[Samba] Fileserver Upgrade problems

Elias Pereira empbilly at gmail.com
Thu Feb 4 20:08:27 UTC 2021


> Why have you added 'dfs_samba4' ?

Removed. :)

> it isn't a problem on a Unix domain member (never has been) but it
> breaks sysvol on a Samba AD DC if you add a gidNumber to Domain Admins.
> Windows has this quaint idea of letting a group own files & folders,
> something that isn't normally possible on Unix. However, on a Samba AD
> DC, Domain Admins is mapped as 'ID_TYPE_BOTH' (it is both a group and a
> user), if you give Domain Admins a gidNumber, you break this mapping and
> it just becomes a group and cannot own things in sysvol.


Ok.  At first I have Domain Admins with Unix Attribute.

If I remove it, what does that imply? Will I have to redo something?

What about my fileserver upgrade (4.10 to 4.13) that is now requesting a
password to access the shares?

On Thu, Feb 4, 2021 at 5:02 PM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 04/02/2021 19:30, Elias Pereira via samba wrote:
> > Hello,
> >
> > After I upgraded our fileserver from 4.10 to 4.13 and Debian 10, the
> > shared folder has stopped working. In fact now, every time I try to
> > access the shared folder, the password is requested.
> >
> > smb.conf
> > [global]
> >
> >          # Enable modules
> >          vfs objects = acl_xattr, recycle, full_audit, dfs_samba4
>
>
> Why have you added 'dfs_samba4' ?
>
> It should only be used on a Samba AD DC
>
> >
> > This below part of
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> > If you use the winbind 'ad' backend on Unix domain members and you add a
> > gidNumber attribute to the Domain Admins group in AD, you will break the
> > mapping in idmap.ldb. Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb,
> > this is to allow the group to own files in Sysvol on a Samba AD DC. It is
> > suggested you create a new AD group (Unix Admins for instance), give this
> > group a gidNumber attribute and add it to the Administrators group and
> > then, on Unix, use the group wherever you would normally use Domain Admins.
> >
> > didn't seem necessary in samba 4.10? Or at least when I set up the
> > fileserver it will be requested for "Domain Admins".
>
>
> it isn't a problem on a Unix domain member (never has been) but it
> breaks sysvol on a Samba AD DC if you add a gidNumber to Domain Admins.
> Windows has this quaint idea of letting a group own files & folders,
> something that isn't normally possible on Unix. However, on a Samba AD
> DC, Domain Admins is mapped as 'ID_TYPE_BOTH' (it is both a group and a
> user), if you give Domain Admins a gidNumber, you break this mapping and
> it just becomes a group and cannot own things in sysvol.
>
> Rowland


-- 
Elias Pereira
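
The `dfs_samba4` point raised in the thread can be checked mechanically. The following is an added example, not part of the original messages or of Samba itself: a small smb.conf parser that reports any section loading `dfs_samba4` when the server is not configured as an AD DC. The sample configuration is constructed from the lines quoted above, the `[data]` share is made up, and treating a missing `server role` as "not a DC" is an assumption of this sketch.

```python
import re

# Constructed sample: the [global] lines quoted in the thread plus a made-up share.
SAMPLE_MEMBER_CONF = """\
[global]
        # Enable modules
        vfs objects = acl_xattr, recycle, full_audit, dfs_samba4

[data]
        vfs objects = acl_xattr
"""

DC_ONLY_MODULES = {"dfs_samba4"}  # per the reply quoted in the thread
DC_ROLE = "active directory domain controller"


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lowercased, spaces removed."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def dc_only_vfs_findings(text):
    """List (section, module) pairs that load a DC-only VFS module on a non-DC."""
    conf = parse_smb_conf(text)
    role = " ".join(conf.get("global", {}).get("serverrole", "auto").lower().split())
    if role == DC_ROLE:
        return []
    findings = []
    for section, params in conf.items():
        # "vfs object" is accepted by Samba as a synonym for "vfs objects"
        value = params.get("vfsobjects", params.get("vfsobject", ""))
        for module in filter(None, re.split(r"[,\s]+", value)):
            if module.split(":")[0] in DC_ONLY_MODULES:
                findings.append((section, module))
    return findings
```

Calling `dc_only_vfs_findings(SAMPLE_MEMBER_CONF)` returns the `[global]` entry for `dfs_samba4`; include files and role synonyms are not handled here.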

