid users = SUBDOM\group2
> vfs objects = acl_xattr recycle crossrename
>
> [share4]
> comment = Share 4
> path = PATHNAME
> valid users = SUBDOM\group2 SUBDOM\group3 SUBDOM\group4
>
> You will notice a few things:
>
> 'dom' has gone, whilst allowing it as a trusted domain, you were not
> allowing the 'dom' users to actually do anything.
>
> 'winbind separator = +' has gone, there is no real point to it and
> 'testparm' throws a warning.
>
> As you are using the same recycle lines, you only need to set them
> once in [global] and set the recycle vfs in the required shares.
>
> I would also check that /etc/krb5.keytab contains all the required keys.
>
> Rowland
>
>
>
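The quoted advice to set the recycle lines once in [global] and load the recycle vfs only in the shares that need it can be checked mechanically; the following is an added example, not part of either message or of Samba. The function names and the sample config are constructed for illustration, and Python's configparser is only an approximation of Samba's own parser (no `include` or backslash line continuation).

```python
import configparser

# Constructed sample (not from the thread): one redundant, one unused recycle line.
SAMPLE = """
[global]
    vfs objects = acl_xattr
    recycle:versions = Yes
    recycle:keeptree = Yes
    recycle:repository = %H/.Papierkorb/%S
[share1]
    vfs objects = acl_xattr recycle crossrename
[share2]
    recycle:keeptree = Yes
    vfs objects = acl_xattr recycle
[share4]
    recycle:touch = Yes
"""

def load(text):
    # Strip indentation so configparser never reads a line as a continuation.
    text = "\n".join(line.strip() for line in text.splitlines())
    # '=' is the only delimiter; interpolation is off since values carry %H, %S.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   default_section="__unused__", strict=False)
    # Samba ignores case and extra whitespace in parameter names.
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    return cp

def recycle_report(text):
    cp = load(text)
    glob = dict(cp["global"]) if cp.has_section("global") else {}
    report = {}
    for share in cp.sections():
        if share == "global":
            continue
        opts = dict(cp[share])
        # A share-level 'vfs objects' replaces the global list, it does not extend it.
        vfs = opts.get("vfs objects", glob.get("vfs objects", "")).split()
        rec = {k: v for k, v in opts.items() if k.startswith("recycle:")}
        loaded = "recycle" in vfs
        report[share] = {
            "recycle_loaded": loaded,
            "redundant": sorted(k for k, v in rec.items() if glob.get(k) == v),
            "unused": [] if loaded else sorted(rec),
        }
    return report

if __name__ == "__main__":
    for share, result in recycle_report(SAMPLE).items():
        print(share, result)
```

`redundant` lists share-level recycle lines that repeat the [global] value; `unused` lists recycle lines in a share whose effective `vfs objects` does not load the recycle module.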