[Samba] Samba 3 to 4 AD migration - extensive permissions problems

Jason Ostermann oddball at oddworld.org
Sat Feb 8 16:55:45 MST 2014


Finally biting the bullet and upgrading home machines to Windows 7 but
experiencing many problems.
Server is a Debian Lenny, old Samba 3.2.5, new Samba 4.1.4 built from
source. My setup has been doing roaming profiles for XP since 2003 or so
with almost no changes. I want to keep roaming profiles going plus do some
folder redirection (Desktop (my wife doesn't believe in file shares for
pictures) and AppData (I find new ways to hate iTunes every day)
particularly). Took a while to find that my passdb was still smbpasswd and
the passdb had the default system accounts. Got the smbpasswd converted
over, user accounts in place, and the new Win7 machine was able to join the
domain.
I was able to set the *share* permissions per the "Setting up a home share"
without issue. However, attempting to set any permissions to the files or
directories fails with "Access denied". I have tried all manner of unix
modes on the files/directories to no avail. I made a new directory for
redirected folders and that one can be used properly. So I tried to copy
the acls (getfacl /home/redir | setfacl --set=- /home) but that fails with
setfacl: Option -s: Invalid argument near character 1.
The permissions problems exist across all my file shares. I did grant
SeDiskOperatorPrivilege to domain\Administrators, then also
domain\Administrator and domain\root just in case. Both Administrator and
root are in the Domain Admins group. I can access the policy and users
nicely through the RSAT mmc plugins.

Is there a baseline permission/acl/mode/attr that I need to lay down across
the entire filesystem? I've worked on this for a couple of days, so I've
tried every stupid idea I could think up. Nothing particularly useful has
come up in my searches.

Thanks!

smb.conf:

# Global parameters
[global]
        workgroup = ODDWORLD
        realm = oddworld.org
        netbios name = ROHAN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dns forwarder = [ISP'S DNS SERVER]
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        interfaces = 192.168.4.1/24 127.0.0.1/24

[netlogon]
        path = /home/netlogon
        read only = No

[sysvol]
        path = /usr/local/samba4/var/locks/sysvol
        read only = No
[home]
   comment= Home master
   path = /home

[backups]
   comment= Backup space, software
   path = /exports/bigdisk/backup

[Profiles]
    path = /home/profiles
    read only = no

[Redirected]
    path = /home/redir
#    browseable = no
    read only = no


rohan:/home# getfacl /home/redir
getfacl: Removing leading '/' from absolute path names
# file: home/redir
# owner: root
# group: root
user::rwx
user:root:rwx                   #effective:---
user:3000000:rwx                #effective:---
user:3000002:rwx                #effective:---
user:3000003:r-x                #effective:---
group::---
group:root:---
group:3000000:rwx               #effective:---
group:3000002:rwx               #effective:---
group:3000003:r-x               #effective:---
mask::---
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000002:rwx
default:group::---
default:group:root:---
default:group:3000000:rwx
default:group:3000002:rwx
default:mask::rwx
default:other::---

rohan:/home# getfacl .
# file: .
# owner: root
# group: root
user::rwx
user:3000000:rwx                #effective:r-x
user:3000002:rwx                #effective:r-x
user:3000003:rwx                #effective:r-x
group::r-x
mask::r-x
other::r-x
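
Added example, not part of the original post: the `#effective:---` comments in the listings above come from the POSIX ACL mask, which caps every named user, the owning group and every named group, but not `user::` or `other::`. The Python sketch below recomputes that from getfacl text and lists entries the mask cancels entirely; the function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: a subset of the /home/redir listing shown in the post.
SAMPLE = """\
user::rwx
user:root:rwx                   #effective:---
user:3000000:rwx                #effective:---
group::---
group:3000002:rwx               #effective:---
mask::---
other::---
default:user:3000000:rwx
default:mask::rwx
"""

ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([r-][w-][x-])")

def parse(text):
    """Split getfacl output into access and default (tag, qualifier, perms) lists."""
    acl = {"access": [], "default": []}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header comments such as "# owner: root" do not match
            acl["default" if m.group(1) else "access"].append(m.group(2, 3, 4))
    return acl

def apply_mask(perms, mask):
    """Keep a permission bit only where the entry and the mask both have it."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def effective(entries):
    """Return (tag, qualifier, granted, effective) after applying the mask rule."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    out = []
    for tag, qual, perms in entries:
        if tag == "mask":
            continue
        # The mask limits group:: and all named entries, never user:: or other::
        limited = mask is not None and (tag == "group" or (tag == "user" and qual != ""))
        out.append((tag, qual, perms, apply_mask(perms, mask) if limited else perms))
    return out

def neutralised(entries):
    """Entries that grant rights on paper but none once the mask is applied."""
    return [f"{t}:{q}" for t, q, p, e in effective(entries) if p != "---" and e == "---"]

if __name__ == "__main__":
    access = parse(SAMPLE)["access"]
    for t, q, p, e in effective(access):
        print(f"{t}:{q or '-'} granted={p} effective={e}")
    print("cancelled by mask:", neutralised(access))
```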

