[Samba] AD migration issues

Praveen Ghimire PGhimire at sundata.com.au
Thu Apr 11 12:05:13 UTC 2019


Hi ,

We migrated to an AD account on Ubuntu 16.04 (Samba 4.3.11) and came across issues with user shares. Some of the users were able to access the shares and some were not.

The server in question has both the AD and file shares, and we followed the Samba wiki to enable Windows ACLs.

To migrate, we ran the following:
samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir --realm=lin.GROUP --dns-backend=BIND9_DLZ /etc/samba.PDC/smb.PDC.conf --use-ntvfs

We had to use ntvfs because we got "Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option."

Running smbd -b | grep HAVE_LIBACL gave: HAVE_LIBACL

A user with the issue has the following id output:
uid=1091(chel) gid=1091(cheryl) groups=1091(cheryl),1002(domainusers),1004(lin),1009(workshop),1017(deptfin),1057(skillsdb),1058(incidentdb),1059(hrdb),1079(deptlegal),1086(depteng),1109(deptivolve),1117(deptsop),1119(deptjelldb),1169(depttraining),1170(deptshms),100(users),3000002(lin\ocetest)
The bit at the end, ocetest, is not even a group; it is a user.

One of the shares is netlogon; getfacl gives:
# file: var/lib/samba/sysvol/lin.group/scripts/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

The other one is a file share:
# file: zones/827be14a-ffda-60f5-f7f9-b260c6cab739/data/main/
# owner: root
# group: lin
user::rwx
group::r-x
other::r-x

The home drive has:
# file: zones/827be14a-ffda-60f5-f7f9-b260c6cab739/data/home/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

When we use the following smb.conf file, the user is not even able to see any shares:
# Global parameters
[global]
        workgroup = lin
        realm = lin.GROUP
        netbios name = DOZER5
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        log file = /var/log/samba/log.%m
        log level = 4
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        acl allow execute always = True
        server services = -dns
        allow dns updates = nonsecure

        idmap config * : backend = tdb
        idmap config * : range = 4000-7999
        idmap config lin:backend = ad
        idmap config lin:schema_mode = rfc2307
        idmap config lin:range = 10000-999999

        full_audit:priority = notice
        full_audit:facility = local5
        full_audit:success = mkdir rmdir read pread write pwrite rename unlink
        full_audit:failure = none
        full_audit:prefix = %u|%I|%S

[netlogon]
        path = /var/lib/samba/sysvol/lin.group/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No



But when we use the default smb.conf file (i.e. the one created by AD), the users can see the sysvol but not access it:
# Global parameters
[global]
              workgroup = lin
              realm = lin.GROUP
              netbios name = DOZER5
              server role = active directory domain controller
              server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, smb
              dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
              idmap_ldb:use rfc2307 = yes
              posix:eadb = /var/lib/samba/private/eadb.tdb

[netlogon]
              path = /var/lib/samba/sysvol/lin.group/scripts
              read only = No

[sysvol]
              path = /var/lib/samba/sysvol
              read only = No


Any assistance will be greatly appreciated.


Regards,
Praveen Ghimire
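Added example, not part of the post above and not Samba's own tooling: a small POSIX sh script covering the two preconditions the post trips over. The classicupgrade refusal ("does not support posix ACLs, which s3fs requires") is a filesystem property, so the first helper works out, from /proc/mounts-style lines, whether the filesystem under a share path can carry POSIX ACLs at all; the second counts how many entries a getfacl listing has beyond the base user::/group::/other:: trio, which is zero for all three listings in the post (no extended ACL is stored on those directories yet). The mount table and the getfacl listings below are constructed samples, not the poster's server; the rule that ext4 provides ACLs unless mounted noacl assumes a kernel built with EXT4_FS_POSIX_ACL (the Ubuntu default).

```shell
#!/bin/sh
# Added example (not from the original post): checks for the two
# preconditions behind the "s3fs requires posix ACLs" error and the
# base-only getfacl output.

# acl_supported TYPE OPTIONS -> prints yes, no or unknown
acl_supported() {
    fstype=$1; opts=$2
    case "$fstype" in
        xfs|btrfs) echo yes ;;          # ACL support is built in, no mount option
        ext2|ext3|ext4)
            # ext* honours an explicit noacl; otherwise ACLs are available
            # (assumption: kernel built with EXT4_FS_POSIX_ACL, Ubuntu default)
            case ",$opts," in
                *,noacl,*) echo no ;;
                *)         echo yes ;;
            esac ;;
        zfs)
            # /proc/mounts does not expose acltype; it has to be checked with
            # `zfs get acltype <dataset>` and set to posixacl
            echo unknown ;;
        *) echo unknown ;;
    esac
}

# mount_for_path PATH  (reads /proc/mounts-format lines on stdin)
# -> prints "TYPE OPTIONS" of the longest mount point that is a prefix of PATH
mount_for_path() {
    awk -v p="$1" '
    {
        mp = $2
        if (mp == "/" || index(p "/", mp "/") == 1) {
            if (length(mp) > best) { best = length(mp); out = $3 " " $4 }
        }
    }
    END { print out }'
}

# count_extended_acl  (reads getfacl output on stdin)
# -> number of entries beyond user::/group::/other:: (named users/groups,
#    mask::, default: entries); 0 means no extended POSIX ACL is stored
count_extended_acl() {
    awk '!/^(#|user::|group::|other::)/ && NF { n++ } END { print n + 0 }'
}

# Constructed sample mount table (same layout as /proc/mounts)
SAMPLE_MOUNTS='rootfs / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /zones xfs rw,relatime,attr2,inode64 0 0
/dev/sdc1 /mnt/legacy ext4 rw,noacl 0 0'

# Constructed getfacl output with only the base trio, like the post's listings
SAMPLE_GETFACL_BASE='# file: zones/data/main/
# owner: root
# group: lin
user::rwx
group::r-x
other::r-x'

# Constructed getfacl output after a named user and group were added
SAMPLE_GETFACL_EXT='# file: zones/data/main/
# owner: root
# group: lin
user::rwx
user:cheryl:rwx
group::r-x
group:domainusers:r-x
mask::rwx
other::r-x'

# share_acl_status PATH -> yes/no/unknown, resolved against SAMPLE_MOUNTS
# (swap the printf for `cat /proc/mounts` to run it against a live host)
share_acl_status() {
    set -- $(printf '%s\n' "$SAMPLE_MOUNTS" | mount_for_path "$1")
    acl_supported "$1" "$2"
}

for p in /zones/827be14a-ffda-60f5-f7f9-b260c6cab739/data/home \
         /mnt/legacy/share /var/lib/samba/sysvol; do
    printf '%-55s posix acl: %s\n' "$p" "$(share_acl_status "$p")"
done
printf 'extended ACL entries (base-only listing): %s\n' \
    "$(printf '%s\n' "$SAMPLE_GETFACL_BASE" | count_extended_acl)"
printf 'extended ACL entries (named entries added): %s\n' \
    "$(printf '%s\n' "$SAMPLE_GETFACL_EXT" | count_extended_acl)"
```

On a real host, feed `cat /proc/mounts` into mount_for_path and `getfacl <share path>` into count_extended_acl; a share path that resolves to "no" is exactly the case where classicupgrade falls back to requiring --use-ntvfs, and a count of 0 on a share that should carry Windows ACLs means the ACL has not been set on the filesystem side.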
