[Samba] Samba user profiles file ownership
Stefan Kania
stefan at kania-online.de
Wed Sep 9 13:26:26 UTC 2020
We moved profiles with this tool
https://www.forensit.com/downloads.html
It worked perfectly.
On 13.08.20 at 15:54, James B. Byrne via samba wrote:
> FreeBSD-12.1p7
> Samba-4.10.15
>
> The user profiles were transferred from the existing Samba AD-DC to a new
> domain running on Samba-4.10. An ls on the original Samba (4.3.13) domain DC
> shows this:
>
> [root at SAMBA-01 ~]# ls -ld /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
> drwxrwx---+ 16 BROCKLEY-2016\lyneak_hll BROCKLEY-2016\domain admins 512 Aug
> 12 17:07 /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
>
> [root at SAMBA-01 ~]# ls -ldn /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
> drwxrwx---+ 16 3000025 3000008 512 Aug 12 17:07
> /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
>
> On the new domain ls shows this:
>
> ls -ld /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
> drwxrwx--- 16 3000025 3000008 25 Jul 24 17:24
> /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
>
> But on the new domain controller ls shows this:
>
> ls -ld /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
> drwxrwx--- 16 3000025 3000008 25 Jul 24 17:24
> /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
>
> This is expected as the uid/gid mapping from one installation to another is not
> expected to match. However, when I log on to the new domain from a Win10
> workstation this is created:
>
> d---------+ 18 3000027 3000008 27 Aug 12 15:29
> /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V6
>
> Which leads to a few questions:
>
> 1. What configuration is required on the new DC to show uid 3000027 as
> BROCKLEY\lyneak_hll or has this changed in later versions of Samba?
>
> 2. GID 3000008 appears to be BROCKLEY-2016\domain admins on both domains. But
> does not display as such on the new domain. What configuration setting is
> required to get the group to display using ls?
>
> 3. On the existing domain the gid on user profiles seems to be 20 (staff). On
> the new domain profiles are created with the gid 3000008. However, gid 20
> (staff) exists in /etc/group on both DCs. Why the difference? Is this due to
> a configuration setting?
>
> The smb.conf file on the new DC is:
>
> [root at smb4-2 ~ (master)]# cat /usr/local/etc/smb4.conf
> ## Global parameters
> [global]
> netbios name = SMB4-2
> disable netbios = yes
> realm = BROCKLEY.HARTE-LYNE.CA
> server role = active directory domain controller
> ## use 'samba-tool testparm -v | grep services' to list active services
> workgroup = BROCKLEY
> idmap_ldb:use rfc2307 = yes
> vfs objects = dfs_samba4 zfsacl
>
> ## Temp fix for roaming profiles? oplock
> # veto oplock files = /NTUSER.DAT/
> # veto oplock files = /ntuser.ini/
>
> socket options = TCP_NODELAY SO_KEEPALIVE
>
> ## nbt causes a fatal startup error (or use disable netbios = yes)
> # server services = -nbt
>
> ## Eliminate ipv6 errors
> bind interfaces only = Yes
> interfaces = localhost smb4-2
>
> ## DNS
> dns forwarder = 216.185.71.33 216.185.71.34
> #additional dns hostnames = smb4-2.brockley.harte-lyne.ca
>
> ## Note diff: sbin vs. bin and _ vs. - and dns vs. ns
> dns update command = /usr/local/sbin/samba_dnsupdate
> ## samba_dnsupdate insists on finding rndc
> rndc command = /usr/bin/true
> ## For secure dns dynamic updates use these (but secure does not work):
> # 1 nsupdate command = /usr/local/bin/samba-nsupdate -g
> # 1 allow dns updates = secure only
> ## For insecure dynamic updates use these settings:
> nsupdate command = /usr/local/bin/samba-nsupdate
> allow dns updates = nonsecure
>
> ## Logging
> log level = 1
> # log file = /var/log/samba4/smbd.log.%m
> log file = /var/log/samba4/smbd.log
> max log size = 10000
> debug timestamp = yes
>
> # Disable printing
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> ## Shares
> [sysvol]
> path = /var/db/samba4/sysvol
> read only = No
>
> [netlogon]
> path = /var/db/samba4/sysvol/brockley.harte-lyne.ca/scripts
> read only = No
>
> [PROFILES]
> comment = Users profiles
> path = /var/samba4/BROCKLEY/PROFILES/
> browseable = No
> read only = No
> force create mode = 0600
> force directory mode = 0700
> csc policy = disable
> store dos attributes = yes
> vfs objects = dfs_samba4 zfsacl
>
> [USERS]
> comment = Users folder redirection
> path = /var/samba4/BROCKLEY/USERS/
> browseable = No
> read only = No
> force create mode = 0600
> force directory mode = 0700
> csc policy = disable
> store dos attributes = yes
> vfs objects = dfs_samba4 zfsacl
>
>
>
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signing every e-mail helps reduce spam and protects your privacy. You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
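
An added example, not part of either message and not Samba's own code: a small Python check over the numeric `ls` listings quoted in the thread that groups profile directories by user and flags a directory listed without the ACL marker (`+`) and profile versions of one user owned by different uids. The function names and finding labels are assumptions made for this illustration; the sample lines are the new-domain listings from the quoted message, re-joined onto one line each.

```python
import re
from collections import defaultdict

# Numeric listings quoted in the message above, each re-joined onto one line.
SAMPLE = (
    "drwxrwx--- 16 3000025 3000008 25 Jul 24 17:24 "
    "/var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2\n"
    "d---------+ 18 3000027 3000008 27 Aug 12 15:29 "
    "/var/samba4/BROCKLEY/PROFILES/lyneak_hll.V6\n"
)

# mode, optional ACL marker, links, uid, gid, size, month, day, time/year, path
ENTRY = re.compile(
    r"^(?P<mode>[dl-][rwxsStT-]{9})(?P<acl>[+@.]?)\s+\d+\s+(?P<uid>\d+)\s+"
    r"(?P<gid>\d+)\s+\d+\s+\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<path>\S.*)$"
)
# Roaming profile directory name: <user> or <user>.V<n>
PROFILE = re.compile(r"^(?P<user>.+?)(?:\.V\d+)?$")


def parse_entries(text):
    """Yield one dict per parsable numeric 'ls -ld' line; other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        name = m["path"].rstrip("/").rsplit("/", 1)[-1]
        user = PROFILE.match(name)["user"]
        yield {"user": user, "dir": name, "uid": int(m["uid"]),
               "gid": int(m["gid"]), "acl": m["acl"] == "+", "mode": m["mode"]}


def audit(text):
    """Return {user: [findings]} for profile dirs that need an ownership review."""
    by_user = defaultdict(list)
    for e in parse_entries(text):
        by_user[e["user"]].append(e)
    report = {}
    for user, entries in by_user.items():
        # A directory listed without '+' carries no ACL beyond its mode bits.
        findings = [("no_acl", e["dir"]) for e in entries if not e["acl"]]
        uids = sorted({e["uid"] for e in entries})
        if len(uids) > 1:
            findings.append(("owner_uids_differ", tuple(uids)))
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        print(user, findings)
```
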