[Samba] Administrator User Has no access to Remote File Server

Rowland Penny rpenny at samba.org
Mon Dec 6 20:33:17 UTC 2021


On Mon, 2021-12-06 at 15:19 -0500, ralph strebbing wrote:
> On Mon, Dec 6, 2021 at 3:11 PM Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > Can we have a bit more info:
> > What OS's are you using ?
> DC and File Server are both running Ubuntu 20.04.3
> > What versions of Samba are you using ?
> DC1: 4.13.14-Debian (Using Van-Belle's Repo)
> Filesrv1: 4.13.14-Ubuntu (Using Standard Ubuntu Repo)
> > Have you added any RFC2307 attributes to AD ?
> Here is my SMB config from DC1:
> # Global parameters
> [global]
>        dns forwarder = 10.60.4.31
>        netbios name = DC1
>        realm = DOMAIN.COM
>        server role = active directory domain controller
>        workgroup = DOMAIN
>        idmap_ldb:use rfc2307 = yes
> 
> # Template settings for login shell and home directory
>        template shell = /bin/bash
>        template homedir = /home/%U
> 
>        winbind enum users = yes
>        winbind enum groups = yes

You do not need those two lines above, they only slow things down.

>        server services = -dns
> [sysvol]
>        path = /var/lib/samba/sysvol
>        read only = No
> 
> [netlogon]
>        path = /var/lib/samba/sysvol/domain.com/scripts
>        read only = No
> 
> So yes, in both DC1, rfc2307 has been set to yes for the idmap_ldb,
> and is being called in the idmap settings of filesrv1 (posted
> before).

That isn't what I asked, but it possibly answers the question. If you
use the winbind 'ad' backend, you must manually add RFC2307 attributes,
nothing adds them automatically, so if you haven't added them, they
will not be there. If you haven't added them yet, can I suggest you
start at '10000' and adjust your 'idmap config' lines on the Unix
domain members.

After you have done the above, add 'min domain uid = 0' to your Unix
domain members.

Rowland
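
As an added illustration (not part of the original message, and not filesrv1's actual configuration, which is not shown on this page): the `idmap config` lines on a Unix domain member using the 'ad' backend with the range starting at 10000, followed by `min domain uid = 0`. The `*` range and the upper bound 999999 are assumed values; workgroup and realm are taken from the DC1 config quoted above.

```ini
# smb.conf on the Unix domain member (illustrative values, see the note above)
[global]
    workgroup = DOMAIN
    realm = DOMAIN.COM
    security = ADS

    # Default domain (BUILTIN and anything not matched below).
    # Assumed range; it must not overlap the DOMAIN range.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The 'ad' backend only reads uidNumber/gidNumber already stored in AD;
    # it never allocates IDs itself.
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : schema_mode = rfc2307
    # Lower bound matches the suggested starting value of 10000;
    # the upper bound is an assumption.
    idmap config DOMAIN : range = 10000-999999

    # Added after the RFC2307 attributes have been set in AD.
    min domain uid = 0
```

With this range, any user or group whose uidNumber or gidNumber in AD falls outside 10000-999999 is ignored by winbind on this member.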




