[Samba] clients not connecting to samba shares
Rowland Penny
rpenny at samba.org
Sat Apr 1 15:48:37 UTC 2023
On 01/04/2023 16:15, Gary Dale via samba wrote:
>>
>> The problem is, you shouldn't really have Linux groups per se, you
>> should have Windows groups that are also Linux groups i.e. everything
>> is in AD.
>
> That's not a great idea. It would mean I'd have to modify every Linux
> system.
Possibly
> And can Linux groups even have a domain let alone spaces in
> their names (e.g. home\Domain Users")?
Yes:
rowland at devstation:~$ getent group Domain\ Users
domain
users:x:10513:krbtgt,dhcpduser,test,user1,backupuser,user2,fred,rowland,administrator
Mapping seems like a far more
> practical solution.
No it isn't and it sort of misses one of the points of AD, a single
point of authority.
>
>
>>
>>>
>>> Any advice on how to proceed?
>>
>> Can we start with the smb.conf you are using now.
>
> Here's the part without the share definitions:
>
> # Global parameters
> [global]
> dns forwarder = 192.168.1.1
> netbios name = THELIBRARIAN
> realm = HOME.RAHIM-DALE.ORG
> server role = active directory domain controller
> workgroup = HOME
> idmap_ldb:use rfc2307 = yes
See below about the following lines:
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config HOME:backend = ad
> idmap config HOME:schema_mode = rfc2307
> idmap config HOME:range = 10000-999999
> idmap config HOME:unix_nss_info = yes
> idmap config HOME:unix_primary_group = yes
I will say this yet again, do not add 'idmap config' to a Samba AD DC's
smb.conf , they will do absolutely nothing.
> vfs objects = acl_xattr
Now that is a really, really big mistake. Whilst 'acl_xattr' is one of
the vfs objects used by a DC, you have just turned off the main one '
dfs_samba4'
> map acl inherit = yes
> store dos attributes = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/home.rahim-dale.org/scripts
> read only = No
>
> [Profiles]
> path = /home/samba/profiles
> read only = No
> create mask = 0777
> directory mask = 0777
> guest ok = Yes
> browseable = No
>
> [homes]
> comment = Home Directories
> valid users = %S
> create mask = 0700
> directory mask = 0700
> browseable = No
>
>>
>> What version of NFS are you using 3 or 4 ?
>
> nfsstat -s shows v4 but I'm using the v3 style settings in /etc/exports
> (e.g. /home/shares 192.168.1.0/24(rw,sync) ). I haven't set up
> anything that takes advantage of any v4 features. I note that there are
> options for using Kerberos in v4, which I'm guessing is where you are
> going...
>
Yep, you really should be using NFSv4, I wish Louis was still around, he
knew more about NFS than I do.
What I will say is this, you know all that knowledge you know about
Samba PDC's and the like, well, you should forget most of it, AD is
nothing like an NT4-style domain. Once you get your head around this and
start to use AD as it is meant to be used, you will realise just how
much easier it is to use. Just one point of maintenance, user, group and
computer wise.
Rowland
More information about the samba
mailing list