[Samba] clients not connecting to samba shares

Rowland Penny rpenny at samba.org
Sat Apr 1 11:01:21 UTC 2023 


On 31/03/2023 22:38, Gary Dale via samba wrote:
> Actually, I was probably a little optimistic in assessment. My network 
> shares are problematic. I tried using 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 
> to get the shares working but that let me down a rabbithole
> 
> The basic problem is my Linux computers use NSF to connect to network 
> shares, If I set up the shares as described in the wiki, my Linux 
> computers lose access - there doesn't appear to be a mapping between, 
> for example, "Domain Users" and users.


Hmm, this is one of the problems of using a DC as a fileserver with the 
'ad' idmap backend.

On a standard Samba DC using the idmap backend (the default), if you 
look in idmap.ldb, you should find something ike this:

dn: CN=S-1-5-21-627072207-2265849604-124128874-513
cn: S-1-5-21-627072207-2265849604-124128874-513
objectClass: sidMap
objectSid: S-1-5-21-627072207-2265849604-124128874-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-627072207-2265849604-124128874-513

Which clearly shows that Domain Users (the RID 513) is mapped to the 
Unix ID (xidNumber) 100

If you check /etc/group on the DC you will find this:

grep '100' /etc/group
users:x:100:<LIST_OF_LOCAL_USERS>

So, as standard, Domain Users is mapped to the Unix group users.
If you give Domain Users a gidNumber attribute (you have to, to get the 
'ad' idmap backend to work on Unix domain members), whatever number you 
use will override the '100' and break the mapping. You might think that 
you could use '100' for the gidNumber and yes you could, but this would 
mean that the idmap config range for the domain would have to start at 
100 and that isn't really a good idea.


> If I don't set up all the file 
> ownerships to use "Domain Users", my Windows users can't use them 
> (except for the domain Administrator).
> 
> And even going into the security tab on files or folders properties 
> usually crashes the window - even when I'm logged in as the domain 
> Administrator.

That should not happen, though there was a known bug, which I though had 
been fixed.

> 
> My first attempt to fix this was to upgrade to the backports version of 
> Samba since you indicated it might be necessary for an up-to-date 
> Windows 10 machine. The upgrade had no impact - the problems remain the 
> same.
> 
> In the past this was resolvable by manually mapping the Windows groups 
> to the Linux ones - and this was working on my server until recently. 
> However I gather that some change to either Windows or Samba caused that 
> to stop working.

The problem is, you shouldn't really have Linux groups per se, you 
should have Windows groups that are also Linux groups i.e. everything is 
in AD.

> 
> Any advice on how to proceed?

Can we start with the smb.conf you are using now.

What version of NFS are you using 3 or 4 ?

Rowland

More information about the samba mailing list