Dear Mathieu,
>>> Why your UNIX groups don't match your Windows groups? This is usually
>>> the case, with nss_winbind.
>>
>> My site is mainly Linux; we have secondary groups in the /etc/group
>> file. ...
>>
>>> Alternatively, you can reverse the logic with idmap_nss.
>>
>> I tried that, did not seem to help.
>
> And have you tried "winbind use default domain = yes"?
Yes I did, and it did not help: even with that setting, "strace" shows
that samba does
setresuid(1001, 1001, -1)
with the UNIX UID/GID, but then also does
setgroups(7, [3000031, 100, 3000009, 3000013, 3000014, 3000003, 3000018])
with the "Windows group" GIDs. That supplementary group list is evidently
not taken from /etc/group (the 3000000+ numbers look like the DC's own
allocated IDs), so file-permission checks on the shares are made against
those groups, not against our UNIX secondary groups. (The above was when
a Windows 10 PC did a "map network drive" connecting to a share.)
> Can you post your (redacted) smb.conf?
Below, as was during the test with "winbind use default domain = yes",
in its entirety.
Cheers, Paul
--
Paul Szabo [email protected] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
# Based on Debian "Sample configuration" for version 4.5.12 ,
# and on configuration we had for rome/bianco at version 3.6.25 .
# See documentation:
# www.samba.org/samba/docs/3.6/man-html/smb.conf.5.html
# www.samba.org/samba/docs/4.5/man-html/smb.conf.5.html
# www.samba.org/samba/docs/current/man-html/smb.conf.5.html
#========== Global Settings ==========
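[global]
# Server role: "standalone server" or "active directory domain controller".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
# server role = standalone server
server role = active directory domain controller
### To be "realm = ROMEGROUP.maths.usyd.edu.au" or BIANCOGROUP.maths.usyd.edu.au
realm = P639GROUP.maths.usyd.edu.au
### To be "workgroup = ROMEGROUP" or BIANCOGROUP
workgroup = P639GROUP
# Do not need:
#netbios name = P639
preferred master = yes
domain master = yes
local master = yes
### On rome to be "os level = 65", on bianco to be "os level = 63"
os level = 61
### On rome only, to be "wins support = yes"
# wins support = no
### On rome only, "wins server" to be un-set
wins server = rome.maths.usyd.edu.au
### On rome only, to be "time server = yes"
# time server = yes
# We do not have xattr, see:
# https://wiki.samba.org/index.php/File_System_Support#Testing_your_filesystem
#posix:eadb = /etc/samba/private/eadb.tdb
# or as set by "samba-tool domain provision" if run without a smb.conf file:
#xattr_tdb:file = /var/lib/samba/xattr.tdb
# NOTE(review): this tdb stands in for filesystem xattrs, which is where
# Samba keeps the NT ACLs of the shares. Whoever can write it can rewrite
# share ACLs, so it must stay root-only like the rest of "private dir".
xattr_tdb:file = /etc/samba/private/xattr.tdb
name resolve order = wins lmhosts bcast host
# Do not search for NetBIOS names through DNS.
dns proxy = no
dns forwarder = 129.78.69.129
# Reverse-resolve the client so that %M (used in the logger lines below)
# carries a name. The PTR record belongs to whoever runs the client's
# reverse zone: treat %M as client-supplied text, not as an identity.
hostname lookups = yes
### On bianco use "hosts allow = ..."
### hosts allow = p8268.pc.maths.usyd.edu.au p709.pc.maths.usyd.edu.au p826jm.pc.maths.usyd.edu.au p6392.pc.maths.usyd.edu.au 129.78.69.0/255.255.255.192
security = USER
##### Seems that
##### default auth method list for server role = 'active directory domain controller'
##### is
##### auth methods = trustdomain ntdomain guest sam sam_ignoredomain winbind unix wbc samba4
# NOTE(review): pinning the method list on a DC is unusual; the default
# chain quoted above includes the winbind and samba4 backends and this
# list drops them. Check with testparm and an "auth:10" log that domain
# logons still reach the intended backend before relying on this.
auth methods = guest sam
# NTLMv1. Samba 4.5 ships with this off by default; "yes" re-enables the
# weak NTLMv1/LM responses for every client. Windows 7 and 10 speak
# NTLMv2 by default (LmCompatibilityLevel 3), so they do not need the
# downgrade. Keep it off; only switch it on for a client that is shown
# (in the auth log) to fail with it off, and then only until it is fixed.
# ntlm auth = yes
ntlm auth = no
# Keep things in a "well-known" place.
# This directory holds secrets.tdb and sam.ldb (domain secrets, password
# hashes): root-owned, mode 0700, and kept out of ordinary backups.
private dir = /etc/samba/private
# Would want old smbpasswd in proper place.
# But, it seems that smbpasswd is not used with and AD DC: even with
# setting "passdb backend = smbpasswd", the .../bin/smbpasswd command
# would update file ##### ???, instead.
# passdb backend = smbpasswd:/etc/samba/private/smbpasswd
# Could we use "pdbedit -i smbpasswd -e xyz" to convert?
# We create users and machines "manually" with smbpasswd: no PAM, no password sync
# Different from 3.6.25 and contrary(?!) to documentation, we seem to have:
# %U %G : Unix user, group
# %u %g : Windows user, group
# e.g.:
# U=psz G=amstaff u=P639GROUP\psz g=users
# U= G=%G u=NT_AUTHORITY\ANONYMOUS_LOGON g=3000013
# U= G=? u=smbguest g=?
# U=P6392_ G=? u=P639GROUP\p6392_ g=?
domain logons = yes
logon drive = h:
logon home = \\%L\home
logon path = \\%L\profile\.profiles
# NOTE(review): per the observations above, %g is sometimes a numeric id
# such as 3000013, which would look for "3000013.bat". The 3.6.25 config
# used "%G.bat"; confirm which of the two names the intended script here.
logon script = %g.bat
utmp = yes
invalid users = root
guest account = smbguest
# This is the default for every share that does not set its own
# "guest ok": sysvol, sms and local below inherit it. "map to guest =
# Never" only stops a failed login from being turned into guest; it does
# not stop an explicit anonymous session from using a "guest ok" share.
guest ok = yes
### On rome to be "map to guest = Bad User"
map to guest = Never
# We may have some files shared from NFS mounts
posix locking = no
unix extensions = no
# Symlinks inside a share are followed even when they point outside the
# share path. The connection runs as the authenticated user's UID, so a
# user cannot read more than his UNIX account already could, but the
# share path no longer confines the writable shares (home, profile,
# nobackup). Needed here for the NFS/symlinked layout; keep it in mind
# before adding any share that is served under a different identity.
wide links = yes
mangled names = no
case sensitive = no
map archive = no
map hidden = no
map system = no
strict locking = no
dont descend = /proc,/dev
csc policy = disable
deadtime = 15
log file = /var/log/samba/log.%m
max log size = 100
# Sensible logging levels
#logging = syslog@1 file@2
#logging = syslog@0 file
logging = file
debug pid = yes
debug uid = yes
### debug
# log level = auth:10 sam:10 tdb:5
# log level = auth:10 smb:10 vfs:10 idmap:10 acls:10 msdfs:10
# log level = 1 tdb:10 printdrivers:1 lanman:10 smb:10 rpc_parse:1 rpc_srv:1 rpc_cli:1 passdb:10 sam:10 auth:10 winbind:10 vfs:10 idmap:10 quota:10 acls:10 locking:10 msdfs:10 dmapi:10 registry:10
# max log size = 10000
# log level = 10
# Each of these must be a single line: smb.conf has no indentation-based
# continuation, a wrapped remainder is read as a badly formed line and
# the command is truncated. %u %m %M %I %S %f are substituted from what
# the client presented (or from reverse DNS); Samba sanitises them before
# they reach the shell, but keep these to plain logging and do not lift
# them into "root preexec".
# "U=" is meant to log the session user (%U); the earlier line printed %u twice.
preexec = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Connect %S for %u (u=%u g=%g U=%U G=%G) from %m (%M, %I)'
postexec = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Disconnect %S for %u from %m (%M, %I)'
message command = /bin/sh -c '/usr/bin/mailx -s "message from %f (%u) on %m (%M, %I)" psz < %s; /bin/rm %s'
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
# Seems CUPS is default anyway (we used LPRNG at 3.6.25)
# printing = CUPS
# No include, but have separate "static" files for rome and bianco
# include = /home/samba/etc/smb.conf.%m
# Settings for winbind
#####
# Only strips the "P639GROUP\" prefix from names; it has no effect on
# which GIDs winbind hands to setgroups().
winbind use default domain = yes
# NOTE(review): "idmap config" is not consulted when the server role is
# AD DC, so these would be ignored even when uncommented. The DC maps
# SIDs through idmap.ldb, and the 3000xxx GIDs seen in the setgroups()
# trace are consistent with its auto-allocated xidNumbers rather than
# /etc/group. To have the AD groups carry the /etc/group GIDs, give them
# a gidNumber attribute in AD and set "idmap_ldb:use rfc2307 = yes".
#idmap config * : backend = nss
#idmap config * : range = 100-65535
# Leave usershare disabled (as default)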
#========== Share Definitions ==========
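[sysvol]
path = /var/lib/samba/sysvol
read only = No
browseable = no
# sysvol carries the group policy objects and scripts that domain
# members fetch and apply; it must never be reachable as guest. The
# global section sets "guest ok = yes" as the default for all shares,
# and this writable share did not override it, so override it here.
guest ok = no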
[netlogon]
comment = Network Logon Service
path = /etc/samba/netlogon
# Logon scripts fetched from here run on the client at logon: read-only,
# not browsable, and never guest-accessible.
browsable = no
guest ok = no
read only = yes
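[profile]
comment = Above your .profiles
# %g/%u form the directory; per the examples in [global], %g is
# sometimes a numeric id rather than a group name on this version.
path = /users/%g/%u
# For "captive" accounts, might use "path = /usr/sms/win/profile/%g/%u" (as was on rome)
guest ok = no
writeable = yes
browseable = no
# Roaming profiles are private to their owner.
create mask = 0600
directory mask = 0700
force create mode = 0600
force directory mode = 0700
# Each of these must stay on one line: a wrapped remainder is read as a
# badly formed line and the command is truncated. setup-profile and
# unset-profile receive a path built from the substituted %g/%u and run
# as the connecting user, not as root.
# "U=" logs the session user (%U); the earlier line printed %u twice.
preexec = sh -c "/usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Connect %S for %u (u=%u g=%g U=%U G=%G) from %m (%M, %I)'; /usr/sms/sbin/setup-profile /users/%g/%u/.profiles"
postexec = sh -c "/usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Disconnect %S for %u from %m (%M, %I)'; /usr/sms/sbin/unset-profile /users/%g/%u/.profiles"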
# We use home, not the special homes
[home]
comment = Your (p639) home directory
# %g/%u form the directory; per the examples in [global], %g is
# sometimes a numeric id rather than a group name on this version.
path = /users/%g/%u
guest ok = no
browsable = yes
read only = no
# Hide the Windows recycle bin directory from listings.
veto files = /$RECYCLE.BIN/
[nobackup]
comment = Your (p639) nobackup directory
path = /nb/%u
guest ok = no
read only = no
### On rome only
#[wwwfd]
# comment = Your web front directory (personal web pages)
# path = /users/misc/httpd/htdocs/u/%u
# guest ok = no
# writeable = yes
[sms]
comment = UNIX /usr/sms
path = /usr/sms
# Read-only by default. No "guest ok" of its own, so the global
# "guest ok = yes" applies and guest/anonymous sessions can read it.
### On bianco to be "writeable = yes"
# writeable = yes
[local]
comment = UNIX /usr/sms (please use sms)
path = /usr/sms
# Alias of [sms]. Read-only by default; no "guest ok" of its own, so the
# global "guest ok = yes" applies and guest/anonymous sessions can read it.
### On bianco to be "writeable = yes"
# writeable = yes
## We do not use anymore
#[handin]
# comment = Use L:\win\bin\handin.bat to access
# path = /users/%g/%u
# guest ok = no
# preexec = sh -c "/usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Connect
%S for %u from %m (%M, %I)'; ( cd /users/%g/%u; /usr/sms/sbin/handin-samba; )
2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I; exit 1"
# preexec close = yes
### On bianco only
#[shared]
# comment = Shared (admin writeable) files
# path = /users/misc/shared
# writeable = yes
# create mask = 0660
# directory mask = 0770
# force create mode = 0660
# force directory mode = 0770
[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
# Clients submit print jobs only, never files: keep the share read-only,
# hidden and non-guest; the 0700 mask keeps spool files private to
# their owner.
browsable = no
guest ok = no
read only = yes
create mask = 0700
# Printer drivers for clients
# We do not carry drivers anymore, but let client choose
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
# Drivers served from here are installed and run on every client that
# picks them up: stay read-only, and if a write list is ever enabled,
# keep it to trusted admins.
browsable = yes
guest ok = no
read only = yes
# write list = psz
## We do not use anymore
#[lab]
# comment = Default (nearest) lab printer
# path = /tmp
# printable = yes
# print command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lpr -lab
%s for %u from %m (%M, %I)'; DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lpr
-lab %s 2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I; /bin/rm
%s
# lpq command = DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lpq -lab
# lprm command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lprm -lab
%j for %u from %m (%M, %I)'; DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lprm
-lab %j 2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I
#[nearest]
# comment = Default (nearest) printer
# path = /tmp
# printable = yes
# print command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lpr %s
for %u from %m (%M, %I)'; DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lpr %s
2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I; /bin/rm %s
# lpq command = DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lpq
# lprm command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lprm %j
for %u from %m (%M, %I)'; DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lprm %j
2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I
## Seems there is no need
#[IPC$]
# path = /tmp
# invalid users = root
# ========== Old settings, for the record ==========
#####
# For the record, at 3.6.25, settings on rome (and bianco ##) were:
#[global]
# workgroup = ROMEGROUP
# os level = 65
## workgroup = BIANCOGROUP
## os level = 63
# preferred master = Yes
# domain master = Yes
# local master = Yes
# hostname lookups = Yes
## hosts allow = p8268.pc.maths.usyd.edu.au p709.pc.maths.usyd.edu.au
p826jm.pc.maths.usyd.edu.au p6392.pc.maths.usyd.edu.au
129.78.69.0/255.255.255.192
# security = USER
# allow trusted domains = No
# restrict anonymous = 0
# encrypt passwords = Yes
# max protocol = SMB2
# passdb backend = smbpasswd
# unix password sync = No
# passwd program = /disabled
# invalid users = root
# writeable = No
# wide links = Yes
# guest account = smbguest
# guest ok = Yes
# map to guest = Bad User
## map to guest = Never
# browseable = Yes
# domain logons = Yes
# logon drive = h:
# logon home = \\%L\home
# logon path = \\%L\profile\.profiles
# logon script = %G.bat
# printing=LPRNG
# printcap name = /etc/printcap
# print command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lpr -P%p
%s for %u from %m (%M, %I)'; /usr/sms/bin/lpr -P%p %s 2>&1 |
/usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I; /bin/rm %s
# lpq command = /usr/sms/bin/lpq -P%p
# lprm command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lprm -P%p
%j for %u from %m (%M, %I)'; /usr/sms/bin/lprm -P%p %j 2>&1 |
/usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I
# printer admin = psz
# printer name = %m
# load printers = No
# preload = c0lw c0lw-1 c0lw-m c0lw-s colw colw-1 colw-m colw-s fdlw
fdlw-1 fdlw-m fdlw-s gllw gllw-1 gllw-m gllw-s eslw eslw-1 eslw-m eslw-s mslw
mslw-1 mslw-m mslw-s mclw mclw-1 mclw-m mclw-s njlw njlw-1 njlw-m njlw-s o7lw
o7lw-1 o7lw-1-x o7lw-m o7lw-s o7lw-x otlw otlw-1 otlw-m otlw-s oclw oclw-1
oclw-m oclw-s p6lw p6lw-1 p6lw-m p6lw-s pglw pglw-1 pglw-m pglw-s r5lw r5lw-1
r5lw-1-x r5lw-m r5lw-s r5lw-x r7lw r7lw-1 r7lw-1-x r7lw-m r7lw-s r7lw-x rzlw
rzlw-1 rzlw-m rzlw-s s0lw s0lw-1 s0lw-m s0lw-s solw solw-1 solw-m solw-s stlw
# deadtime = 600
# lock directory = /usr/sms.host/samba/n/locks/
# log file = /usr/sms.host/samba/n/logs/log.%M
# max log size = 50
# utmp = Yes
# mangled names = No
# case sensitive = No
# map archive = No
# map hidden = No
# map system = No
# message command = /bin/sh -c '/usr/bin/mailx -s "message from %f (%u)
on %m (%M, %I)" psz < %s; /bin/rm %s'
# preexec = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Connect %S for
%u from %m (%M, %I)'
# postexec = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Disconnect %S
for %u from %m (%M, %I)'
# debug pid = Yes
# debug uid = Yes
# level2 oplocks = Yes
# strict locking = no
# unix extensions = no
# socket options = TCP_NODELAY
# wins support = Yes
## #wins support = Yes
## wins server = rome.maths.usyd.edu.au
# name resolve order = wins lmhosts bcast host
# time server = Yes
## #time server = Yes
# dont descend = /proc,/dev
# csc policy = disable
#[netlogon]
# comment = Network Logon Service
# path = /usr/sms.host/samba/n/netlogon
# writable = No
# guest ok = No
#[profile]
# comment = Above your .profiles (either home or template directory)
# path = /usr/sms/win/profile/%g/%u
## path = /users/%g/%u
# guest ok = No
# writeable = Yes
# create mask = 0600
# directory mask = 0700
# force create mode = 0600
# force directory mode = 0700
# preexec = sh -c "/usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Connect
%S for %u from %m (%M, %I)'; /usr/sms/sbin/setup-profile /users/%g/%u/.profiles"
# postexec = sh -c "/usr/bin/logger -pdaemon.info -t 'samba[%d]'
'Disconnect %S for %u from %m (%M, %I)'; /usr/sms/sbin/unset-profile
/users/%g/%u/.profiles"
# posix locking = No
## #posix locking = No
#[home]
# comment = Your (rome/dora) home directory
## comment = Your (bianco) home directory
# path = /users/%g/%u
# guest ok = No
# writeable = Yes
# posix locking = No
## #posix locking = No
# veto files = /$RECYCLE.BIN/
#[nobackup]
# comment = Your (rome/dora) nobackup directory
## comment = Your (bianco) nobackup directory
# path = /nb/%u
# guest ok = No
# writeable = Yes
# posix locking = No
## #posix locking = No
#[wwwfd]
# comment = Your web front directory (personal web pages)
# path = /users/misc/httpd/htdocs/u/%u
# guest ok = No
# writeable = Yes
## #No [wwwfd]
#[sms]
# comment = UNIX /usr/sms
# path = /usr/sms
# posix locking = No
## writable = Yes
#[local]
# comment = UNIX /usr/sms (please use sms)
# path = /usr/sms
# posix locking = No
## #posix locking = No
## writable = Yes
#[handin]
# comment = Use L:\win\bin\handin.bat to access
# path = /users/%g/%u
# guest ok = No
# preexec = sh -c "/usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Connect
%S for %u from %m (%M, %I)'; ( cd /users/%g/%u; /usr/sms/sbin/handin-samba; )
2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I; exit 1"
# preexec close = Yes
# posix locking = No
## #No [handin]
##[shared]
## comment = Shared (admin writable) files
## path = /users/misc/shared
## writeable = Yes
## create mask = 0660
## directory mask = 0770
## force create mode = 0660
## force directory mode = 0770
#[printers]
# comment = UNIX printers
# path = /tmp
# printable = Yes
#[lab]
# comment = Default (nearest) lab printer
# path = /tmp
# printable = Yes
# print command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lpr -lab
%s for %u from %m (%M, %I)'; DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lpr
-lab %s 2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I; /bin/rm
%s
# lpq command = DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lpq -lab
# lprm command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lprm -lab
%j for %u from %m (%M, %I)'; DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lprm
-lab %j 2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I
#[nearest]
# comment = Default (nearest) printer
# path = /tmp
# printable = Yes
# print command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lpr %s
for %u from %m (%M, %I)'; DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lpr %s
2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I; /bin/rm %s
# lpq command = DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lpq
# lprm command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lprm %j
for %u from %m (%M, %I)'; DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lprm %j
2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I
#[print$]
# comment = Printer drivers
# path = /usr/sms.host/samba/n/print
# browseable = Yes
# write list = psz
#[IPC$]
# path = /tmp
# invalid users = root
#####