[Samba] access "claim types"
Stefan G. Weichinger
lists at xunil.at
Fri Feb 10 06:50:36 UTC 2023
Samba 4.17.3 on Debian 11.6
[global]
unix charset = iso8859-15
security = ads
realm = COMP.INTRA
workgroup = COMP
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind cache time = 10
winbind use default domain = yes
winbind refresh tickets = Yes
template homedir = /mnt/MSA2040/smb/Homes/%D/%U
domain master = no
local master = no
preferred master = no
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config NORAS : range = 10000-20000
idmap config NORAS : backend = rid
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
# For ACL support on domain member
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes
inherit acls = yes
unix extensions = no
follow symlinks = yes
wide links = yes
load printers = no
printcap name = /dev/null
acl allow execute always = True
# Audit settings
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = mkdirat read pread write pwrite renameat unlinkat
full_audit:facility = local5
full_audit:priority = notice
log level = 1
min domain uid = 0
---
(I even noticed that this config was improved in 2019 after some thread
in here ;-))
Issues:
Their external Windows admin tries to edit ACLs etc. by accessing them
from their DC, a Windows 2016 server.
And in editing Security Settings he gets something like
no connection to AD to access or check claim types
(I translated this from the German error text ... not the exact English
text)
Any hints for me?
Yes, we plan to upgrade to 4.17.5 ASAP as well.
Thanks, Stefan