[Samba] clients not connecting to samba shares

Rowland Penny rpenny at samba.org
Sat Apr 1 15:48:37 UTC 2023



On 01/04/2023 16:15, Gary Dale via samba wrote:
>>
>> The problem is, you shouldn't really have Linux groups per se, you 
>> should have Windows groups that are also Linux groups i.e. everything 
>> is in AD.
> 
> That's not a great idea. It would mean I'd have to modify every Linux 
> system. 

Possibly

> And can Linux groups even have a domain let alone spaces in 
> their names (e.g. "home\Domain Users")?

Yes:

rowland@devstation:~$ getent group Domain\ Users
domain users:x:10513:krbtgt,dhcpduser,test,user1,backupuser,user2,fred,rowland,administrator


> Mapping seems like a far more
> practical solution.

No it isn't and it sort of misses one of the points of AD, a single 
point of authority.

> 
> 
>>
>>>
>>> Any advice on how to proceed?
>>
>> Can we start with the smb.conf you are using now.
> 
> Here's the part without the share definitions:
> 
> # Global parameters
> [global]
>          dns forwarder = 192.168.1.1
>          netbios name = THELIBRARIAN
>          realm = HOME.RAHIM-DALE.ORG
>          server role = active directory domain controller
>          workgroup = HOME
>          idmap_ldb:use rfc2307 = yes

See below about the following lines:

>          idmap config * : backend = tdb
>          idmap config * : range = 3000-7999
>          idmap config HOME:backend = ad
>          idmap config HOME:schema_mode = rfc2307
>          idmap config HOME:range = 10000-999999
>          idmap config HOME:unix_nss_info = yes
>          idmap config HOME:unix_primary_group = yes

I will say this yet again, do not add 'idmap config' to a Samba AD DC's 
smb.conf, they will do absolutely nothing.

>          vfs objects = acl_xattr

Now that is a really, really big mistake. Whilst 'acl_xattr' is one of 
the vfs objects used by a DC, you have just turned off the main one 
'dfs_samba4'.

>          map acl inherit = yes
>          store dos attributes = yes
> 
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> 
> [netlogon]
>          path = /var/lib/samba/sysvol/home.rahim-dale.org/scripts
>          read only = No
> 
> [Profiles]
>          path = /home/samba/profiles
>          read only = No
>          create mask = 0777
>          directory mask = 0777
>          guest ok = Yes
>          browseable = No
> 
> [homes]
>          comment = Home Directories
>          valid users = %S
>          create mask = 0700
>          directory mask = 0700
>          browseable = No
> 
>>
>> What version of NFS are you using 3 or 4 ?
> 
> nfsstat -s shows v4 but I'm using the v3 style settings in /etc/exports 
> (e.g. /home/shares    192.168.1.0/24(rw,sync) ). I haven't set up 
> anything that takes advantage of any v4 features. I note that there are 
> options for using Kerberos in v4, which I'm guessing is where you are 
> going...
> 

Yep, you really should be using NFSv4, I wish Louis was still around, he 
knew more about NFS than I do.

What I will say is this, you know all that knowledge you know about 
Samba PDCs and the like, well, you should forget most of it, AD is 
nothing like an NT4-style domain. Once you get your head around this and 
start to use AD as it is meant to be used, you will realise just how 
much easier it is to use. Just one point of maintenance, user, group and 
computer wise.

Rowland
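
The two [global] points made in the reply above, as an added example that is not part of the original message or of Samba's own tooling: a Python check that flags 'idmap config' lines and a 'vfs objects' line lacking dfs_samba4 when the server role is an AD DC. The function names and the sample text are constructed for illustration, and line continuations and include files are assumed not to be used.

```python
import re

# Constructed sample: part of the [global] section quoted in the message.
SAMPLE = """\
# Global parameters
[global]
        netbios name = THELIBRARIAN
        realm = HOME.RAHIM-DALE.ORG
        server role = active directory domain controller
        workgroup = HOME
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config HOME:backend = ad
        vfs objects = acl_xattr

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""

def parse_smb_conf(text):
    """Return {section: [(lineno, key, value)]}; names lowercased, spaces collapsed."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", " ", key.strip().lower())
            sections[current].append((lineno, key, value.strip()))
    return sections

def lint_dc_global(text):
    """Flag the two [global] mistakes from the reply; returns [(lineno, message)]."""
    glob = parse_smb_conf(text).get("global", [])
    role = [v.lower() for _, k, v in glob if k == "server role"]
    if "active directory domain controller" not in role:
        return []                                 # not a DC: checks do not apply
    findings = []
    for lineno, key, value in glob:
        if key.startswith("idmap config "):
            findings.append((lineno, "'idmap config' does nothing on an AD DC"))
        elif key == "vfs objects" and "dfs_samba4" not in value.lower().split():
            findings.append((lineno, "'vfs objects' set without dfs_samba4"))
    return findings

if __name__ == "__main__":
    for lineno, message in lint_dc_global(SAMPLE):
        print(f"line {lineno}: {message}")
```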




