[Samba] Samba 4 AD share: Access denied

Davor Vusir davortvusir at gmail.com
Tue Aug 12 13:41:24 MDT 2014


2014-08-12 17:50 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
> Alright, now all the printers are giving me access denied. I need an answer
> in the next thirty minutes or I am going to file a bug report. I have spent
> too many days and nights on this already. I have been over countless
> documents and such both at the Samba Wiki and at other sites. I worked with
> people on this list and I have tried so much that should not have mattered,
> and now we have other people reporting access denied errors, including one
> on this very list. I believe Samba is broken in some way currently that is
> denying access to everybody, despite proper permissions (ACLs) and
> configuration. I get denied access to both shares and printers, even though
> I have the correct UID/GID on all of my systems. I will await a response. If
> nobody can figure this out, I'll file the report so this can be fixed.
>
In my first setup, a combined (compiled) AD DC and file server I never
got it to work with "vfs objects = acl_xattr" in the global section. I
had two more shares and could not get the permissions to work until I
put "vfs objects = acl_xattr" in the share sections. The shares were
on LVM volumes mapped to directories later shared with Samba. My
conclusion is that "vfs objects = acl_xattr" in the global section on
an AD DC does not extend (or how to put it) beyond the netlogon and
sysvol shares. I have not tested this configuration on one (1) mounted
LVM volume where /usr/local and Sambashares reside.

I have now changed the setup to a dedicated virtual AD DC and a
physical file server because of poor network performance. After the
switch I experienced the same; proper permissions deny access... The
setup is still the same; mounted LVM volumes later shared with samba.
By removing "vfs objects = acl_xattr, map acl inherit = Yes and store
dos attributes = Yes" from the global section, as mentioned in
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs,
and instead putting "vfs objects = acl_xattr" in the share section
solves it. If you are using more vfs objects you may have to reorder
them. And I also noticed that removing Everyone from the Share tab
will neither let you edit nor remove ACEs in the Security tab. So
first let Everyone be there, add Domain Admins, press Apply. Add
Domain Admins to the ACL, press Apply. Take ownership. After this
procedure you are able to edit ACEs. This will not guarantee that
inheritance is correct. Again, "vfs objects = acl_xattr" in the global
section does not seem to extend beyond the global section. And I'm not
sure why "map acl inherit = Yes and store dos attributes = Yes" are in
the global section (I'm using neither). Both belong to a share
section according to
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html.

Hope it helps.

Regards
Davor
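Added example for this thread (not code from Davor's or Ryan's posts, and not Samba code): a small Python script that evaluates a getfacl listing with the POSIX ACL algorithm from acl(5), so the "the user is in the group but still gets access denied" question can be settled at the filesystem layer before looking at Samba. It takes the listing plus the user's groups as `getent group` reports them; the sample inputs are constructed after the fbc listing and the getent lines quoted below, with the mask tightened to r-x on purpose so the masking effect on group entries is visible. It also reports ACL qualifiers that are bare numbers, which means the host could not map that UID or GID to a name, a pointer at nsswitch.conf and winbind rather than at the ACL. If the script says the filesystem would grant access and the share still denies it, the cause is above the filesystem: the share's security descriptor stored by acl_xattr, idmap, or winbind.

```python
"""Evaluate a getfacl(1) listing the way the POSIX ACL check does (acl(5)).

Added example for the Samba "Access denied" thread; not part of any post.
"""
import re

# Constructed sample after the fbc listing quoted in the thread; the mask is
# tightened to r-x on purpose so the masking effect is visible.
SAMPLE_GETFACL = """\
# file: home/shared/fbc/
# owner: reachfp
# group: fbc
# flags: -s-
user::rwx
user:reachfp:rwx
group::rwx
group:fbc:rwx
group:70006:rwx
mask::r-x
other::---
default:user::rwx
default:group:fbc:rwx
"""

# Constructed after the `getent group` lines quoted in the thread.
SAMPLE_GETENT_GROUP = """\
fbc:x:10030:reach_support,ernestj,cynthiaj,joyces,jessicaj
staff:x:10032:reach_support,ernestj,cynthiaj,joyces,yolandab
domain admins:x:10002:reachfp
"""


def parse_getfacl(text):
    """Parse the access ACL of one getfacl listing; default: entries are skipped."""
    acl = {"owner": None, "group": None, "user_obj": "", "users": {},
           "group_obj": "", "groups": {}, "mask": None, "other": ""}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("default:"):
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(.+)", line)
            if m:
                acl[m.group(1)] = m.group(2).strip()
            continue
        tag, qualifier, perms = line.split(":", 2)
        perms = perms[:3]  # drop a trailing "#effective:..." annotation
        if tag == "user" and qualifier:
            acl["users"][qualifier] = perms
        elif tag == "user":
            acl["user_obj"] = perms
        elif tag == "group" and qualifier:
            acl["groups"][qualifier] = perms
        elif tag == "group":
            acl["group_obj"] = perms
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
    return acl


def groups_of(user, getent_group_text):
    """Names of the groups that list `user` as a member in `getent group` output."""
    found = []
    for line in getent_group_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and user in parts[3].split(","):
            found.append(parts[0])
    return found


def _has(perms, want):
    return all(c in perms for c in want)


def _masked(perms, mask):
    # The mask caps named-user, owning-group and named-group entries.
    if mask is None:
        return perms
    return "".join(c if c in mask else "-" for c in perms)


def check_access(acl, user, user_groups, want):
    """acl(5) order: owner, named user, matching groups, other."""
    if user == acl["owner"]:
        return _has(acl["user_obj"], want)
    if user in acl["users"]:
        return _has(_masked(acl["users"][user], acl["mask"]), want)
    matched = False
    for g in user_groups:
        if g == acl["group"]:
            matched = True
            if _has(_masked(acl["group_obj"], acl["mask"]), want):
                return True
        if g in acl["groups"]:
            matched = True
            if _has(_masked(acl["groups"][g], acl["mask"]), want):
                return True
    if matched:
        return False  # a group matched but none of them grants `want`
    return _has(acl["other"], want)


def unresolved_ids(acl):
    """Qualifiers that stayed numeric: the host could not map that UID/GID
    to a name, so check nsswitch.conf and winbind before blaming the ACL."""
    names = [acl["owner"], acl["group"]] + list(acl["users"]) + list(acl["groups"])
    return sorted(n for n in names if n and n.isdigit())


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for user in ("reachfp", "cynthiaj", "yolandab"):
        groups = groups_of(user, SAMPLE_GETENT_GROUP)
        verdict = {w: check_access(acl, user, groups, w) for w in "rwx"}
        print(user, groups, verdict)
    print("unresolved IDs in ACL:", unresolved_ids(acl))
```

On a real host, paste the output of `getfacl <share path>` and `getent group` in place of the two samples; the primary group from `getent passwd` can simply be appended to the list `groups_of` returns.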

>
> On 08/12/2014 10:55 AM, Ryan Ashley wrote:
>>
>> I did some more reading and apparently things above 3,000,000 are from the
>> BUILTIN stuff. Is this correct? If so, should it be resolving or not? I mean
>> this IS my DC, and I would think it would resolve. If not, that is fine, so
>> long as this is normal.
>>
>> root at dc01:/var/lib/samba# getfacl sysvol
>> # file: sysvol
>> # owner: TRUEVINE\134reachfp
>> # group: 3000000
>> user::rwx
>> user:TRUEVINE\134reachfp:rwx
>> user:3000000:rwx
>> user:3000001:r-x
>> user:3000002:rwx
>> user:3000003:r-x
>> group::rwx
>> group:3000000:rwx
>> group:3000001:r-x
>> group:3000002:rwx
>> group:3000003:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:TRUEVINE\134reachfp:rwx
>> default:user:3000000:rwx
>> default:user:3000001:r-x
>> default:user:3000002:rwx
>> default:user:3000003:r-x
>> default:group::---
>> default:group:3000000:rwx
>> default:group:3000001:r-x
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:mask::rwx
>> default:other::---
>>
>> On 08/12/2014 10:34 AM, Ryan Ashley wrote:
>>>
>>> I may have found the culprit. I attempted to change a group policy this
>>> morning, as domain admin, and got "Access is denied" when applying the
>>> change. This led me to the DC. Specifically, the sysvol directory. It was
>>> owned by root and 3000000. Not good. I restarted S4. Same thing. I did
>>> "samba-tool ntacl sysvolreset" and now I have this.
>>>
>>> root at dc01:/var/lib/samba# l
>>> total 1376
>>> -rw-------  1 root             root    421888 Jun 19 14:32 account_policy.tdb
>>> drwx------  2 root             root     16384 Jun 19 09:41 lost+found
>>> drwxr-x---  2 root             root      4096 Aug 12 10:29 ntp_signd
>>> drwxr-xr-x  7 root             root      4096 Aug 12 10:29 private
>>> -rw-------  1 root             root    528384 Jun 19 14:32 registry.tdb
>>> -rw-------  1 root             root    421888 Jun 19 14:32 share_info.tdb
>>> drwxrwx---+ 3 TRUEVINE\reachfp 3000000   4096 Aug 12 10:29 sysvol
>>> drwxr-x---  2 root             root      4096 Aug 12 10:29 winbindd_privileged
>>> root at dc01:/var/lib/samba#
>>>
>>> What group is supposed to have access to that and why is it setting it to
>>> some unknown ID? This is my DC and it is the ONLY DC in the domain. Yes,
>>> /etc/nsswitch.conf is setup to use winbind, which should be clear from the
>>> owner. Still, this could be why the domain is acting so strange. How do I
>>> fix this?
>>>
>>> On 08/12/2014 09:28 AM, Ryan Ashley wrote:
>>>>
>>>> Still stuck. I have even tried giving everybody full permissions and no
>>>> matter what I do with ACLs, I keep being denied access. I believe the issue
>>>> is on the network level. In Windows, you normally set network access to
>>>> "Everyone/Full Control" and then control things via NTFS permissions. Is it
>>>> possible Samba is somehow stopping me at the network level? How can I check?
>>>>
>>>> Also, I did some thinking and believe we went down a path that was in no
>>>> way going to help me. Steve and Rowland, you both had me get my IDs mapping
>>>> the same across all servers, but here is my thinking, and it may be wrong.
>>>> If I had never fixed that, but server A always saw me as ID 70001 and server
>>>> B saw me as 70009, who cares? If I always access server A and get ID 70001
>>>> then everything with that ID is always owned by me. So what should it matter
>>>> if the other server has a different ID for me? Everything on that server
>>>> would be owned by that ID. The only case I could see for having the same ID
>>>> across servers would be for something like a DFS. Either way, the IDs did
>>>> not change a thing other than the numbers stored in the ACLs. I am still
>>>> being denied access by every user EXCEPT the domain admin.
>>>>
>>>> So what should I look at next? I am still lost as to why this won't
>>>> work.
>>>>
>>>> On 08/11/2014 10:20 PM, Ryan Ashley wrote:
>>>>>
>>>>> Alright, I have spent the day trying various things to get nowhere. It
>>>>> is like the user being in the group means nothing to Samba. I have my
>>>>> support user in all groups, the drives map, but I get "Access is denied"
>>>>> whenever I attempt to click on a mapped drive. I read dozens of posts about
>>>>> how this could be a Windows 7 thing, so I added the lines below to the
>>>>> global section, but it does not help. I also cannot access the share from
>>>>> Linux (KDE4/Dolphin), so I am fairly sure this isn't a Windows 7 bug. I
>>>>> cannot access them from an iPad either, or my Android phone. In other words,
>>>>> Samba is denying access to everybody who is not the actual owner of the
>>>>> share, even if the user is in any of the groups in the ACL on the Linux
>>>>> filesystem.
>>>>>
>>>>> ntlm auth = no
>>>>> lanman auth = no
>>>>> client ntlmv2 auth = yes
>>>>>
>>>>> The rest has not changed at this point. I did configure with
>>>>> "--with-ads and --with-shared-modules=idmap_ad". Still no go. What could
>>>>> cause Samba to not figure out a user is in a group that has access to a
>>>>> directory? This is where I am stuck.
>>>>>
>>>>> On 8/11/2014 12:44 PM, Ryan Ashley wrote:
>>>>>>
>>>>>> Alright, I am back where I started. I now have the correct IDs on
>>>>>> both servers, but nothing I do allows users and groups access to the shares.
>>>>>> I keep getting "Access Denied" when any domain user attempts to access the
>>>>>> shares. I have tried 777/666 and 770/660 for the Linux permissions and
>>>>>> nothing changes. Here is a dump of the current server config and ACLs.
>>>>>>
>>>>>> root at fs01:~# testparm /etc/samba/smb.conf
>>>>>> Load smb config files from /etc/samba/smb.conf
>>>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>>>>> Processing section "[install$]"
>>>>>> Processing section "[staff$]"
>>>>>> Processing section "[fbc$]"
>>>>>> Loaded services file OK.
>>>>>> Server role: ROLE_DOMAIN_MEMBER
>>>>>> Press enter to see a dump of your service definitions
>>>>>>
>>>>>> [global]
>>>>>>         workgroup = TRUEVINE
>>>>>>         realm = TRUEVINE.LAN
>>>>>>         security = ADS
>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>         kerberos method = secrets and keytab
>>>>>>         local master = No
>>>>>>         domain master = No
>>>>>>         winbind enum users = Yes
>>>>>>         winbind enum groups = Yes
>>>>>>         winbind use default domain = Yes
>>>>>>         winbind nss info = rfc2307
>>>>>>         idmap config TRUEVINE:range = 10001-40000
>>>>>>         idmap config TRUEVINE:schema_mode = rfc2307
>>>>>>         idmap config TRUEVINE:backend = ad
>>>>>>         idmap config *:range = 70001-80000
>>>>>>         idmap config * : backend = tdb
>>>>>>         map acl inherit = Yes
>>>>>>         store dos attributes = Yes
>>>>>>         vfs objects = acl_xattr
>>>>>>
>>>>>> [install$]
>>>>>>         comment = "Software installation files"
>>>>>>         path = /home/shared/install
>>>>>>         read only = No
>>>>>>
>>>>>> [staff$]
>>>>>>         comment = "Staff file share"
>>>>>>         path = /home/shared/staff
>>>>>>         read only = No
>>>>>>
>>>>>> [fbc$]
>>>>>>         comment = "Family Bible College file share"
>>>>>>         path = /home/shared/fbc
>>>>>>         read only = No
>>>>>>
>>>>>> root at fs01:~# getfacl /home/shared/fbc/
>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>> # file: home/shared/fbc/
>>>>>> # owner: reachfp
>>>>>> # group: fbc
>>>>>> # flags: -s-
>>>>>> user::rwx
>>>>>> user:reachfp:rwx
>>>>>> group::rwx
>>>>>> group:fbc:rwx
>>>>>> group:70006:rwx
>>>>>> mask::rwx
>>>>>> other::---
>>>>>> default:user::rwx
>>>>>> default:user:reachfp:rwx
>>>>>> default:group::---
>>>>>> default:group:fbc:rwx
>>>>>> default:group:70006:rwx
>>>>>> default:mask::rwx
>>>>>> default:other::---
>>>>>>
>>>>>> root at fs01:~# getfacl /home/shared/staff/
>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>> # file: home/shared/staff/
>>>>>> # owner: reachfp
>>>>>> # group: staff
>>>>>> # flags: -s-
>>>>>> user::rwx
>>>>>> user:reachfp:rwx
>>>>>> group::rwx
>>>>>> group:staff:rwx
>>>>>> group:70006:rwx
>>>>>> mask::rwx
>>>>>> other::---
>>>>>> default:user::rwx
>>>>>> default:user:reachfp:rwx
>>>>>> default:group::---
>>>>>> default:group:staff:rwx
>>>>>> default:group:70006:rwx
>>>>>> default:mask::rwx
>>>>>> default:other::---
>>>>>>
>>>>>> root at fs01:~#
>>>>>>
>>>>>> The 70006 ID is the "SYSTEM" account. The guides recommended using
>>>>>> this for the printer shares and I have always used it on file shares also.
>>>>>> Removing it does not fix things, so I added it back. If you can give me a
>>>>>> good reason to remove it again, I will happily do so.
>>>>>>
>>>>>> On 08/11/2014 12:11 PM, Ryan Ashley wrote:
>>>>>>>
>>>>>>> Just so it can be avoided, all shares had directory permissions of
>>>>>>> 777 and file permissions of 666. Still getting access denied. I just changed
>>>>>>> permissions to 770 and 660 for security. I can change them back if needed.
>>>>>>>
>>>>>>> root at fs01:/home/shared# l
>>>>>>> total 40
>>>>>>> drwxrws---+  6 reachfp fbc            4096 Jul 23 11:31 fbc
>>>>>>> drwxrwsrwx   8 reachfp domain admins  4096 Jul 23 11:14 install
>>>>>>> drwx------   2 root    root          16384 Jul 15 10:00 lost+found
>>>>>>> drwxrws---+ 13 reachfp staff          4096 Jul 23 11:30 staff
>>>>>>> root at fs01:/home/shared# l -n
>>>>>>> total 40
>>>>>>> drwxrws---+  6 10001 10030  4096 Jul 23 11:31 fbc
>>>>>>> drwxrwsrwx   8 10001 10002  4096 Jul 23 11:14 install
>>>>>>> drwx------   2     0     0 16384 Jul 15 10:00 lost+found
>>>>>>> drwxrws---+ 13 10001 10032  4096 Jul 23 11:30 staff
>>>>>>> root at fs01:/home/shared#
>>>>>>>
>>>>>>> root at fs01:/home/shared# getent group
>>>>>>> <snipped out the UNIX groups>
>>>>>>> allowed rodc password replication group:x:10007:
>>>>>>> enterprise read-only domain controllers:x:10013:
>>>>>>> denied rodc password replication group:x:10009:krbtgt
>>>>>>> read-only domain controllers:x:10015:
>>>>>>> audiovideo:x:10029:reach_support,yolandab,daquanm,richards
>>>>>>> group policy creator owners:x:10014:reachfp
>>>>>>> newmembers:x:10031:cynthiaj,joyces,yolandab,jovanm,thomasa
>>>>>>> vpn users:x:10033:reach_support
>>>>>>>
>>>>>>> staff:x:10032:reach_support,ernestj,cynthiaj,joyces,yolandab,jovanm,daquanm,patriceb,jessicaj,shamekias,thomasa,richards
>>>>>>> fbc:x:10030:reach_support,ernestj,cynthiaj,joyces,jessicaj
>>>>>>> ras and ias servers:x:10015:
>>>>>>> domain controllers:x:10005:
>>>>>>> enterprise admins:x:10012:reachfp
>>>>>>> domain computers:x:10004:
>>>>>>> cert publishers:x:10008:
>>>>>>> dnsupdateproxy:x:10011:
>>>>>>> domain admins:x:10002:reachfp
>>>>>>> domain guests:x:10006:
>>>>>>> schema admins:x:10016:reachfp
>>>>>>> domain users:x:10003:
>>>>>>> dnsadmins:x:10010:
>>>>>>> root at fs01:/home/shared# getent passwd
>>>>>>> <snipped the UNIX stuff again>
>>>>>>> shamekias:*:10011:10003:<???>:/home/TRUEVINE/shamekias:/bin/false
>>>>>>> richards:*:10010:10003:<???>:/home/TRUEVINE/richards:/bin/false
>>>>>>> yolandab:*:10013:10003:<???>:/home/TRUEVINE/yolandab:/bin/false
>>>>>>> joyces:*:10008:10003:<???>:/home/TRUEVINE/joyces:/bin/false
>>>>>>> patriceb:*:10009:10003:<???>:/home/TRUEVINE/patriceb:/bin/false
>>>>>>> cynthiaj:*:10003:10003:<???>:/home/TRUEVINE/cynthiaj:/bin/false
>>>>>>> jessicaj:*:10006:10003:<???>:/home/TRUEVINE/jessicaj:/bin/false
>>>>>>> reach_support:*:10002:10003:Reach Support:/home/TRUEVINE/reach_support:/bin/false
>>>>>>> daquanm:*:10004:10003:<???>:/home/TRUEVINE/daquanm:/bin/false
>>>>>>> ernestj:*:10005:10003:<???>:/home/TRUEVINE/ernestj:/bin/false
>>>>>>> jovanm:*:10007:10003:<???>:/home/TRUEVINE/jovanm:/bin/false
>>>>>>> thomasa:*:10012:10003:<???>:/home/TRUEVINE/thomasa:/bin/false
>>>>>>> reachfp:*:10001:10003:reachfp:/home/TRUEVINE/reachfp:/bin/false
>>>>>>> root at fs01:/home/shared#
>>>>>>>
>>>>>>> On 08/11/2014 11:52 AM, Ryan Ashley wrote:
>>>>>>>>
>>>>>>>> Just to let everybody know, I rebuilt S4 from scratch using
>>>>>>>> "--with-shared-modules=idmap_ad" in the configuration parameters, and now I
>>>>>>>> am getting the correct IDs on both member servers. Now my issue is that
>>>>>>>> despite this, only the domain admin can browse the mapped drives.
>>>>>>>> Permissions are correct on all shares (I redid them by hand) but people in
>>>>>>>> those groups are NOT allowed access despite having "full control" over the
>>>>>>>> share.
>>>>>>>>
>>>>>>>> At least we made some progress. Now what should I look at since the
>>>>>>>> IDs are being pulled from AD correctly? My nsswitch.conf is set to use
>>>>>>>> winbind and winbind is running. Everything appears to work correctly on both
>>>>>>>> servers including same ID and such, but it still denies access to everybody
>>>>>>>> EXCEPT the owner.
>>>>>>>>
>>>>>>>> On 08/11/2014 09:48 AM, Ryan Ashley wrote:
>>>>>>>>>
>>>>>>>>> Thank you for that information. I just ran the command on our
>>>>>>>>> print-server and it appears to be using the correct configuration file, but
>>>>>>>>> there are LOADS of extra parameters I am assuming are at default settings.
>>>>>>>>> However, I do not appear to have /var/run/samba or /var/lock/samba
>>>>>>>>> directories. I am going to create those and see if it helps, but if it does
>>>>>>>>> I do not know why.
>>>>>>>>>
>>>>>>>>> Also, I cannot seem to be able to install the S4 packages from
>>>>>>>>> backports onto ANY Wheezy system, including my laptop. The
>>>>>>>>> "samba4-common-bin" is configured to depend on "python-samba" but the only
>>>>>>>>> version available is 4.0.x so it won't install. I am working that issue out
>>>>>>>>> on the Debian forums and may result in a bug report.
>>>>>>>>>
>>>>>>>>> root at ps01:~# testparm -v /etc/samba/smb.conf
>>>>>>>>> Load smb config files from /etc/samba/smb.conf
>>>>>>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>>>>>>>> Processing section "[printers]"
>>>>>>>>> Processing section "[print$]"
>>>>>>>>> Processing section "[Xerox7545]"
>>>>>>>>> Loaded services file OK.
>>>>>>>>> ERROR: lock directory /var/lock/samba does not exist
>>>>>>>>> ERROR: pid directory /var/run/samba does not exist
>>>>>>>>> Server role: ROLE_DOMAIN_MEMBER
>>>>>>>>> Press enter to see a dump of your service definitions
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>>         dos charset = CP850
>>>>>>>>>         unix charset = UTF-8
>>>>>>>>>         workgroup = TRUEVINE
>>>>>>>>>         realm = TRUEVINE.LAN
>>>>>>>>>         netbios name = PS01
>>>>>>>>>         netbios aliases =
>>>>>>>>>         netbios scope =
>>>>>>>>>         server string = Samba 4.1.11
>>>>>>>>>         interfaces =
>>>>>>>>>         bind interfaces only = No
>>>>>>>>>         server role = auto
>>>>>>>>>         security = ADS
>>>>>>>>>         auth methods = winbind
>>>>>>>>>         encrypt passwords = Yes
>>>>>>>>>         client schannel = Auto
>>>>>>>>>         server schannel = Auto
>>>>>>>>>         allow trusted domains = Yes
>>>>>>>>>         map to guest = Never
>>>>>>>>>         null passwords = No
>>>>>>>>>         obey pam restrictions = No
>>>>>>>>>         password server = *
>>>>>>>>>         smb passwd file = /var/lib/samba/private/smbpasswd
>>>>>>>>>         private dir = /var/lib/samba/private
>>>>>>>>>         passdb backend = tdbsam
>>>>>>>>>         algorithmic rid base = 1000
>>>>>>>>>         root directory =
>>>>>>>>>         guest account = nobody
>>>>>>>>>         enable privileges = Yes
>>>>>>>>>         pam password change = No
>>>>>>>>>         passwd program =
>>>>>>>>>         passwd chat = *new*password* %n\n *new*password* %n\n *changed*
>>>>>>>>>         passwd chat debug = No
>>>>>>>>>         passwd chat timeout = 2
>>>>>>>>>         check password script =
>>>>>>>>>         username map =
>>>>>>>>>         username level = 0
>>>>>>>>>         unix password sync = No
>>>>>>>>>         restrict anonymous = 0
>>>>>>>>>         lanman auth = No
>>>>>>>>>         ntlm auth = Yes
>>>>>>>>>         client NTLMv2 auth = Yes
>>>>>>>>>         client lanman auth = No
>>>>>>>>>         client plaintext auth = No
>>>>>>>>>         client use spnego principal = No
>>>>>>>>>         preload modules =
>>>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>         kerberos method = secrets and keytab
>>>>>>>>>         map untrusted to domain = No
>>>>>>>>>         log level = 2
>>>>>>>>>         syslog = 1
>>>>>>>>>         syslog only = No
>>>>>>>>>         log file =
>>>>>>>>>         max log size = 5000
>>>>>>>>>         debug timestamp = Yes
>>>>>>>>>         debug prefix timestamp = No
>>>>>>>>>         debug hires timestamp = Yes
>>>>>>>>>         debug pid = No
>>>>>>>>>         debug uid = No
>>>>>>>>>         debug class = No
>>>>>>>>>         enable core files = Yes
>>>>>>>>>         smb ports = 445, 139
>>>>>>>>>         large readwrite = Yes
>>>>>>>>>         server max protocol = SMB3
>>>>>>>>>         server min protocol = LANMAN1
>>>>>>>>>         client max protocol = NT1
>>>>>>>>>         client min protocol = CORE
>>>>>>>>>         unicode = Yes
>>>>>>>>>         min receivefile size = 0
>>>>>>>>>         read raw = Yes
>>>>>>>>>         write raw = Yes
>>>>>>>>>         disable netbios = No
>>>>>>>>>         reset on zero vc = No
>>>>>>>>>         log writeable files on exit = No
>>>>>>>>>         defer sharing violations = Yes
>>>>>>>>>         nt pipe support = Yes
>>>>>>>>>         nt status support = Yes
>>>>>>>>>         max mux = 50
>>>>>>>>>         max xmit = 16644
>>>>>>>>>         name resolve order = lmhosts, wins, host, bcast
>>>>>>>>>         max ttl = 259200
>>>>>>>>>         max wins ttl = 518400
>>>>>>>>>         min wins ttl = 21600
>>>>>>>>>         time server = No
>>>>>>>>>         unix extensions = Yes
>>>>>>>>>         use spnego = Yes
>>>>>>>>>         client signing = default
>>>>>>>>>         server signing = default
>>>>>>>>>         client use spnego = Yes
>>>>>>>>>         client ldap sasl wrapping = plain
>>>>>>>>>         enable asu support = No
>>>>>>>>>         svcctl list =
>>>>>>>>>         cldap port = 0
>>>>>>>>>         dgram port = 0
>>>>>>>>>         nbt port = 0
>>>>>>>>>         krb5 port = 0
>>>>>>>>>         kpasswd port = 0
>>>>>>>>>         web port = 0
>>>>>>>>>         rpc big endian = No
>>>>>>>>>         deadtime = 0
>>>>>>>>>         getwd cache = Yes
>>>>>>>>>         keepalive = 300
>>>>>>>>>         lpq cache time = 30
>>>>>>>>>         max smbd processes = 0
>>>>>>>>>         max disk size = 0
>>>>>>>>>         max open files = 16384
>>>>>>>>>         socket options = TCP_NODELAY
>>>>>>>>>         use mmap = Yes
>>>>>>>>>         use ntdb = No
>>>>>>>>>         hostname lookups = No
>>>>>>>>>         name cache timeout = 660
>>>>>>>>>         ctdbd socket =
>>>>>>>>>         cluster addresses =
>>>>>>>>>         clustering = No
>>>>>>>>>         ctdb timeout = 0
>>>>>>>>>         ctdb locktime warn threshold = 0
>>>>>>>>>         smb2 max read = 1048576
>>>>>>>>>         smb2 max write = 1048576
>>>>>>>>>         smb2 max trans = 1048576
>>>>>>>>>         smb2 max credits = 8192
>>>>>>>>>         load printers = Yes
>>>>>>>>>         printcap cache time = 750
>>>>>>>>>         printcap name =
>>>>>>>>>         cups server =
>>>>>>>>>         cups encrypt = No
>>>>>>>>>         cups connection timeout = 30
>>>>>>>>>         iprint server =
>>>>>>>>>         disable spoolss = No
>>>>>>>>>         addport command =
>>>>>>>>>         enumports command =
>>>>>>>>>         addprinter command =
>>>>>>>>>         deleteprinter command =
>>>>>>>>>         show add printer wizard = Yes
>>>>>>>>>         os2 driver map =
>>>>>>>>>         mangling method = hash2
>>>>>>>>>         mangle prefix = 1
>>>>>>>>>         max stat cache size = 256
>>>>>>>>>         stat cache = Yes
>>>>>>>>>         machine password timeout = 604800
>>>>>>>>>         add user script =
>>>>>>>>>         rename user script =
>>>>>>>>>         delete user script =
>>>>>>>>>         add group script =
>>>>>>>>>         delete group script =
>>>>>>>>>         add user to group script =
>>>>>>>>>         delete user from group script =
>>>>>>>>>         set primary group script =
>>>>>>>>>         add machine script =
>>>>>>>>>         shutdown script =
>>>>>>>>>         abort shutdown script =
>>>>>>>>>         username map script =
>>>>>>>>>         username map cache time = 0
>>>>>>>>>         logon script =
>>>>>>>>>         logon path = \\%N\%U\profile
>>>>>>>>>         logon drive =
>>>>>>>>>         logon home = \\%N\%U
>>>>>>>>>         domain logons = No
>>>>>>>>>         init logon delayed hosts =
>>>>>>>>>         init logon delay = 100
>>>>>>>>>         os level = 20
>>>>>>>>>         lm announce = Auto
>>>>>>>>>         lm interval = 60
>>>>>>>>>         preferred master = No
>>>>>>>>>         local master = Yes
>>>>>>>>>         domain master = Auto
>>>>>>>>>         browse list = Yes
>>>>>>>>>         enhanced browsing = Yes
>>>>>>>>>         dns proxy = Yes
>>>>>>>>>         wins proxy = No
>>>>>>>>>         wins server =
>>>>>>>>>         wins support = No
>>>>>>>>>         wins hook =
>>>>>>>>>         lock spin time = 200
>>>>>>>>>         oplock break wait time = 0
>>>>>>>>>         ldap admin dn =
>>>>>>>>>         ldap delete dn = No
>>>>>>>>>         ldap group suffix =
>>>>>>>>>         ldap idmap suffix =
>>>>>>>>>         ldap machine suffix =
>>>>>>>>>         ldap passwd sync = no
>>>>>>>>>         ldap replication sleep = 1000
>>>>>>>>>         ldap suffix =
>>>>>>>>>         ldap ssl = start tls
>>>>>>>>>         ldap ssl ads = No
>>>>>>>>>         ldap deref = auto
>>>>>>>>>         ldap follow referral = Auto
>>>>>>>>>         ldap timeout = 15
>>>>>>>>>         ldap connection timeout = 2
>>>>>>>>>         ldap page size = 1024
>>>>>>>>>         ldap user suffix =
>>>>>>>>>         ldap debug level = 0
>>>>>>>>>         ldap debug threshold = 10
>>>>>>>>>         eventlog list =
>>>>>>>>>         add share command =
>>>>>>>>>         change share command =
>>>>>>>>>         delete share command =
>>>>>>>>>         preload =
>>>>>>>>>         lock directory = /var/lock/samba
>>>>>>>>>         state directory = /var/lib/samba
>>>>>>>>>         cache directory = /var/cache/samba
>>>>>>>>>         pid directory = /var/run/samba
>>>>>>>>>         ntp signd socket directory =
>>>>>>>>>         utmp directory =
>>>>>>>>>         wtmp directory =
>>>>>>>>>         utmp = No
>>>>>>>>>         default service =
>>>>>>>>>         message command =
>>>>>>>>>         get quota command =
>>>>>>>>>         set quota command =
>>>>>>>>>         remote announce =
>>>>>>>>>         remote browse sync =
>>>>>>>>>         nbt client socket address = 0.0.0.0
>>>>>>>>>         nmbd bind explicit broadcast = Yes
>>>>>>>>>         homedir map = auto.home
>>>>>>>>>         afs username map =
>>>>>>>>>         afs token lifetime = 604800
>>>>>>>>>         log nt token command =
>>>>>>>>>         NIS homedir = No
>>>>>>>>>         registry shares = No
>>>>>>>>>         usershare allow guests = No
>>>>>>>>>         usershare max shares = 0
>>>>>>>>>         usershare owner only = Yes
>>>>>>>>>         usershare path = /var/lib/samba/usershares
>>>>>>>>>         usershare prefix allow list =
>>>>>>>>>         usershare prefix deny list =
>>>>>>>>>         usershare template share =
>>>>>>>>>         async smb echo handler = No
>>>>>>>>>         panic action =
>>>>>>>>>         perfcount module =
>>>>>>>>>         host msdfs = Yes
>>>>>>>>>         passdb expand explicit = No
>>>>>>>>>         idmap backend = tdb
>>>>>>>>>         idmap cache time = 604800
>>>>>>>>>         idmap negative cache time = 120
>>>>>>>>>         idmap uid =
>>>>>>>>>         idmap gid =
>>>>>>>>>         template homedir = /home/%D/%U
>>>>>>>>>         template shell = /bin/false
>>>>>>>>>         winbind separator = \
>>>>>>>>>         winbind cache time = 300
>>>>>>>>>         winbind reconnect delay = 30
>>>>>>>>>         winbind max clients = 200
>>>>>>>>>         winbind enum users = Yes
>>>>>>>>>         winbind enum groups = Yes
>>>>>>>>>         winbind use default domain = Yes
>>>>>>>>>         winbind trusted domains only = No
>>>>>>>>>         winbind nested groups = Yes
>>>>>>>>>         winbind expand groups = 1
>>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>>         winbind refresh tickets = No
>>>>>>>>>         winbind offline logon = No
>>>>>>>>>         winbind normalize names = No
>>>>>>>>>         winbind rpc only = No
>>>>>>>>>         create krb5 conf = Yes
>>>>>>>>>         ncalrpc dir = /var/run/samba/ncalrpc
>>>>>>>>>         winbind max domain connections = 1
>>>>>>>>>         winbindd socket directory =
>>>>>>>>>         winbindd privileged socket directory =
>>>>>>>>>         winbind sealed pipes = No
>>>>>>>>>         allow dns updates = disabled
>>>>>>>>>         dns forwarder =
>>>>>>>>>         dns update command =
>>>>>>>>>         nsupdate command =
>>>>>>>>>         rndc command =
>>>>>>>>>         multicast dns register = Yes
>>>>>>>>>         samba kcc command =
>>>>>>>>>         server services =
>>>>>>>>>         dcerpc endpoint servers =
>>>>>>>>>         spn update command =
>>>>>>>>>         share backend =
>>>>>>>>>         tls enabled = No
>>>>>>>>>         tls keyfile =
>>>>>>>>>         tls certfile =
>>>>>>>>>         tls cafile =
>>>>>>>>>         tls crlfile =
>>>>>>>>>         tls dh params file =
>>>>>>>>>         spoolss: architecture = Windows x64
>>>>>>>>>         rpc_daemon:spoolssd = fork
>>>>>>>>>         rpc_server:spoolss = external
>>>>>>>>>         idmap config TRUEVINE:range = 10000-40000
>>>>>>>>>         idmap config TRUEVINE:schema_mode = rfc2307
>>>>>>>>>         idmap config TRUEVINE:backend = ad
>>>>>>>>>         idmap config *:range = 70001-80000
>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>         comment =
>>>>>>>>>         path =
>>>>>>>>>         username =
>>>>>>>>>         invalid users =
>>>>>>>>>         valid users =
>>>>>>>>>         admin users =
>>>>>>>>>         read list =
>>>>>>>>>         write list =
>>>>>>>>>         force user =
>>>>>>>>>         force group =
>>>>>>>>>         read only = Yes
>>>>>>>>>         acl check permissions = Yes
>>>>>>>>>         acl group control = No
>>>>>>>>>         acl map full control = Yes
>>>>>>>>>         acl allow execute always = No
>>>>>>>>>         create mask = 0744
>>>>>>>>>         force create mode = 00
>>>>>>>>>         directory mask = 0755
>>>>>>>>>         force directory mode = 00
>>>>>>>>>         force unknown acl user = No
>>>>>>>>>         inherit permissions = No
>>>>>>>>>         inherit acls = No
>>>>>>>>>         inherit owner = No
>>>>>>>>>         guest only = No
>>>>>>>>>         administrative share = No
>>>>>>>>>         guest ok = No
>>>>>>>>>         only user = No
>>>>>>>>>         hosts allow =
>>>>>>>>>         hosts deny =
>>>>>>>>>         allocation roundup size = 1048576
>>>>>>>>>         aio read size = 0
>>>>>>>>>         aio write size = 0
>>>>>>>>>         aio write behind =
>>>>>>>>>         ea support = No
>>>>>>>>>         nt acl support = Yes
>>>>>>>>>         profile acls = No
>>>>>>>>>         map acl inherit = Yes
>>>>>>>>>         afs share = No
>>>>>>>>>         smb encrypt = default
>>>>>>>>>         durable handles = Yes
>>>>>>>>>         block size = 1024
>>>>>>>>>         change notify = Yes
>>>>>>>>>         directory name cache size = 100
>>>>>>>>>         kernel change notify = Yes
>>>>>>>>>         max connections = 0
>>>>>>>>>         min print space = 0
>>>>>>>>>         strict allocate = No
>>>>>>>>>         strict sync = No
>>>>>>>>>         sync always = No
>>>>>>>>>         use sendfile = No
>>>>>>>>>         write cache size = 0
>>>>>>>>>         max reported print jobs = 0
>>>>>>>>>         max print jobs = 1000
>>>>>>>>>         printable = No
>>>>>>>>>         print notify backchannel = Yes
>>>>>>>>>         print ok = No
>>>>>>>>>         printing = cups
>>>>>>>>>         cups options =
>>>>>>>>>         print command =
>>>>>>>>>         lpq command = %p
>>>>>>>>>         lprm command =
>>>>>>>>>         lppause command =
>>>>>>>>>         lpresume command =
>>>>>>>>>         queuepause command =
>>>>>>>>>         queueresume command =
>>>>>>>>>         printer name =
>>>>>>>>>         use client driver = No
>>>>>>>>>         default devmode = Yes
>>>>>>>>>         force printername = No
>>>>>>>>>         printjob username = %U
>>>>>>>>>         default case = lower
>>>>>>>>>         case sensitive = Auto
>>>>>>>>>         preserve case = Yes
>>>>>>>>>         short preserve case = Yes
>>>>>>>>>         mangling char = ~
>>>>>>>>>         hide dot files = Yes
>>>>>>>>>         hide special files = No
>>>>>>>>>         hide unreadable = No
>>>>>>>>>         hide unwriteable files = No
>>>>>>>>>         delete veto files = No
>>>>>>>>>         veto files =
>>>>>>>>>         hide files =
>>>>>>>>>         veto oplock files =
>>>>>>>>>         map archive = Yes
>>>>>>>>>         map hidden = No
>>>>>>>>>         map system = No
>>>>>>>>>         map readonly = yes
>>>>>>>>>         mangled names = Yes
>>>>>>>>>         store dos attributes = Yes
>>>>>>>>>         dmapi support = No
>>>>>>>>>         browseable = Yes
>>>>>>>>>         access based share enum = No
>>>>>>>>>         blocking locks = Yes
>>>>>>>>>         csc policy = manual
>>>>>>>>>         fake oplocks = No
>>>>>>>>>         kernel oplocks = No
>>>>>>>>>         kernel share modes = Yes
>>>>>>>>>         locking = Yes
>>>>>>>>>         oplocks = Yes
>>>>>>>>>         level2 oplocks = Yes
>>>>>>>>>         oplock contention limit = 2
>>>>>>>>>         posix locking = Yes
>>>>>>>>>         strict locking = Auto
>>>>>>>>>         dfree cache time = 0
>>>>>>>>>         dfree command =
>>>>>>>>>         copy =
>>>>>>>>>         preexec =
>>>>>>>>>         preexec close = No
>>>>>>>>>         postexec =
>>>>>>>>>         root preexec =
>>>>>>>>>         root preexec close = No
>>>>>>>>>         root postexec =
>>>>>>>>>         available = Yes
>>>>>>>>>         volume =
>>>>>>>>>         fstype = NTFS
>>>>>>>>>         wide links = No
>>>>>>>>>         follow symlinks = Yes
>>>>>>>>>         dont descend =
>>>>>>>>>         magic script =
>>>>>>>>>         magic output =
>>>>>>>>>         delete readonly = No
>>>>>>>>>         dos filemode = No
>>>>>>>>>         dos filetimes = Yes
>>>>>>>>>         dos filetime resolution = No
>>>>>>>>>         fake directory create times = No
>>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>>         msdfs root = No
>>>>>>>>>         msdfs proxy =
>>>>>>>>>         ntvfs handler =
>>>>>>>>>
>>>>>>>>> [printers]
>>>>>>>>>         path = /var/spool/samba
>>>>>>>>>         printable = Yes
>>>>>>>>>         print ok = Yes
>>>>>>>>>         browseable = No
>>>>>>>>>
>>>>>>>>> [print$]
>>>>>>>>>         comment = Printer drivers
>>>>>>>>>         path = /srv/samba/printer_drivers
>>>>>>>>>         read only = No
>>>>>>>>>
>>>>>>>>> [Xerox7545]
>>>>>>>>>         path = /var/spool/samba
>>>>>>>>>         printable = Yes
>>>>>>>>>         print ok = Yes
>>>>>>>>>         printer name = Xerox_WC_7545
>>>>>>>>>
>>>>>>>>> On 08/10/2014 02:54 AM, Davor Vusir wrote:
>>>>>>>>>>
>>>>>>>>>> 2014-08-09 23:41 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>>>>>>>>
>>>>>>>>>>> Alright, I am calling it quits for the day unless somebody knows
>>>>>>>>>>> what I have
>>>>>>>>>>> screwed up here. If I do "getent passwd" it shows all local and
>>>>>>>>>>> domain
>>>>>>>>>>> users, and the domain users have the wrong IDs. If I do "getent
>>>>>>>>>>> passwd
>>>>>>>>>>> <domain user>" I get absolutely nothing. Obviously I have done
>>>>>>>>>>> something
>>>>>>>>>>> wrong here, but I have no clue what. This behavior started after
>>>>>>>>>>> modifying
>>>>>>>>>>> the configuration file though. The modifications Rowland showed
>>>>>>>>>>> me in his.
>>>>>>>>>>> That tells me that maybe it is trying to do something right and
>>>>>>>>>>> cannot. I
>>>>>>>>>>> have one last idea of my own, then I will be installing the
>>>>>>>>>>> backports
>>>>>>>>>>> version Monday on a clean VM.
>>>>>>>>>>>
>>>>>>>>>> Hey Ryan!
>>>>>>>>>>
>>>>>>>>>> I noticed when I ran 'testparm -v /etc/samba/smb.conf | more' that
>>>>>>>>>> samba is using the directories (lock directory =
>>>>>>>>>> /usr/local/samba/var/lock) from the old self-compiled installation.
>>>>>>>>>> Now I'm using the Sernet package.
>>>>>>>>>>
>>>>>>>>>> When I run 'testparm -v | more' it reads
>>>>>>>>>> /usr/local/samba/etc/smb.conf instead of /etc/samba/smb.conf and
>>>>>>>>>> shows
>>>>>>>>>> only one out of two share definitions.
>>>>>>>>>>
>>>>>>>>>> The file /etc/samba/smb.conf is copied from an old AD DC
>>>>>>>>>> server config
>>>>>>>>>> and later edited. The hidden entries like "lock directory =" above
>>>>>>>>>> are
>>>>>>>>>> present.
>>>>>>>>>>
>>>>>>>>>> Are you perhaps experiencing the same?
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Davor
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
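An added check, not code from this thread, for the question running through it of where a share's ACL settings actually come from: it resolves an smb.conf parameter the way Samba does (the share section first, then [global]) and reports, per share, the three parameters this thread moves between [global] and the share sections. The sample config is constructed, and `_lookup`, `effective_param`, `param_origin`, `list_shares` and `report_acl_params` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: show what value a share really gets for an
# smb.conf parameter and whether it comes from the share section, [global], or is unset.
# Parameter names are real smb.conf names; the sample config is constructed; share names
# are assumed to contain no whitespace.
# _lookup CONF SHARE PARAM MODE   (MODE is "value" or "origin")
_lookup() {
    awk -v share="$2" -v param="$3" -v mode="$4" '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # comments and blank lines
        index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) != tolower(param)) next
            if (sec == share)                  { sv = val; ss = 1 }  # share-level wins
            else if (tolower(sec) == "global") { gv = val; gs = 1 }  # [global] is the default
        }
        END {
            origin = ss ? "share" : (gs ? "global" : "unset")
            out = (mode == "origin") ? origin : (ss ? sv : gv)
            print out
        }' "$1"
}
effective_param() { _lookup "$1" "$2" "$3" value; }
param_origin()    { _lookup "$1" "$2" "$3" origin; }
# list_shares CONF: every section name except [global]
list_shares() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                       if (tolower(s) != "global") print s }' "$1"
}
# report_acl_params CONF: the three parameters the thread moves between [global] and
# the share sections, per share, with where each value comes from
report_acl_params() {
    for s in $(list_shares "$1"); do for p in "vfs objects" "map acl inherit" "store dos attributes"; do
        printf '[%s] %-20s = %-10s (%s)\n' "$s" "$p" \
            "$(effective_param "$1" "$s" "$p")" "$(param_origin "$1" "$s" "$p")"
    done; done
}
SAMPLE_CONF=$(mktemp)           # constructed sample: [data] inherits, [profiles] sets its own
cat > "$SAMPLE_CONF" <<'EOF'
[global]
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
[data]
        path = /srv/samba/data
[profiles]
        vfs objects = acl_xattr
EOF
report_acl_params "$SAMPLE_CONF"
```

Point it at the file testparm actually loads (testparm prints the path it read on its first line) rather than the one you assume is in use, since a stale self-compiled install and a packaged one can each read a different smb.conf.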