[Samba] Fileserver Upgrade problems
Elias Pereira
empbilly at gmail.com
Thu Feb 4 19:30:59 UTC 2021
Hello,
After I upgrade our fileserver from 4.10 to 4.13 and debian 10, the shared
folder has stopped working. In fact now, every time I try to access the
shared folder, the password is requested.
smb.conf
[global]
netbios name = FILESERVER
workgroup = CAMPUS
security = ADS
realm = CAMPUS.COMPAMY.COM
bind interfaces only = yes
interfaces = eth0 lo
# default config
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config CAMPUS:backend = ad
idmap config CAMPUS:schema_mode = rfc2307
idmap config CAMPUS:range = 10000-999999
idmap config CAMPUS:unix_nss_info = yes
idmap config CAMPUS:unix_primary_group = yes
#winbind trusted domains only = no
winbind use default domain = yes
winbind nested groups = Yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind cache time = 300
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
domain master = no
local master = no
prefered master = no
# DFS server
host msdfs = yes
# Enable modules
vfs objects = acl_xattr, recycle, full_audit, dfs_samba4
map acl inherit = Yes
store dos attributes = Yes
username map = /etc/samba/user.map
#log file
log file = /var/log/samba/machines/%m.log
log level = 1 passdb:2 auth:2 winbind:1
# Variaveis para print server
printing = cups
load printers = yes
printcap name = cups
printcap cache time = 300
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
spoolss: architecture = Windows x64
#ldap server require strong auth = no
# audit log file
full_audit:success = open, opendir, write, unlink, rename, mkdir,
rmdir, chmod, chown
full_audit:prefix = %u|%I|%S
full_audit:failure = none
full_audit:facility = LOCAL1
full_audit:priority = notice
[storage]
path = /mnt/strdc3/
read only = no
# Entradas para a lixeira
recycle:repository = /mnt/strdc3/recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:exclude = ?~$*,~$*,*.tmp,index*.pl,index*.htm*,*.temp,*.TMP
recycle:exclude_dir= /tmp,/temp,/cache
recycle:noversions = *.doc,*.xls,*.ppt,*.docx,*.xlsx,*.pptx,*.pdf
[Printers]
comment = All Printers
path = /var/spool/samba
#browseable = yes
#writeable = yes
printable = yes
#read only = no
#print ok = yes
#public = yes
#force printername = yes
#guest ok = yes
[print$]
path = /var/samba/drivers
read only = no
#browseable = yes
#write list = @"Domain Admins", root, administrator
#inherit permissions = yes
This below part of
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
If you use the winbind 'ad' backend on Unix domain members and you add a
gidNumber attribute to the Domain Admins group in AD, you will break the
mapping in idmap.ldb. Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb,
this is to allow the group to own files in Sysvol on a Samba AD DC. It is
suggested you create a new AD group (Unix Admins for instance), give this
group a gidNumber attribute and add it to the Administrators group and
then, on Unix, use the group wherever you would normally use Domain Admins.
didn't seem necessary in samba 4.10? Or at least when I set up the
fileserver it will be requested for "Domain Admins".
Does this refer to adding a Unix Attribute to the "Domain Admins" group?
--
Elias Pereira
More information about the samba
mailing list