[Samba] Samba 3 to 4 AD migration - extensive permissions problems
Chan Min Wai
dcmwai at gmail.com
Sat Feb 8 22:05:37 MST 2014
Dear Jason,
It was not recommended to have DC and files together...
According to AD design...
On Sun, Feb 9, 2014 at 11:59 AM, Jason Ostermann <oddball at oddworld.org> wrote:
> This is the domain controller I'm working on. The comments on that page
> state that these settings are only for domain member servers and not the DC?
>
> Thanks!
> Jason
>
>
> On 2/8/2014 8:24 PM, Chan Min Wai wrote:
>
>> Have you missed this guide?
>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>>
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>>
>>
>>
>> On Sun, Feb 9, 2014 at 7:55 AM, Jason Ostermann <oddball at oddworld.org> wrote:
>>
>> Finally biting the bullet and upgrading home machines to Windows 7 but
>> experiencing many problems.
>> Server is a Debian Lenny, old Samba 3.2.5, new Samba 4.1.4 built from
>> source. My setup has been doing roaming profiles for XP since 2003 or
>> so with almost no changes. I want to keep roaming profiles going plus
>> do some folder redirection (Desktop (my wife doesn't believe in file
>> shares for pictures) and AppData (I find new ways to hate iTunes every
>> day) particularly). Took a while to find that my passdb was still
>> smbpasswd and the passdb had the default system accounts. Got the
>> smbpasswd converted over, user accounts in place, and the new Win7
>> machine was able to join the domain.
>> I was able to set the *share* permissions per the "Setting up a home
>> share" without issue. However, attempting to set any permissions to
>> the files or directories fails with "Access denied". I have tried all
>> manner of unix modes on the files/directories to no avail. I made a
>> new directory for redirected folders and that one can be used
>> properly. So I tried to copy the acls
>> (getfacl /home/redir | setfacl --set=- /home) but that fails with
>> setfacl: Option -s: Invalid argument near character 1.
>> The permissions problems exist across all my file shares. I did grant
>> SeDiskOperatorPrivilege to domain\Administrators, then also
>> domain\Administrator and domain\root just in case. Both Administrator
>> and root are in the Domain Admins group. I can access the policy and
>> users nicely through the RSAT mmc plugins.
>>
>> Is there a baseline permission/acl/mode/attr that I need to lay down
>> across the entire filesystem? I've worked on this for a couple of
>> days, so I've tried every stupid idea I could think up. Nothing
>> particularly useful has come up in my searches.
>>
>> Thanks!
>>
>> smb.conf:
>>
>> # Global parameters
>> [global]
>> workgroup = ODDWORLD
>> realm = oddworld.org
>>
>> netbios name = ROHAN
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>> dns forwarder = [ISP'S DNS SERVER]
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> interfaces = 192.168.4.1/24 127.0.0.1/24
>>
>>
>> [netlogon]
>> path = /home/netlogon
>> read only = No
>>
>> [sysvol]
>> path = /usr/local/samba4/var/locks/sysvol
>> read only = No
>> [home]
>> comment= Home master
>> path = /home
>>
>> [backups]
>> comment= Backup space, software
>> path = /exports/bigdisk/backup
>>
>> [Profiles]
>> path = /home/profiles
>> read only = no
>>
>> [Redirected]
>> path = /home/redir
>> # browseable = no
>> read only = no
>>
>>
>> rohan:/home# getfacl /home/redir
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/redir
>> # owner: root
>> # group: root
>> user::rwx
>> user:root:rwx #effective:---
>> user:3000000:rwx #effective:---
>> user:3000002:rwx #effective:---
>> user:3000003:r-x #effective:---
>> group::---
>> group:root:---
>> group:3000000:rwx #effective:---
>> group:3000002:rwx #effective:---
>> group:3000003:r-x #effective:---
>> mask::---
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:3000000:rwx
>> default:user:3000002:rwx
>> default:group::---
>> default:group:root:---
>> default:group:3000000:rwx
>> default:group:3000002:rwx
>> default:mask::rwx
>> default:other::---
>>
>> rohan:/home# getfacl .
>> # file: .
>> # owner: root
>> # group: root
>> user::rwx
>> user:3000000:rwx #effective:r-x
>> user:3000002:rwx #effective:r-x
>> user:3000003:rwx #effective:r-x
>> group::r-x
>> mask::r-x
>> other::r-x
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
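The getfacl listings quoted above contain named entries whose `#effective:` rights are narrower than what was granted, because the `mask::` entry caps them. As an added example (not part of the thread and not Samba code), this Python sketch recomputes effective permissions from getfacl text and lists the entries the mask cuts down; the function names are made up for illustration and the sample listing is constructed, modelled on the output in the thread.

```python
"""Recompute POSIX ACL effective permissions from getfacl text."""

# Constructed sample, modelled on the getfacl listings quoted in the thread.
SAMPLE = """\
# file: home/redir
user::rwx
user:3000000:rwx
group::r-x
group:3000002:rwx
mask::---
other::---
default:user:3000000:rwx
default:mask::rwx
"""

def parse_acl(text):
    """Return (entries, masks); entries are (scope, tag, qualifier, perms)."""
    entries, masks = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops headers and "#effective:" notes
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        if tag == "mask":
            masks[scope] = perms
        else:
            entries.append((scope, tag, qualifier, perms))
    return entries, masks

def effective(perms, mask):
    """Bitwise AND of two 'rwx'-style strings."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def masked_entries(text):
    """List entries whose granted rights are reduced by the mask.

    The mask limits named users, the owning group and named groups; it never
    limits the file owner (user::) or other::.
    """
    entries, masks = parse_acl(text)
    result = []
    for scope, tag, qualifier, perms in entries:
        limited = tag == "group" or (tag == "user" and qualifier)
        if scope in masks and limited and effective(perms, masks[scope]) != perms:
            result.append((scope, f"{tag}:{qualifier}", perms,
                           effective(perms, masks[scope])))
    return result

if __name__ == "__main__":
    for scope, who, granted, eff in masked_entries(SAMPLE):
        print(f"{scope:7} {who:15} granted={granted} effective={eff}")
```

Feeding it the output of `getfacl` on a directory shows at a glance which ACL entries are present but ineffective because of the mask.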