[Samba] Samba 3 to 4 AD migration - extensive permissions problems

Chan Min Wai dcmwai at gmail.com
Sat Feb 8 22:05:37 MST 2014


Dear Jason,

It was not recommended to have DC and files together...
According to AD design...



On Sun, Feb 9, 2014 at 11:59 AM, Jason Ostermann <oddball at oddworld.org> wrote:

> This is the domain controller I'm working on. The comments on that page
> state that these settings are only for domain member servers and not the DC?
>
> Thanks!
> Jason
>
>
> On 2/8/2014 8:24 PM, Chan Min Wai wrote:
>
>> Have you missed this guide?
>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>>
>>       vfs objects = acl_xattr
>>       map acl inherit = Yes
>>       store dos attributes = Yes
>>
>>
>>
>> On Sun, Feb 9, 2014 at 7:55 AM, Jason Ostermann <oddball at oddworld.org> wrote:
>>
>>     Finally biting the bullet and upgrading home machines to Windows 7 but
>>     experiencing many problems.
>>     Server is a Debian Lenny, old Samba 3.2.5, new Samba 4.1.4 built from
>>     source. My setup has been doing roaming profiles for XP since 2003 or so
>>     with almost no changes. I want to keep roaming profiles going plus do some
>>     folder redirection (Desktop (my wife doesn't believe in file shares for
>>     pictures) and AppData (I find new ways to hate iTunes every day)
>>     particularly). Took a while to find that my passdb was still smbpasswd and
>>     the passdb had the default system accounts. Got the smbpasswd converted
>>     over, user accounts in place, and the new Win7 machine was able to join the
>>     domain.
>>     I was able to set the *share* permissions per the "Setting up a home share"
>>     without issue. However, attempting to set any permissions to the files or
>>     directories fails with "Access denied". I have tried all manner of unix
>>     modes on the files/directories to no avail. I made a new directory for
>>     redirected folders and that one can be used properly. So I tried to copy
>>     the acls (getfacl /home/redir | setfacl --set=- /home) but that fails with
>>     setfacl: Option -s: Invalid argument near character 1.
>>     The permissions problems exist across all my file shares. I did grant
>>     SeDiskOperatorPrivilege to domain\Administrators, then also
>>     domain\Administrator and domain\root just in case. Both Administrator and
>>     root are in the Domain Admins group. I can access the policy and users
>>     nicely through the RSAT mmc plugins.
>>
>>     Is there a baseline permission/acl/mode/attr that I need to lay down across
>>     the entire filesystem? I've worked on this for a couple of days, so I've
>>     tried every stupid idea I could think up. Nothing particularly useful has
>>     come up in my searches.
>>
>>     Thanks!
>>
>>     smb.conf:
>>
>>     # Global parameters
>>     [global]
>>              workgroup = ODDWORLD
>>              realm = oddworld.org
>>
>>              netbios name = ROHAN
>>              server role = active directory domain controller
>>              idmap_ldb:use rfc2307 = yes
>>              dns forwarder = [ISP'S DNS SERVER]
>>              socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>              interfaces = 192.168.4.1/24 127.0.0.1/24
>>
>>
>>     [netlogon]
>>              path = /home/netlogon
>>              read only = No
>>
>>     [sysvol]
>>              path = /usr/local/samba4/var/locks/sysvol
>>              read only = No
>>     [home]
>>         comment= Home master
>>         path = /home
>>
>>     [backups]
>>         comment= Backup space, software
>>         path = /exports/bigdisk/backup
>>
>>     [Profiles]
>>          path = /home/profiles
>>          read only = no
>>
>>     [Redirected]
>>          path = /home/redir
>>     #    browseable = no
>>          read only = no
>>
>>
>>     rohan:/home# getfacl /home/redir
>>     getfacl: Removing leading '/' from absolute path names
>>     # file: home/redir
>>     # owner: root
>>     # group: root
>>     user::rwx
>>     user:root:rwx                   #effective:---
>>     user:3000000:rwx                #effective:---
>>     user:3000002:rwx                #effective:---
>>     user:3000003:r-x                #effective:---
>>     group::---
>>     group:root:---
>>     group:3000000:rwx               #effective:---
>>     group:3000002:rwx               #effective:---
>>     group:3000003:r-x               #effective:---
>>     mask::---
>>     other::---
>>     default:user::rwx
>>     default:user:root:rwx
>>     default:user:3000000:rwx
>>     default:user:3000002:rwx
>>     default:group::---
>>     default:group:root:---
>>     default:group:3000000:rwx
>>     default:group:3000002:rwx
>>     default:mask::rwx
>>     default:other::---
>>
>>     rohan:/home# getfacl .
>>     # file: .
>>     # owner: root
>>     # group: root
>>     user::rwx
>>     user:3000000:rwx                #effective:r-x
>>     user:3000002:rwx                #effective:r-x
>>     user:3000003:rwx                #effective:r-x
>>     group::r-x
>>     mask::r-x
>>     other::r-x
>>     --
>>     To unsubscribe from this list go to the following URL and read the
>>     instructions: https://lists.samba.org/mailman/options/samba
>
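An added example, not code from the thread, that applies the POSIX ACL mask rule to the two getfacl listings quoted above: named users, named groups and the owning group are ANDed with the mask:: entry, while the owner (user::) and other:: entries are not. That rule is why every named entry on /home/redir (mask::---) reads #effective:--- and the ones on /home (mask::r-x) read #effective:r-x; the ACL text below is copied from the post with some entries dropped for brevity.

```python
"""Effective POSIX ACL permissions from `getfacl` output (the mask rule).

mask:: caps named users, named groups and the owning group entry; the
owner (user::) and other:: entries are exempt. getfacl reports the
result of that AND as the `#effective:` comment seen in the listing.
"""

# Access ACLs as posted for /home/redir and /home (subset; default: lines omitted).
REDIR_ACL = """\
user::rwx
user:3000000:rwx                #effective:---
user:3000003:r-x                #effective:---
group::---
group:3000000:rwx               #effective:---
mask::---
other::---
"""
HOME_ACL = """\
user::rwx
user:3000000:rwx                #effective:r-x
group::r-x
mask::r-x
other::r-x
"""

def parse_acl(text):
    """Return [(tag, qualifier, perms)] for the access-ACL lines in text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop #effective comments
        if line and not line.startswith("default:"):
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms))
    return entries

def effective(entries):
    """Map 'tag:qualifier' to the rwx string that actually applies."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    out = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        exempt = tag == "other" or (tag == "user" and qualifier == "")
        out[f"{tag}:{qualifier}"] = perms if exempt else "".join(
            p if p == m and p != "-" else "-" for p, m in zip(perms, mask))
    return out

def reduced_by_mask(text):
    """Entries whose grant is narrowed by the mask: name -> (granted, effective)."""
    entries = parse_acl(text)
    eff = effective(entries)
    return {f"{t}:{q}": (p, eff[f"{t}:{q}"]) for t, q, p in entries
            if t != "mask" and eff[f"{t}:{q}"] != p}
```

Running `reduced_by_mask(REDIR_ACL)` lists every named entry as narrowed to `---`, which is the same thing the `#effective` column in the post is saying.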

