Hi

On 09.03.20 at 16:32, Rowland penny via samba wrote:
> On 09/03/2020 14:25, Andreas Hauffe via samba wrote:
>> [global]
>>         dedicated keytab file = /etc/krb5.keytab
>>         kerberos method = secrets and keytab
> Why the dedicated keytab ?

We have a kerberized NFS4 running on that machine, too.

>
>> workgroup = ILRW
>>         idmap config dom : range = 10000-9999999
>>         idmap config dom : backend = rid
>>         idmap config subdom : range = 3000-9999
>>         idmap config subdom : backend = rid
>
> I take it that either 'dom' or 'subdom' is really 'ILRW', if not why not ?

This was an error during anonymization of the smb.conf. So "workgroup = SUBDOM" is the correct smb.conf entry in this case.

> Rowland
>
>

Andreas
On 10/03/2020 08:03, Andreas Hauffe via samba wrote:
> We have a kerberized NFS4 running on that machine, too.

I do hope that you are not resharing the NFS share(s) via Samba, that way lies madness ;-)

Try this smb.conf:

[global]
        workgroup = SUBDOM
        realm = SUBDOM.DOM.EXAMPLE.COM
        security = ADS

        bind interfaces only = Yes
        interfaces = lo enp1s0f0
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind refresh tickets = Yes
        idmap config SUBDOM : range = 3000-9999
        idmap config SUBDOM : backend = rid
        idmap config * : range = 2000-2999
        idmap config * : backend = tdb
        template homedir = /home/users/linux/%U
        template shell = /bin/bash
        map acl inherit = Yes
        vfs objects = acl_xattr
        smb encrypt = desired

        recycle:exclude_dir = tmp | temp | cache
        recycle:exclude = *.TMP | *.tmp | ~$*.doc
        recycle:noversions = *.ini | *.dat
        recycle:versions = Yes
        recycle:maxsize = 536870912
        recycle:touch = Yes
        recycle:keeptree = Yes
        recycle:directory_mode = 0700
        recycle:repository = %H/.Papierkorb/%S

[share1]
        comment = Share 1
        create mask = 0740
        directory mask = 0750
        force create mode = 0660
        force directory mode = 0660
        force group = SUBDOM\worker
        inherit permissions = Yes
        path = PATHNAME
        read only = No
        root preexec = /bin/MK_PAPIERKORB %H "%u" %h %S
        valid users = SUBDOM\worker
        vfs objects = acl_xattr recycle crossrename

[share2]
        comment = Share 2
        inherit acls = Yes
        path = PATHNAME
        read only = No
        valid users = SUBDOM\worker SUBDOM\user
        acl_xattr:ignore system acls = yes

[share3]
        comment = Share 3
        create mask = 0660
        directory mask = 0770
        force create mode = 0660
        force directory mode = 0770
        force group = SUBDOM\group2
        path = PATHNAME
        read only = No
        root preexec = /bin/MK_PAPIERKORB %H "%u" %h %S
        valid users = SUBDOM\group2
        vfs objects = acl_xattr recycle crossrename

[share4]
        comment = Share 4
        path = PATHNAME
        valid users = SUBDOM\group2 SUBDOM\group3 SUBDOM\group4

You will notice a few things:

'dom' has gone, whilst allowing it as a trusted domain, you were not allowing the 'dom' users to actually do anything.

'winbind separator = +' has gone, there is no real point to it and 'testparm' throws a warning.

As you are using the same recycle lines, you only need to set them once in [global] and set the recycle vfs in the required shares.

I would also check that /etc/krb5.keytab contains all the required keys.

Rowland
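The idmap changes in the two posts above (dropping the 'dom' range, keeping SUBDOM on 3000-9999, and adding an 'idmap config *' default on 2000-2999) are the kind of thing that is easy to get wrong in a way winbind only complains about at runtime: a missing default domain, two domains whose ID ranges overlap (two SIDs mapped to one uid/gid), or a range that reaches down into local system accounts. The script below is an added example, not code from the thread or from Samba; it parses the 'idmap config' lines of an smb.conf and reports those problems. The two config strings are constructed from the lines quoted in the thread, and the 999 boundary for local system IDs is an assumption (a typical UID_MIN of 1000).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap-related [global] lines from the smb.conf
# suggested in the thread above (not a copy of anyone's real file).
SUGGESTED_CONF = """
[global]
        workgroup = SUBDOM
        realm = SUBDOM.DOM.EXAMPLE.COM
        security = ADS
        idmap config SUBDOM : range = 3000-9999
        idmap config SUBDOM : backend = rid
        idmap config * : range = 2000-2999
        idmap config * : backend = tdb
"""

# Constructed sample shaped like the first config in the thread: two RID
# domains and no '*' default domain.
ORIGINAL_CONF = """
[global]
        workgroup = SUBDOM
        idmap config dom : range = 10000-9999999
        idmap config dom : backend = rid
        idmap config subdom : range = 3000-9999
        idmap config subdom : backend = rid
"""

# Matches 'idmap config <domain> : <key> = <value>'; whitespace around the
# colon and the equals sign is optional, as in smb.conf itself.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap settings per domain; domain names are case-insensitive."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":  # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("dom").upper()
            domains.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return domains


def parse_range(val: str) -> Tuple[int, int]:
    """'3000-9999' or '3000 - 9999' -> (3000, 9999); raises ValueError otherwise."""
    low, high = (int(part) for part in val.replace(" ", "").split("-"))
    return low, high


def check_idmap(conf: str, reserved_max: int = 999) -> List[str]:
    """Return human-readable problems; an empty list means the idmap layout is clean.

    reserved_max is an assumption: IDs up to 999 are treated as local system
    accounts that no idmap range should reach into.
    """
    problems: List[str] = []
    domains = parse_idmap(conf)

    # winbind needs a default domain for BUILTIN and for SIDs of unknown domains.
    if "*" not in domains:
        problems.append("missing default domain: no 'idmap config * : backend/range'")

    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, settings in sorted(domains.items()):
        if "backend" not in settings:
            problems.append(f"{dom}: range set but no backend")
        if "range" not in settings:
            problems.append(f"{dom}: backend set but no range")
            continue
        try:
            low, high = parse_range(settings["range"])
        except ValueError:
            problems.append(f"{dom}: malformed range {settings['range']!r}")
            continue
        if low >= high:
            problems.append(f"{dom}: empty range {low}-{high}")
            continue
        if low <= reserved_max:
            problems.append(f"{dom}: range {low}-{high} reaches into local IDs 0-{reserved_max}")
        ranges[dom] = (low, high)

    # Two domains sharing an ID would map different SIDs onto one uid/gid.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"{a} {a_lo}-{a_hi} overlaps {b} {b_lo}-{b_hi}")
    return problems


if __name__ == "__main__":
    for name, conf in (("suggested", SUGGESTED_CONF), ("original", ORIGINAL_CONF)):
        found = check_idmap(conf)
        print(f"{name}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```

Run against the suggested config the script reports nothing; against the shape of the first config it reports only the missing '*' default, since the 'dom' and 'subdom' ranges did not actually overlap. To check a live file, pass the contents of /etc/samba/smb.conf (or the output of 'testparm -s') to check_idmap.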
Thanks, I will give that a try. But I need the 'winbind separator = +'. We use some expensive commercial software (e.g. ANSYS, ABAQUS, ...), which uses shell scripts to start their software under Linux. These scripts are not able to handle a backslash in the user name. The only solution was to switch to a "+" character. We reported these issues two years ago.

Regards,
Andreas

On 10.03.20 at 10:23, Rowland penny via samba wrote:
> On 10/03/2020 08:03, Andreas Hauffe via samba wrote:
>> We have a kerberized NFS4 running on that machine, too.
> I do hope that you are not resharing the NFS share(s) via Samba, that
> way lies madness ;-)
>
> Try this smb.conf:
>
> [global]
>         workgroup = SUBDOM
>         realm = SUBDOM.DOM.EXAMPLE.COM
>         security = ADS
>
>         bind interfaces only = Yes
>         interfaces = lo enp1s0f0
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         winbind refresh tickets = Yes
>         idmap config SUBDOM : range = 3000-9999
>         idmap config SUBDOM : backend = rid
>         idmap config * : range = 2000-2999
>         idmap config * : backend = tdb
>         template homedir = /home/users/linux/%U
>         template shell = /bin/bash
>         map acl inherit = Yes
>         vfs objects = acl_xattr
>         smb encrypt = desired
>
>         recycle:exclude_dir = tmp | temp | cache
>         recycle:exclude = *.TMP | *.tmp | ~$*.doc
>         recycle:noversions = *.ini | *.dat
>         recycle:versions = Yes
>         recycle:maxsize = 536870912
>         recycle:touch = Yes
>         recycle:keeptree = Yes
>         recycle:directory_mode = 0700
>         recycle:repository = %H/.Papierkorb/%S
>
> [share1]
>         comment = Share 1
>         create mask = 0740
>         directory mask = 0750
>         force create mode = 0660
>         force directory mode = 0660
>         force group = SUBDOM\worker
>         inherit permissions = Yes
>         path = PATHNAME
>         read only = No
>         root preexec = /bin/MK_PAPIERKORB %H "%u" %h %S
>         valid users = SUBDOM\worker
>         vfs objects = acl_xattr recycle crossrename
>
> [share2]
>         comment = Share 2
>         inherit acls = Yes
>         path = PATHNAME
>         read only = No
>         valid users = SUBDOM\worker SUBDOM\user
>         acl_xattr:ignore system acls = yes
>
> [share3]
>         comment = Share 3
>         create mask = 0660
>         directory mask = 0770
>         force create mode = 0660
>         force directory mode = 0770
>         force group = SUBDOM\group2
>         path = PATHNAME
>         read only = No
>         root preexec = /bin/MK_PAPIERKORB %H "%u" %h %S
>         valid users = SUBDOM\group2
>         vfs objects = acl_xattr recycle crossrename
>
> [share4]
>         comment = Share 4
>         path = PATHNAME
>         valid users = SUBDOM\group2 SUBDOM\group3 SUBDOM\group4
>
> You will notice a few things:
>
> 'dom' has gone, whilst allowing it as a trusted domain, you were not
> allowing the 'dom' users to actually do anything.
>
> 'winbind separator = +' has gone, there is no real point to it and
> 'testparm' throws a warning.
>
> As you are using the same recycle lines, you only need to set them
> once in [global] and set the recycle vfs in the required shares.
>
> I would also check that /etc/krb5.keytab contains all the required keys.
>
> Rowland
>
>