[Samba] Fileserver Upgrade problems
Rowland penny
rpenny at samba.org
Thu Feb 4 20:01:30 UTC 2021
On 04/02/2021 19:30, Elias Pereira via samba wrote:
> Hello,
>
> After I upgrade our fileserver from 4.10 to 4.13 and debian 10, the shared
> folder has stopped working. In fact now, every time I try to access the
> shared folder, the password is requested.
>
> smb.conf
> [global]
>
> # Enable modules
> vfs objects = acl_xattr, recycle, full_audit, dfs_samba4
Why have you added 'dfs_samba4' ?
It should only be used on a Samba AD DC
>
>
>
>
>
> This below part of
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> If you use the winbind 'ad' backend on Unix domain members and you add a
> gidNumber attribute to the Domain Admins group in AD, you will break the
> mapping in idmap.ldb. Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb,
> this is to allow the group to own files in Sysvol on a Samba AD DC. It is
> suggested you create a new AD group (Unix Admins for instance), give this
> group a gidNumber attribute and add it to the Administrators group and
> then, on Unix, use the group wherever you would normally use Domain Admins.
>
> didn't seem necessary in samba 4.10? Or at least when I set up the
> fileserver it will be requested for "Domain Admins".
it isn't a problem on a Unix domain member (never has been) but it
breaks sysvol on a Samba AD DC if you add a gidNumber to Domain Admins.
Windows has this quaint idea of letting a group own files & folders,
something that isn't normally possible on Unix. However, on a Samba AD
DC, Domain Admins is mapped as 'ID_TYPE_BOTH' (it is both a group and a
user), if you give Domain Admins a gidNumber, you break this mapping and
it just becomes a group and cannot own things in sysvol.
Rowland
More information about the samba
mailing list