[Samba] Samba 3 to 4 AD migration - extensive permissions problems

Jason Ostermann oddball at oddworld.org
Sat Feb 8 20:59:06 MST 2014


This is the domain controller I'm working on. The comments on that page 
state that these settings are only for domain member servers and not the DC?

Thanks!
Jason

On 2/8/2014 8:24 PM, Chan Min Wai wrote:
> Have you missed this guide?
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>
>       vfs objects = acl_xattr
>       map acl inherit = Yes
>       store dos attributes = Yes
>
>
>
> On Sun, Feb 9, 2014 at 7:55 AM, Jason Ostermann <oddball at oddworld.org> wrote:
>
>     Finally biting the bullet and upgrading home machines to Windows 7 but
>     experiencing many problems.
>
>     Server is a Debian Lenny, old Samba 3.2.5, new Samba 4.1.4 built from
>     source. My setup has been doing roaming profiles for XP since 2003 or so
>     with almost no changes. I want to keep roaming profiles going plus do some
>     folder redirection (Desktop (my wife doesn't believe in file shares for
>     pictures) and AppData (I find new ways to hate iTunes every day)
>     particularly). Took a while to find that my passdb was still smbpasswd and
>     the passdb had the default system accounts. Got the smbpasswd converted
>     over, user accounts in place, and the new Win7 machine was able to join the
>     domain.
>
>     I was able to set the *share* permissions per the "Setting up a home share"
>     without issue. However, attempting to set any permissions to the files or
>     directories fails with "Access denied". I have tried all manner of unix
>     modes on the files/directories to no avail. I made a new directory for
>     redirected folders and that one can be used properly. So I tried to copy
>     the acls (getfacl /home/redir | setfacl --set=- /home) but that fails with
>     setfacl: Option -s: Invalid argument near character 1.
>
>     The permissions problems exist across all my file shares. I did grant
>     SeDiskOperatorPrivilege to domain\Administrators, then also
>     domain\Administrator and domain\root just in case. Both Administrator and
>     root are in the Domain Admins group. I can access the policy and users
>     nicely through the RSAT mmc plugins.
>
>     Is there a baseline permission/acl/mode/attr that I need to lay down across
>     the entire filesystem? I've worked on this for a couple of days, so I've
>     tried every stupid idea I could think up. Nothing particularly useful has
>     come up in my searches.
>
>     Thanks!
>
>     smb.conf:
>
>     # Global parameters
>     [global]
>              workgroup = ODDWORLD
>              realm = oddworld.org
>              netbios name = ROHAN
>              server role = active directory domain controller
>              idmap_ldb:use rfc2307 = yes
>              dns forwarder = [ISP'S DNS SERVER]
>              socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>              interfaces = 192.168.4.1/24 127.0.0.1/24
>
>     [netlogon]
>              path = /home/netlogon
>              read only = No
>
>     [sysvol]
>              path = /usr/local/samba4/var/locks/sysvol
>              read only = No
>     [home]
>         comment= Home master
>         path = /home
>
>     [backups]
>         comment= Backup space, software
>         path = /exports/bigdisk/backup
>
>     [Profiles]
>          path = /home/profiles
>          read only = no
>
>     [Redirected]
>          path = /home/redir
>     #    browseable = no
>          read only = no
>
>
>     rohan:/home# getfacl /home/redir
>     getfacl: Removing leading '/' from absolute path names
>     # file: home/redir
>     # owner: root
>     # group: root
>     user::rwx
>     user:root:rwx                   #effective:---
>     user:3000000:rwx                #effective:---
>     user:3000002:rwx                #effective:---
>     user:3000003:r-x                #effective:---
>     group::---
>     group:root:---
>     group:3000000:rwx               #effective:---
>     group:3000002:rwx               #effective:---
>     group:3000003:r-x               #effective:---
>     mask::---
>     other::---
>     default:user::rwx
>     default:user:root:rwx
>     default:user:3000000:rwx
>     default:user:3000002:rwx
>     default:group::---
>     default:group:root:---
>     default:group:3000000:rwx
>     default:group:3000002:rwx
>     default:mask::rwx
>     default:other::---
>
>     rohan:/home# getfacl .
>     # file: .
>     # owner: root
>     # group: root
>     user::rwx
>     user:3000000:rwx                #effective:r-x
>     user:3000002:rwx                #effective:r-x
>     user:3000003:rwx                #effective:r-x
>     group::r-x
>     mask::r-x
>     other::r-x
>
>


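The getfacl output posted above shows, on the POSIX side, why the ACL on /home/redir grants nothing to anyone but root: the access ACL carries mask::---, and the mask clamps every named user, named group and the owning-group entry, which getfacl marks with #effective:---. The script below is an added example and not part of the thread. It parses getfacl output and reports each entry whose effective rights are reduced by the mask, and it shows the setfacl form that actually reads an ACL from stdin (--set-file=-); the posted command used --set=-, and --set is the long form of -s, which is why it failed with "Option -s: Invalid argument near character 1". The sample ACL is a constructed copy of the one posted above, and clamped_entries and copy_acl are hypothetical helper names. On a Samba AD DC with vfs objects = acl_xattr the authoritative Windows ACL lives in the security.NTACL extended attribute and the POSIX ACL is only its mapping, so mask:: is a diagnostic signal here, not the place to fix permissions.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose POSIX ACL entries that the
# ACL mask clamps, and copy an ACL from one directory to another correctly.

# Constructed sample input: the access ACL of /home/redir as posted in the
# thread, including getfacl's own "#effective:" annotations.
SAMPLE_ACL='# file: home/redir
# owner: root
# group: root
user::rwx
user:root:rwx                   #effective:---
user:3000000:rwx                #effective:---
user:3000002:rwx                #effective:---
user:3000003:r-x                #effective:---
group::---
group:root:---
group:3000000:rwx               #effective:---
group:3000002:rwx               #effective:---
group:3000003:r-x               #effective:---
mask::---
other::---
default:user::rwx
default:mask::rwx
default:other::---'

# clamped_entries: read getfacl output on stdin and print one line per
# access-ACL entry whose effective rights differ from its stated rights.
# The mask applies to named users, named groups and the owning group
# (group::); it never applies to user:: (the owner) or to other::.
# Output format: TYPE:QUALIFIER requested=PERMS effective=PERMS
clamped_entries() {
    awk -F: '
        { sub(/[ \t]+#.*$/, "") }                  # drop trailing "#effective:" notes
        /^#/ || /^default:/ || $0 == "" { next }   # skip headers, default ACL, blanks
        $1 == "mask" { mask = $3; next }
        ($1 == "user" && $2 != "") || $1 == "group" {
            n++; type[n] = $1; qual[n] = $2; perm[n] = $3
        }
        END {
            if (mask == "") exit                   # no mask entry: nothing is clamped
            for (i = 1; i <= n; i++) {
                eff = ""
                for (j = 1; j <= 3; j++) {         # AND each r/w/x bit with the mask
                    p = substr(perm[i], j, 1)
                    m = substr(mask, j, 1)
                    eff = eff ((p != "-" && p == m) ? p : "-")
                }
                if (eff != perm[i])
                    printf "%s:%s requested=%s effective=%s\n", type[i], qual[i], perm[i], eff
            }
        }'
}

# copy_acl SRC DST: replicate the access and default ACL of SRC onto DST.
# getfacl output is fed to setfacl with --set-file=- (read ACL text from
# stdin); "--set=-" fails because --set expects an ACL spec, not a file name.
copy_acl() {
    getfacl --absolute-names "$1" | setfacl --set-file=- "$2"
}

# Demonstration on the constructed sample: mask::--- clamps every named entry.
printf '%s\n' "$SAMPLE_ACL" | clamped_entries
```

Run it against a live directory with `getfacl /home/redir | clamped_entries`; an empty result means the mask is not what is reducing the rights, and the problem is elsewhere (the Windows ACL in security.NTACL, share permissions, or the privilege grant).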