Arnaud Cruzel via samba
2017-03-15 13:00:01 UTC
Hi everybody,
I have a samba server member for file sharing configured like below.
Domains controllers are on samba too.
Every servers are on samba 4.5.3.
When I created the domain I activated rfc2307.
Now I think rfc2307 was a bad idea...
My problem is that I'd like to allow users and computers to access to
the file server even if uidNumber is not set.
If I create an user without uidNumber, he is able to access to sysvol
(by exemple) on all DC without problems. But if he try to access to the
file server (from a Windows 10 client), he get an "Access refused".
I understand that the problem come from uidNumber not set. And I think
that the solution is in relation with idmap, winbind and rfc2307.
So I'm completely lost with those features : How can I disable
idmapping for get the same behavior on the file server than the Domain
controller ?
And if I do that, is the MacOS users will have problems to access to
the shares with afp protocol (netatalk).
I'd like this behavior to permit computers to access to shares for
installing application with GPO set on DC and applied to computers
instead of users section in the GPO.
Thanks
Below my smb.conf on the file server :
=========================================================
[global]
netbios name = FS1
security = ADS
workgroup = IFPOAD
realm = IFPOAD.IFPORIENT.ORG
log file = /var/log/samba/%m.log
log level = 1
interfaces=lo eth0
bind interfaces only=yes
server string = %h samba server
wins support = yes
# Default idmap config used for BUILTIN and local
accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config IFPOAD:backend = ad
idmap config IFPOAD:schema_mode = rfc2307
idmap config IFPOAD:range = 10000-99999
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind trusted domains only = no
winbind use default domain = yes
# Activation des attributs Etendus Windows
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# For Mac OS compatibility ?
unix extensions = no
# Spool d'impression
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
spoolss: architecture = Windows x64
veto files = /._*/.DS_Store/~*/
delete veto files = yes
[Shares]
path = /srv/samba/shares
read only = no
[home]
path = /home/samba
read only = no
[profile$]
path = /srv/samba/Profiles
read only = no
[deploy$]
path = /srv/samba/deploy
read only = no
[BkShares]
path = /srv/Backups/bkIFPO/shares
read only = no
[printers]
path = /var/spool/samba/
printable = yes
printing = CUPS
==========================================================
--
Arnaud Cruzel
Administrateur Système et Réseau
Institut français du Proche-Orient (Ifpo)
المعهد الفرنسي للشرق الأدنى
UMIFRE 6 - MAEDI - CNRS - USR 3135
Tél. Liban : +961 76 596 131
Tél. France : +33 6 67 51 68 50
***@ifporient.org
I have a samba server member for file sharing configured like below.
Domains controllers are on samba too.
Every servers are on samba 4.5.3.
When I created the domain I activated rfc2307.
Now I think rfc2307 was a bad idea...
My problem is that I'd like to allow users and computers to access to
the file server even if uidNumber is not set.
If I create an user without uidNumber, he is able to access to sysvol
(by exemple) on all DC without problems. But if he try to access to the
file server (from a Windows 10 client), he get an "Access refused".
I understand that the problem come from uidNumber not set. And I think
that the solution is in relation with idmap, winbind and rfc2307.
So I'm completely lost with those features : How can I disable
idmapping for get the same behavior on the file server than the Domain
controller ?
And if I do that, is the MacOS users will have problems to access to
the shares with afp protocol (netatalk).
I'd like this behavior to permit computers to access to shares for
installing application with GPO set on DC and applied to computers
instead of users section in the GPO.
Thanks
Below my smb.conf on the file server :
=========================================================
[global]
netbios name = FS1
security = ADS
workgroup = IFPOAD
realm = IFPOAD.IFPORIENT.ORG
log file = /var/log/samba/%m.log
log level = 1
interfaces=lo eth0
bind interfaces only=yes
server string = %h samba server
wins support = yes
# Default idmap config used for BUILTIN and local
accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config IFPOAD:backend = ad
idmap config IFPOAD:schema_mode = rfc2307
idmap config IFPOAD:range = 10000-99999
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind trusted domains only = no
winbind use default domain = yes
# Activation des attributs Etendus Windows
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# For Mac OS compatibility ?
unix extensions = no
# Spool d'impression
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
spoolss: architecture = Windows x64
veto files = /._*/.DS_Store/~*/
delete veto files = yes
[Shares]
path = /srv/samba/shares
read only = no
[home]
path = /home/samba
read only = no
[profile$]
path = /srv/samba/Profiles
read only = no
[deploy$]
path = /srv/samba/deploy
read only = no
[BkShares]
path = /srv/Backups/bkIFPO/shares
read only = no
[printers]
path = /var/spool/samba/
printable = yes
printing = CUPS
==========================================================
--
Arnaud Cruzel
Administrateur Système et Réseau
Institut français du Proche-Orient (Ifpo)
المعهد الفرنسي للشرق الأدنى
UMIFRE 6 - MAEDI - CNRS - USR 3135
Tél. Liban : +961 76 596 131
Tél. France : +33 6 67 51 68 50
***@ifporient.org
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba