[Samba] Samba 3 to 4 AD migration - extensive permissions problems

Chan Min Wai dcmwai at gmail.com
Sat Feb 8 19:24:57 MST 2014


Have you missed this guide?
https://wiki.samba.org/index.php/Setup_and_configure_file_shares

     vfs objects = acl_xattr
     map acl inherit = Yes
     store dos attributes = Yes



On Sun, Feb 9, 2014 at 7:55 AM, Jason Ostermann <oddball at oddworld.org> wrote:

> Finally biting the bullet and upgrading home machines to Windows 7 but
> experiencing many problems.
> Server is a Debian Lenny, old Samba 3.2.5, new Samba 4.1.4 built from
> source. My setup has been doing roaming profiles for XP since 2003 or so
> with almost no changes. I want to keep roaming profiles going plus do some
> folder redirection (Desktop (my wife doesn't believe in file shares for
> pictures) and AppData (I find new ways to hate iTunes every day)
> particularly). Took a while to find that my passdb was still smbpasswd and
> the passdb had the default system accounts. Got the smbpasswd converted
> over, user accounts in place, and the new Win7 machine was able to join the
> domain.
> I was able to set the *share* permissions per the "Setting up a home share"
> without issue. However, attempting to set any permissions to the files or
> directories fails with "Access denied". I have tried all manner of unix
> modes on the files/directories to no avail. I made a new directory for
> redirected folders and that one can be used properly. So I tried to copy
> the acls (getfacl /home/redir | setfacl --set=- /home) but that fails with
> setfacl: Option -s: Invalid argument near character 1.
> The permissions problems exist across all my file shares. I did grant
> SeDiskOperatorPrivilege to domain\Administrators, then also
> domain\Administrator and domain\root just in case. Both Administrator and
> root are in the Domain Admins group. I can access the policy and users
> nicely through the RSAT mmc plugins.
>
> Is there a baseline permission/acl/mode/attr that I need to lay down across
> the entire filesystem? I've worked on this for a couple of days, so I've
> tried every stupid idea I could think up. Nothing particularly useful has
> come up in my searches.
>
> Thanks!
>
> smb.conf:
>
> # Global parameters
> [global]
>         workgroup = ODDWORLD
>         realm = oddworld.org
>         netbios name = ROHAN
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         dns forwarder = [ISP'S DNS SERVER]
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         interfaces = 192.168.4.1/24 127.0.0.1/24
>
> [netlogon]
>         path = /home/netlogon
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba4/var/locks/sysvol
>         read only = No
> [home]
>    comment= Home master
>    path = /home
>
> [backups]
>    comment= Backup space, software
>    path = /exports/bigdisk/backup
>
> [Profiles]
>     path = /home/profiles
>     read only = no
>
> [Redirected]
>     path = /home/redir
> #    browseable = no
>     read only = no
>
>
> rohan:/home# getfacl /home/redir
> getfacl: Removing leading '/' from absolute path names
> # file: home/redir
> # owner: root
> # group: root
> user::rwx
> user:root:rwx                   #effective:---
> user:3000000:rwx                #effective:---
> user:3000002:rwx                #effective:---
> user:3000003:r-x                #effective:---
> group::---
> group:root:---
> group:3000000:rwx               #effective:---
> group:3000002:rwx               #effective:---
> group:3000003:r-x               #effective:---
> mask::---
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000002:rwx
> default:group::---
> default:group:root:---
> default:group:3000000:rwx
> default:group:3000002:rwx
> default:mask::rwx
> default:other::---
>
> rohan:/home# getfacl .
> # file: .
> # owner: root
> # group: root
> user::rwx
> user:3000000:rwx                #effective:r-x
> user:3000002:rwx                #effective:r-x
> user:3000003:rwx                #effective:r-x
> group::r-x
> mask::r-x
> other::r-x
>
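
The `#effective:` annotations in the quoted `getfacl` listings come from the POSIX ACL mask: named users, the owning group and named groups keep only the rights that are also set in `mask::`. The following is an added example, not part of either poster's message, that recomputes this from a listing; the function names are illustrative and the sample input is a subset of the /home/redir listing above.

```python
# Added example, not from the thread. SAMPLE is a subset of the quoted listing.
SAMPLE = """\
# file: home/redir
user::rwx
user:root:rwx                   #effective:---
group::---
group:3000003:r-x               #effective:---
mask::---
other::---
default:user:3000000:rwx
default:mask::rwx
"""


def parse_acl(text):
    """Return (entries, masks); entries are (scope, tag, qualifier, perms)."""
    entries, masks = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and annotations
        if not line:
            continue
        scope = "default" if line.startswith("default:") else "access"
        parts = line.removeprefix("default:").split(":")
        if len(parts) != 3:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        tag, qualifier, perms = parts
        if tag == "mask":
            masks[scope] = perms
        else:
            entries.append((scope, tag, qualifier, perms))
    return entries, masks


def effective(perms, mask):
    """AND an entry's rwx string with the mask's rwx string."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def masked_entries(text):
    """List (scope, entry, granted, effective) where the mask removes rights."""
    entries, masks = parse_acl(text)
    findings = []
    for scope, tag, qualifier, perms in entries:
        # The mask limits named users and all group entries, not user:: or other::.
        limited = tag == "group" or (tag == "user" and qualifier != "")
        if limited and scope in masks:
            eff = effective(perms, masks[scope])
            if eff != perms:
                findings.append((scope, f"{tag}:{qualifier}", perms, eff))
    return findings

if __name__ == "__main__":
    print(masked_entries(SAMPLE))
```

Access and default ACLs are evaluated against their own mask, so the `default:` entries in the sample are not reported even though the access mask is `---`.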

