[Samba] Fileserver Upgrade problems

Elias Pereira empbilly at gmail.com
Thu Feb 4 19:30:59 UTC 2021


After I upgrade our fileserver from 4.10 to 4.13 and debian 10, the shared
folder has stopped working. In fact now, every time I try to access the
shared folder, the password is requested.

        netbios name = FILESERVER
        workgroup = CAMPUS
        security = ADS
        realm = CAMPUS.COMPAMY.COM
        bind interfaces only = yes
        interfaces = eth0 lo

        # default config
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        idmap config CAMPUS:backend = ad
        idmap config CAMPUS:schema_mode = rfc2307
        idmap config CAMPUS:range = 10000-999999
        idmap config CAMPUS:unix_nss_info = yes
        idmap config CAMPUS:unix_primary_group = yes

        #winbind trusted domains only = no
        winbind use default domain = yes
        winbind nested groups = Yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind cache time = 300

        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        domain master = no
        local master = no
        prefered master = no

        # DFS server
        host msdfs = yes

        # Enable modules
        vfs objects = acl_xattr, recycle, full_audit, dfs_samba4

        map acl inherit = Yes
        store dos attributes = Yes
        username map = /etc/samba/user.map

        #log file
        log file = /var/log/samba/machines/%m.log
        log level = 1 passdb:2 auth:2 winbind:1

        # Variaveis para print server
        printing = cups
        load printers = yes
        printcap name = cups
        printcap cache time = 300
        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork
        spoolss: architecture = Windows x64
        #ldap server require strong auth = no

        # audit log file
        full_audit:success = open, opendir, write, unlink, rename, mkdir,
rmdir, chmod, chown
        full_audit:prefix = %u|%I|%S
        full_audit:failure = none
        full_audit:facility = LOCAL1
        full_audit:priority = notice

        path = /mnt/strdc3/
        read only = no

        # Entradas para a lixeira
        recycle:repository = /mnt/strdc3/recycle/%U
        recycle:keeptree = yes
        recycle:versions = yes
        recycle:touch = yes
        recycle:exclude = ?~$*,~$*,*.tmp,index*.pl,index*.htm*,*.temp,*.TMP
        recycle:exclude_dir=  /tmp,/temp,/cache
        recycle:noversions = *.doc,*.xls,*.ppt,*.docx,*.xlsx,*.pptx,*.pdf

        comment = All Printers
        path = /var/spool/samba
        #browseable = yes
        #writeable = yes
        printable = yes
        #read only = no
        #print ok = yes
        #public = yes
        #force printername = yes
        #guest ok = yes

        path = /var/samba/drivers
        read only = no
        #browseable = yes
        #write list = @"Domain Admins", root, administrator
        #inherit permissions = yes

This below part of

If you use the winbind 'ad' backend on Unix domain members and you add a
gidNumber attribute to the Domain Admins group in AD, you will break the
mapping in idmap.ldb. Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb,
this is to allow the group to own files in Sysvol on a Samba AD DC. It is
suggested you create a new AD group (Unix Admins for instance), give this
group a gidNumber attribute and add it to the Administrators group and
then, on Unix, use the group wherever you would normally use Domain Admins.

didn't seem necessary in samba 4.10? Or at least when I set up the
fileserver it will be requested for "Domain Admins".

Does this refer to adding a Unix Attribute to the "Domain Admins" group?

Elias Pereira

More information about the samba mailing list