[Samba] AD migration issues
Praveen Ghimire
PGhimire at sundata.com.au
Thu Apr 11 12:05:13 UTC 2019
Hi,
We migrated to an AD account on Ubuntu 16.04 (Samba 4.3.11) and came across issues with user shares. Some of the users were able to access the shares and some were not.
The server in question has both AD and file roles, and we followed the Samba wiki to enable Windows ACLs.
To migrate, we ran the following:
samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir --realm=lin.GROUP --dns-backend=BIND9_DLZ /etc/samba.PDC/smb.PDC.conf --use-ntvfs
We had to use ntvfs as we got the error "Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option."
Running smbd -b | grep HAVE_LIBACL gave HAVE_LIBACL.
A user with the issue has the following:
uid=1091(chel) gid=1091(cheryl) groups=1091(cheryl),1002(domainusers),1004(lin),1009(workshop),1017(deptfin),1057(skillsdb),1058(incidentdb),1059(hrdb),1079(deptlegal),1086(depteng),1109(deptivolve),1117(deptsop),1119(deptjelldb),1169(depttraining),1170(deptshms),100(users),3000002(lin\ocetest)
The bit at the end, ocetest, is not even a group; it is a user.
One of the shares is the netlogon; getfacl gives:
# file: var/lib/samba/sysvol/lin.group/scripts/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
The other one is a file share:
# file: zones/827be14a-ffda-60f5-f7f9-b260c6cab739/data/main/
# owner: root
# group: lin
user::rwx
group::r-x
other::r-x
The home drive has:
# file: zones/827be14a-ffda-60f5-f7f9-b260c6cab739/data/home/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
When we use the following smb.conf file, the user is not even able to see any shares:
# Global parameters
[global]
workgroup = lin
realm = lin.GROUP
netbios name = DOZER5
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
log file = /var/log/samba/log.%m
log level = 4
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
acl allow execute always = True
server services = -dns
allow dns updates = nonsecure
idmap config * : backend = tdb
idmap config * : range = 4000-7999
idmap config lin:backend = ad
idmap config lin:schema_mode = rfc2307
idmap config lin:range = 10000-999999
full_audit:priority = notice
full_audit:facility = local5
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:failure = none
full_audit:prefix = %u|%I|%S
[netlogon]
path = /var/lib/samba/sysvol/lin.group/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
But when we use the default smb.conf file (i.e. the one created by AD), the users can see the sysvol but cannot access it:
# Global parameters
[global]
workgroup = lin
realm = lin.GROUP
netbios name = DOZER5
server role = active directory domain controller
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, smb
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
idmap_ldb:use rfc2307 = yes
posix:eadb = /var/lib/samba/private/eadb.tdb
[netlogon]
path = /var/lib/samba/sysvol/lin.group/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Any assistance will be greatly appreciated.
Regards,
Praveen Ghimire
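A small diagnostic for the situation described in the post above, added here as an example and not part of the original message: it parses the `idmap config ... : range` lines out of an smb.conf, checks that the ranges are disjoint (Samba requires that), and then flags every uid/gid in the quoted `id` output that falls outside all declared ranges. The smb.conf fragment and the `id` line are constructed from the values in the post; on that data every ID, including the odd 3000002 `lin\ocetest` entry, is outside both configured ranges, which is the first thing to pin down before reading the winbind log.

```python
import re

# Constructed sample: the idmap lines from the first smb.conf in the post.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 4000-7999
    idmap config lin:backend = ad
    idmap config lin:schema_mode = rfc2307
    idmap config lin:range = 10000-999999
"""

# Constructed sample: a shortened copy of the `id chel` output from the post.
ID_OUTPUT = ("uid=1091(chel) gid=1091(cheryl) groups=1091(cheryl),"
             "1002(domainusers),100(users),3000002(lin\\ocetest)")

# 'idmap config <domain> : range = <low>-<high>' (spacing around ':' varies)
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
# '<number>(<name>)' tokens as printed by id(1)
ID_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every idmap range line in conf."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping_ranges(ranges):
    """Pairs of domains whose idmap ranges overlap; an empty list is the healthy case."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def unmapped_ids(id_output, ranges):
    """Unique (id, name) pairs from id(1) output that lie outside every configured range."""
    found = set()
    for num, name in ID_RE.findall(id_output):
        n = int(num)
        if not any(lo <= n <= hi for lo, hi in ranges.values()):
            found.add((n, name))
    return sorted(found)


if __name__ == "__main__":
    r = parse_idmap_ranges(SMB_CONF)
    print("ranges:", r, "overlaps:", overlapping_ranges(r))
    for n, name in unmapped_ids(ID_OUTPUT, r):
        print(f"{n} ({name}) is outside every idmap range")
```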