[Samba] SOLVED: Re: Samba 3 to 4 AD migration - extensive permissions problems

Sun Feb 9 20:22:32 MST 2014

Yes, it turned out to be a few stupid mistakes:

each share needed "read only = no" (that was obvious!)
The Unix attributes for Domain Users needs to match the users gid
Using the correct flag to setfacl (--set-file)

All good now. Thanks, Samba team! This is an incredible upgrade.

Jason

On 2/8/2014 11:05 PM, Chan Min Wai wrote:
>         On Sun, Feb 9, 2014 at 7:55 AM, Jason Ostermann
>         <oddball at oddworld.org <mailto:oddball at oddworld.org>
>         <mailto:oddball at oddworld.org <mailto:oddball at oddworld.org>>> wrote:
>
>              Finally biting the bullet and upgrading home machines to
>         Windows 7 but
>              experiencing many problems.
>              Server is a Debian Lenny, old Samba 3.2.5, new Samba 4.1.4
>         built from
>              source. My setup has been doing roaming profiles for XP
>         since 2003 or so
>              with almost no changes. I want to keep roaming profiles
>         going plus
>              do some
>              folder redirection (Desktop (my wife doesn't believe in
>         file shares for
>              pictures) and AppData (I find new ways to hate iTunes every
>         day)
>              particularly). Took a while to find that my passdb was still
>              smbpasswd and
>              the passdb had the default system accounts. Got the
>         smbpasswd converted
>              over, user accounts in place, and the new Win7 machine was
>         able to
>              join the
>              domain.
>              I was able to set the *share* permissions per the "Setting
>         up a home
>              share"
>              without issue. However, attempting to set any permissions
>         to the
>              files or
>              directories fails with "Access denied". I have tried all
>         manner of unix
>              modes on the files/directories to no avail. I made a new
>         directory for
>              redirected folders and that one can be used properly. So I
>         tried to copy
>              the acls (getfacl /home/redir | setfact --set=- /home) but that
>              fails with
>              setfacl: Option -s: Invalid argument near character 1.
>              The permissions problems exist across all my file shares. I
>         did grant
>              SeDiskOperatorPrivilege to domain\Administrators, then also
>              domain\Administrator and domain\root just in case. Both
>              Administrator and
>              root are in the Domain Admins group. I can access the
>         policy and users
>              nicely through the RSAT mmc plugins.
>
>              Is there a baseline permission/acl/mode/attr that I need to
>         lay down
>              across
>              the entire filesystem? I've worked on this for a couple of
>         days, so I've
>              tried every stupid idea I could think up. Nothing particularly
>              useful has
>              come up in my searches.
>
>              Thanks!
>