[Samba] R: winbindd no access console with root

Rowland Penny rpenny at samba.org
Thu Dec 22 10:34:36 UTC 2022 


On 22/12/2022 10:18, Corrado Ravinetto via samba wrote:
> I compiled by my self and it's a domain member's role 😊

No, I was trying to find out if you had compiled without the DC 
components, but it sounds like you just ran:

./configure
make
make install

and everything ended up in /usr/local/samba/

> 
> [global]
>          client min protocol = NT1
>          log file = /var/log/samba/message.log
>          max log size = 1000
>          ntlm auth = ntlmv1-permitted
>          os level = 250
>          realm = LXCERRUTI.COM
>          security = ADS
>          server min protocol = NT1
>          server role = member server
>          server string = Samba Member - Versione %v
>          winbind offline logon = Yes
>          winbind use default domain = Yes
>          workgroup = LXCERRUTI
>          idmap config * : range = 100000-107999
>          idmap config lxcerruti : backend = ad
>          idmap config lxcerruti : range = 0-99999
>          idmap config lxcerruti : unix_nss_info = yes
>          idmap config * : backend = tdb
>          acl allow execute always = Yes
> 
> 
> [Vol1]
>          admin users = @g_admin
>          comment = Home Directory per ogni User
>          create mask = 0777
>          directory mask = 0777
>          hide unreadable = Yes
>          path = /Cerruti
>          read only = No
>          vfs objects = recycle
>          recycle:maxsize = 500000000
>          recycle:exclude = *.tmp *.ldb *.temp ~$* *.LCK *.dmp
>          recycle:versions = yes
>          recycle:keeptree = yes
>          recycle:touch = yes
>          recycle:repository = .recycle/%U
> 

It looks like you upgraded from an NT4-style domain and are still 
thinking in NT4-style ways.

There is an obvious reason why 'root' isn't working, perhaps you will 
understand why after reading this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba

Do you still have any pre-vista Windows machines in your domain ?
If not, you can remove all the SMBv1 lines.

I would also suggest you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

And then set the share permissions from Windows, this will you much 
finer access control.

Rowland

More information about the samba mailing list