[Samba] clients not connecting to samba shares
Gary Dale
gary at extremeground.com
Sat Apr 1 15:15:08 UTC 2023
On 2023-04-01 07:01, Rowland Penny via samba wrote:
>
>
> On 31/03/2023 22:38, Gary Dale via samba wrote:
>> Actually, I was probably a little optimistic in my assessment. My
>> network shares are problematic. I tried using
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>> to get the shares working but that led me down a rabbit hole.
>>
>> The basic problem is my Linux computers use NFS to connect to network
>> shares. If I set up the shares as described in the wiki, my Linux
>> computers lose access - there doesn't appear to be a mapping between,
>> for example, "Domain Users" and users.
>
>
> Hmm, this is one of the problems of using a DC as a fileserver with
> the 'ad' idmap backend.
>
> On a standard Samba DC using the idmap backend (the default), if you
> look in idmap.ldb, you should find something like this:
>
> dn: CN=S-1-5-21-627072207-2265849604-124128874-513
> cn: S-1-5-21-627072207-2265849604-124128874-513
> objectClass: sidMap
> objectSid: S-1-5-21-627072207-2265849604-124128874-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-627072207-2265849604-124128874-513
>
> Which clearly shows that Domain Users (the RID 513) is mapped to the
> Unix ID (xidNumber) 100
>
> If you check /etc/group on the DC you will find this:
>
> grep '100' /etc/group
> users:x:100:<LIST_OF_LOCAL_USERS>
>
> So, as standard, Domain Users is mapped to the Unix group users.
> If you give Domain Users a gidNumber attribute (you have to, to get
> the 'ad' idmap backend to work on Unix domain members), whatever
> number you use will override the '100' and break the mapping. You
> might think that you could use '100' for the gidNumber and yes you
> could, but this would mean that the idmap config range for the domain
> would have to start at 100 and that isn't really a good idea.
>
I was trying to follow the advice at
https://wiki.samba.org/index.php/Idmap_config_ad but testparm keeps
returning the error "ERROR: The idmap range for the domain * (tdb)
overlaps with the range of HOME (ad)!"
>
>> If I don't set up all the file ownerships to use "Domain Users", my
>> Windows users can't use them (except for the domain Administrator).
>>
>> And even going into the security tab on files or folders properties
>> usually crashes the window - even when I'm logged in as the domain
>> Administrator.
>
> That should not happen, though there was a known bug, which I thought
> had been fixed.
>
>>
>> My first attempt to fix this was to upgrade to the backports version
>> of Samba since you indicated it might be necessary for an up-to-date
>> Windows 10 machine. The upgrade had no impact - the problems remain
>> the same.
>>
>> In the past this was resolvable by manually mapping the Windows
>> groups to the Linux ones - and this was working on my server until
>> recently. However I gather that some change to either Windows or
>> Samba caused that to stop working.
>
> The problem is, you shouldn't really have Linux groups per se, you
> should have Windows groups that are also Linux groups i.e. everything
> is in AD.
That's not a great idea. It would mean I'd have to modify every Linux
system. And can Linux groups even have a domain, let alone spaces, in
their names (e.g. "home\Domain Users")? Mapping seems like a far more
practical solution.
>
>>
>> Any advice on how to proceed?
>
> Can we start with the smb.conf you are using now.
Here's the part without the share definitions:
# Global parameters
[global]
        dns forwarder = 192.168.1.1
        netbios name = THELIBRARIAN
        realm = HOME.RAHIM-DALE.ORG
        server role = active directory domain controller
        workgroup = HOME
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config HOME:backend = ad
        idmap config HOME:schema_mode = rfc2307
        idmap config HOME:range = 10000-999999
        idmap config HOME:unix_nss_info = yes
        idmap config HOME:unix_primary_group = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/home.rahim-dale.org/scripts
        read only = No

[Profiles]
        path = /home/samba/profiles
        read only = No
        create mask = 0777
        directory mask = 0777
        guest ok = Yes
        browseable = No

[homes]
        comment = Home Directories
        valid users = %S
        create mask = 0700
        directory mask = 0700
        browseable = No
>
> What version of NFS are you using 3 or 4 ?
nfsstat -s shows v4 but I'm using the v3 style settings in /etc/exports
(e.g. /home/shares 192.168.1.0/24(rw,sync) ). I haven't set up
anything that takes advantage of any v4 features. I note that there are
options for using Kerberos in v4, which I'm guessing is where you are
going...
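The idmap reasoning in the quoted reply, worked through as an added example that is not code from this thread or from Samba. It parses the "idmap config" lines from the smb.conf above, tests the two ranges for intersection (the arithmetic condition behind the testparm message), reports whether a gidNumber such as 100 lies inside a domain's configured range, and follows the quoted idmap.ldb record from RID 513 through xidNumber to the group name in /etc/group. All inputs are constructed samples built from values shown in the thread; the overlapping variant (5000-999999) and the /etc/group member names are assumptions.

```python
"""Added example (not from the thread or from Samba): reproduce the idmap reasoning
in the quoted reply on constructed sample input built from values shown there."""
import re

# Constructed sample: the idmap lines from the smb.conf posted above.
SMB_CONF = """\
[global]
        workgroup = HOME
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config HOME:backend = ad
        idmap config HOME:range = 10000-999999
"""

# Constructed variant with a deliberate overlap (assumed value) to show the failing case.
SMB_CONF_OVERLAP = SMB_CONF.replace("10000-999999", "5000-999999")

# Constructed sample: the idmap.ldb record quoted above (abridged), in LDIF form.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-627072207-2265849604-124128874-513
objectClass: sidMap
objectSid: S-1-5-21-627072207-2265849604-124128874-513
type: ID_TYPE_GID
xidNumber: 100
"""

# Constructed sample /etc/group line; the member names are placeholders.
ETC_GROUP = "users:x:100:alice,bob\n"

# Matches 'idmap config DOMAIN : key = value' with or without spaces around the colon.
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)


def parse_idmap_config(conf_text):
    """Return {domain: {key: value}} for every 'idmap config' line in smb.conf text."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
            cfg.setdefault(domain, {})[key] = value
    return cfg


def parse_range(value):
    """'3000-7999' -> (3000, 7999)."""
    lo, hi = (int(x) for x in value.split("-", 1))
    return lo, hi


def find_overlaps(cfg):
    """Return (domain_a, domain_b) pairs whose ranges intersect: the condition testparm rejects."""
    ranges = {d: parse_range(v["range"]) for d, v in cfg.items() if "range" in v}
    doms = sorted(ranges)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def gid_in_domain_range(cfg, domain, gid):
    """True if gid lies inside the configured range of 'domain'."""
    lo, hi = parse_range(cfg[domain]["range"])
    return lo <= gid <= hi


def parse_ldif(ldif_text):
    """Minimal LDIF reader: list of {attr: [values]} records separated by blank lines."""
    records, current = [], {}
    for line in ldif_text.splitlines() + [""]:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return records


def resolve_rid(ldif_text, group_text, rid):
    """Follow RID -> objectSid record -> xidNumber -> /etc/group name; None if unmapped."""
    for rec in parse_ldif(ldif_text):
        sid = rec.get("objectSid", [""])[0]
        if sid.endswith(f"-{rid}") and rec.get("type", [""])[0] == "ID_TYPE_GID":
            xid = int(rec["xidNumber"][0])
            for gline in group_text.splitlines():
                fields = gline.split(":")
                if len(fields) >= 3 and fields[2] == str(xid):
                    return xid, fields[0]
            return xid, None  # mapped in idmap.ldb but no matching Unix group
    return None


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    print("overlaps as posted:", find_overlaps(cfg))
    print("overlaps in constructed variant:", find_overlaps(parse_idmap_config(SMB_CONF_OVERLAP)))
    print("gid 100 inside HOME range:", gid_in_domain_range(cfg, "HOME", 100))
    print("RID 513 ->", resolve_rid(IDMAP_LDIF, ETC_GROUP, 513))
```

On a live server, feed the overlap check the output of "testparm -s" rather than the raw file, so that whatever Samba actually loads is what gets compared; the RID lookup mirrors what "ldbsearch" on idmap.ldb followed by a grep of /etc/group shows by hand in the quoted reply.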