Hi I have updated a samba AD memeber server to 3.0.23b in an environment, where all Usernames are available in the AD and in NIS.
With 3.0.21b if I create a file with windows on a samba share and open the security dialog, samba shows the DOM\USERNAME string as owner of the file. With 3.0.23b only the SID+RID of the user is shown. The SID is the SID of the Samba-server. If I add the domain-user USERNAME2 with the security dialog, this user ist shown as DOM\USERNAME2 until I reopen the security dialog. Then I see alos the SID-RID If I stop winbind and do the same procedure I get Unix User/USERNAME1 for the owner of the file in the dialog If I give another user USERNAME2 access to this file and reopen the security dialog, the entry is not shown. To make it work with samba-3.0.21b we had this setting in smb.conf (winbindd running) With this settings in the Windows file-dialog all users appear DOM\USERNAME and in Unix teh ACL's show the correct NIS Unix Users idmap uid = 10000-10000 idmap gid = 10000-10000 winbind use default domain = Yes winbind trusted domains only = Yes Is it possible to make this work again with 3.0.23b? (I know that the zero uid and gid range might be brain damaged, but with this settings it works fine on both sides) Greetings Hansjörg Gerald (Jerry) Carter wrote: > ============================================================== > "Where does he get those wonders toys?" > -- The Joker (Batman 1989) > ============================================================== > Release Announcements > ===================== > > This is the latest stable release of Samba. This is the version > that production Samba servers should be running for all current > bug-fixes. Please read the changes in this section and for the > original 3.0.23 release regarding new features and difference > in behavior from previous releases. > > Common bugs fixed in 3.0.23b include: > > o Ambiguity with unqualified names in smb.conf parameters > such as "force user" and "valid users". > o Errors in 'net ads join' caused by bad IP address in the list > of domain controllers. > o SMB signing errors in the client and server code. > o Domain join failures when using smbpasswd on a Samba PDC. > > > Member servers, domain accounts, and smb.conf > ============================================= > > Since Samba 3.0.8, it has been recommended that all domain > accounts listed in smb.conf on a member server be fully > qualified with the domain name. This is now a requirement. > All unqualified names are assumed to be local to the Unix > host, either as part of the server's local passdb or in the > local system list of accounts (e.g. /etc/passwd or /etc/group). > > The reason for this change is that smbd has transitioned from > access checks based on string comparisons to token based > authorization. All names are resolved to a SID and then > verified against the logged on user's NT user token. Local > names will resolve to a local SID, while qualified domain > names will resolve to the appropriate domain SID. > > If the member server is not running winbindd at all, domain > accounts will be implicitly mapped to local accounts and their > tokens will be modified appropriately to reflect the local > SID and group membership. > > For example, the following share will restrict access to the > domain group "Linux Admins" and the local group srvadmin. > > [restricted] > path = /data > valid users = +"DOMAIN\Linux Admins" +srvadmin > > Note that to restrict the [homes] share on a member server to the > owner of that directory, it is necessary to prefix the %S value > to "valid users". > > [global] > security = {domain,ads} > workgroup = DOM > winbind separator = + > [homes] > valid users = DOM+%S > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba