Q. When Samba is running, I issued a command to list processes using ps -C smbd, and it lists more than one process. I have the following queries regarding this: how can one determine how many smbd processes run? Is there any way to determine which smbd process is linked with which share session?
Ans.
smbstatus command will be helpful in this regard.
Q. I am using winbind to get AD users on Samba. The problem I am facing is related to groups.
To make the problem clear, I am taking an example. There is an AD user that belongs to the "Domain users" and "Marketting" groups. A new file/folder created by that user has group ownership "Domain users", but I want "Marketting" to be the group owner. Is it possible without setting the SGID bit? Is there any sort of primary group feature in AD?
Ans.
There is, and only (fortunately) for POSIX compatibility. AD makes no
real use of it, it's just normally set to what Domain Users equates to.
I have modified it for accounts used on UNIX OSs that want a different
group FROM AD as primary group (note: I have found that attempting to
point it to an (effective) GID that's not derived from AD always
failed, and AD would either deny the update or reset it to Domain
Users).
If you use something like adsiedit, the user attribute you want is
primaryGroupID. And (being as I used winbind with RID mapping for UID
and GID currently), I make sure I find what id (from the UNIX command
line) perceives as the GID for the AD group I'm interested in, then set
that value using adsiedit, as the primaryGroupID in AD for the user
account.
Q. Should the "inherit permission" and "inherit acl" parameters be used only
when a default acl is not present on the parent directory?
Ans.
No, if you want to be sure that permissions are inherited properly, you need both default permissions and "inherit permissions/acl". If "inherit permissions/acl" is missing, the default acls are inherited but they may be modified. The man page reads:
inherit acls (S)
This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a new file or subdirectory in these
parent directories. The default behavior is to use the unix mode specified when creating the directory. Enabling this option sets the unix mode to 0777, thus
guaranteeing that default directory acls are propagated.
The important point is that the unix mode is set to 0777 if "inherit acl = yes" is set. Otherwise the unix mode that is active for the user context Samba is running in will be taken. I will give an example to make things clear.
Imagine you have a directory with the following acls:
default:mask::rwx
default:user::rwx
default:user:my_account:r-x
and the effective user mode is not 0777 but 0666 and "inherit acl" is set to "no". In this case the new file gets the following acls:
default:mask::rw-
default:user::rw-
default:user:my_account:r--
Please note the missing execute bit. The acl of the new object is the logical AND operation of the default acl and the effective unix mode. The acls are inherited anyway, no matter what "inherit acl" says. But the result might be different from what you expect.
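The masking described in this answer, as an added example that is not part of the original post. It models the acl(5) inheritance rule: the owner, mask and other entries copied from the default ACL are ANDed with the create mode, while a named-user entry is stored unchanged but only takes effect through the mask. The group:: and other:: entries and the function names are constructed for illustration; a create mode of 0o777 stands in for "inherit acls = yes".

```python
# Added example: models POSIX default-ACL inheritance as documented in acl(5).
# DIR_DEFAULT_ACL is constructed; group:: and other:: are assumed values
# (the answer only lists the mask, owner and my_account entries).
DIR_DEFAULT_ACL = {
    "user::": "rwx",
    "user:my_account:": "r-x",
    "group::": "r-x",
    "mask::": "rwx",
    "other::": "---",
}

def parse_perm(text):
    """Convert 'r-x' to its 3-bit value (5)."""
    return sum(bit for ch, bit in zip(text, (4, 2, 1)) if ch != "-")

def fmt_perm(bits):
    """Convert a 3-bit value back to 'rwx' notation."""
    return "".join(ch if bits & bit else "-" for ch, bit in zip("rwx", (4, 2, 1)))

def inherit(default_acl, create_mode):
    """Return {entry: (stored_perm, effective_perm)} for a newly created file."""
    owner = (create_mode >> 6) & 7
    group_class = (create_mode >> 3) & 7
    other = create_mode & 7
    acl = {entry: parse_perm(perm) for entry, perm in default_acl.items()}
    acl["user::"] &= owner
    acl["other::"] &= other
    # With a mask present, the group-class bits limit the mask, not group::.
    if "mask::" in acl:
        acl["mask::"] &= group_class
    else:
        acl["group::"] &= group_class
    mask = acl.get("mask::", 7)
    unmasked = ("user::", "other::", "mask::")
    return {
        entry: (fmt_perm(perm), fmt_perm(perm if entry in unmasked else perm & mask))
        for entry, perm in acl.items()
    }

if __name__ == "__main__":
    for label, mode in (("inherit acls = no, mode 0666", 0o666),
                        ("inherit acls = yes, mode 0777", 0o777)):
        print(label)
        for entry, (stored, effective) in inherit(DIR_DEFAULT_ACL, mode).items():
            print(f"  {entry}{stored}  #effective:{effective}")
```

On a real share, getfacl on the new file shows the same split: the stored entry followed by an "#effective:" comment wherever the mask removes bits.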
Q. I am running Samba 3.0.28 on two servers and using winbind to get Active Directory users and groups. The problem I am facing is that the uid assigned for the same user is different on the Samba servers. The uid saved in the Active Directory is different from the winbind Linux side?
Ans:
No, the problem is that the uids on the two samba servers are
different for the same user. This is because you are using
(the default of) "idmap backend = tdb". This assigns increasing
uids (per server) to users in the order they access the server.
If you need the same user ids, you have (at least) the following
two options:
1. Use "idmap backend = rid". Then a user gets the
uid built as LOW_RANGE_UID + RID.
Here LOW_RANGE_UID is the lower bound of the range
"idmap uid = LOW_RANGE_UID - HIGH_RANGE_UID"
and RID is the "relative identifier": the user SID
is built as follows: DOMAIN_SID-RID. i.e. the rid
is the last block of digits of the user's sid, hence
is unique inside one domain, and users will get the
same uid on all samba servers using "idmap backend = rid".
See the man page idmap_rid(8).
2. Use "idmap backend = ad":
When you install the SFU (Services For Unix) schema
extensions, then you can set unix attributes for users
and groups in Active Directory, and the same uid is
obtained for users on all samba servers using this backend.
winbind uid->sid mapping
There are multiple methods winbind can use to generate the uid<->sid mapping.
The default being tdb, which just generates a uid on the fly. As you noticed
it does not necessarily sync between machines. If you need uid sync, you are
better off looking at the rid module, which generates a uid based on the
windows sid.