[Samba] Errors for shares since 4.12.0

Andreas Hauffe andreas.hauffe at tu-dresden.de
Tue Mar 10 11:54:30 UTC 2020


Thanks, I will give that a try.

But I need the 'winbind separator = +'. We use some expensive commercial 
software (e.g. ANSYS, ABAQUS, ...), which uses shell scripts to start 
their software under Linux. These scripts are not able to handle a 
backslash in the user name. The only solution was to switch to a "+" 
character. We reported these issues two years ago.

Regards,
Andreas

On 10.03.20 at 10:23, Rowland penny via samba wrote:
> On 10/03/2020 08:03, Andreas Hauffe via samba wrote:
>> We have a kerberized NFS4 running on that machine, too.
> I do hope that you are not resharing the NFS share(s) via Samba, that 
> way lies madness ;-)
>
> Try this smb.conf:
>
> [global]
>         workgroup = SUBDOM
>         realm = SUBDOM.DOM.EXAMPLE.COM
>         security = ADS
>
>         bind interfaces only = Yes
>         interfaces = lo enp1s0f0
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         winbind refresh tickets = Yes
>         idmap config SUBDOM : range = 3000-9999
>         idmap config SUBDOM : backend = rid
>         idmap config * : range = 2000-2999
>         idmap config * : backend = tdb
>         template homedir = /home/users/linux/%U
>         template shell = /bin/bash
>         map acl inherit = Yes
>         vfs objects = acl_xattr
>         smb encrypt = desired
>
>         recycle:exclude_dir = tmp | temp | cache
>         recycle:exclude = *.TMP | *.tmp | ~$*.doc
>         recycle:noversions = *.ini | *.dat
>         recycle:versions = Yes
>         recycle:maxsize = 536870912
>         recycle:touch = Yes
>         recycle:keeptree = Yes
>         recycle:directory_mode = 0700
>         recycle:repository = %H/.Papierkorb/%S
>
> [share1]
>         comment = Share 1
>         create mask = 0740
>         directory mask = 0750
>         force create mode = 0660
>         force directory mode = 0660
>         force group = SUBDOM\worker
>         inherit permissions = Yes
>         path = PATHNAME
>         read only = No
>         root preexec = /bin/MK_PAPIERKORB %H "%u" %h %S
>         valid users = SUBDOM\worker
>         vfs objects = acl_xattr recycle crossrename
>
> [share2]
>         comment = Share 2
>         inherit acls = Yes
>         path = PATHNAME
>         read only = No
>         valid users = SUBDOM\worker SUBDOM\user
>         acl_xattr:ignore system acls = yes
>
> [share3]
>         comment = Share 3
>         create mask = 0660
>         directory mask = 0770
>         force create mode = 0660
>         force directory mode = 0770
>         force group = SUBDOM\group2
>         path = PATHNAME
>         read only = No
>         root preexec = /bin/MK_PAPIERKORB %H "%u" %h %S
>         valid users = SUBDOM\group2
>         vfs objects = acl_xattr recycle crossrename
>
> [share4]
>         comment = Share 4
>         path = PATHNAME
>         valid users = SUBDOM\group2 SUBDOM\group3 SUBDOM\group4
>
> You will notice a few things:
>
> 'dom' has gone; whilst allowing it as a trusted domain, you were not 
> allowing the 'dom' users to actually do anything.
>
> 'winbind separator = +' has gone; there is no real point to it and 
> 'testparm' throws a warning.
>
> As you are using the same recycle lines, you only need to set them 
> once in [global] and set the recycle vfs in the required shares.
>
> I would also check that /etc/krb5.keytab contains all the required keys.
>
> Rowland
>
>
>

