[Samba] access "claim types"
Stefan G. Weichinger
lists at xunil.at
Fri Feb 10 07:44:00 UTC 2023
On 10.02.23 at 07:50, Stefan G. Weichinger via samba wrote:
>
> Samba 4.17.3 on Debian 11.6
>
> [global]
> unix charset = iso8859-15
>
> security = ads
> realm = COMP.INTRA
> workgroup = COMP
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind cache time = 10
> winbind use default domain = yes
> winbind refresh tickets = Yes
>
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
>
> domain master = no
> local master = no
> preferred master = no
>
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config NORAS : range = 10000-20000
> idmap config NORAS : backend = rid
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/samba_usermapping
>
> # For ACL support on domain member
> vfs objects = acl_xattr full_audit
> map acl inherit = Yes
> store dos attributes = Yes
> inherit acls = yes
>
> unix extensions = no
> follow symlinks= yes
> wide links= yes
>
> load printers = no
> printcap name = /dev/null
>
> acl allow execute always = True
>
> # Audit settings
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = mkdirat read pread write pwrite renameat unlinkat
> full_audit:facility = local5
> full_audit:priority = notice
>
> log level = 1
>
> min domain uid=0
>
> ---
>
> (I even noticed that this config was improved in 2019 after some thread
> in here ;-))
>
> issues:
>
> Their external Windows admin tries to edit ACLs etc. by accessing them
> from their DC, a Windows 2016 server.
>
> And in editing Security Settings he gets something like
>
> no connection to AD to access or check claim types
>
> (I translated this from the German error text ... not the exact English
> text)
Maybe this is the same issue I already had at another customer.
The thread was named "editing samba-share ACLs etc from Windows"
and it was that "Administrator" vs. "root" issue.
-
Now I am investigating ... trying not to break things.
For sure there is a bit of a mess: some shares are owned by
Administrator, some by root (also shares where I get the same error
messages).