[Samba] Cannot add ACL through windows client
Zoddo
zoddo.ino at gmail.com
Mon Oct 20 15:19:24 MDT 2014
Yes, it's this !
2014-10-20 23:17 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 20/10/14 22:11, Zoddo wrote:
>
>> Yes, the users is UNIX accounts "imported" in samba via /smbpasswd/.
>>
>> Windows machines are in the same workgroup.
>>
>> 2014-10-20 22:56 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>>:
>>
>>
>> On 20/10/14 21:43, Zoddo wrote:
>>
>> Samba has been installed via Debian repositories (apt-get).
>>
>> Here is my /smb.conf/ :
>>
>>
>> #
>> # Sample configuration file for the Samba suite for Debian
>> GNU/Linux.
>> #
>> #
>> # This is the main Samba configuration file. You should
>> read the
>> # smb.conf(5) manual page in order to understand the
>> options listed
>> # here. Samba has a huge number of configurable options
>> most of which
>> # are not shown in this example
>> #
>> # Some options that are often worth tuning have been
>> included as
>> # commented-out examples in this file.
>> # - When such options are commented with ";", the
>> proposed setting
>> # differs from the default Samba behaviour
>> # - When commented with "#", the proposed setting is the
>> default
>> # behaviour of Samba but the option is considered important
>> # enough to be mentioned here
>> #
>> # NOTE: Whenever you modify this file you should run the
>> command
>> # "testparm" to check that you have not made any basic
>> syntactic
>> # errors.
>> # A well-established practice is to name the original file
>> # "smb.conf.master" and create the "real" config file with
>> # testparm -s smb.conf.master >smb.conf
>> # This minimizes the size of the really used smb.conf file
>> # which, according to the Samba Team, impacts performance
>> # However, use this with caution if your smb.conf file
>> contains nested
>> # "include" statements. See Debian bug #483187 for a case
>> # where using a master file is not a good idea.
>> #
>> #======================= Global Settings
>> =======================
>> [global]
>> username map = /etc/samba/samba_usermapping
>> ## Browsing/Identification ###
>> # Change this to the workgroup/NT-domain name your Samba
>> server
>> will part of
>> workgroup = WORKGROUP
>> # server string is the equivalent of the NT Description field
>> server string = %h server
>> # Windows Internet Name Serving Support Section:
>> # WINS Support - Tells the NMBD component of Samba to
>> enable its
>> WINS Server
>> # wins support = no
>> # WINS Server - Tells the NMBD components of Samba to be a
>> WINS Client
>> # Note: Samba can be either a WINS Server, or a WINS
>> Client, but
>> NOT both
>> ; wins server = w.x.y.z
>> # This will prevent nmbd to search for NetBIOS names
>> through DNS.
>> dns proxy = no
>> # What naming service and in what order should we use to
>> resolve
>> host names
>> # to IP addresses
>> ; name resolve order = lmhosts host wins bcast
>> #### Networking ####
>> # The specific set of interfaces / networks to bind to
>> # This can be either the interface name or an IP
>> address/netmask;
>> # interface names are normally preferred
>> ; interfaces = 127.0.0.0/8 <http://127.0.0.0/8>
>> <http://127.0.0.0/8> eth0
>>
>> # Only bind to the named interfaces and/or networks; you
>> must use the
>> # 'interfaces' option above to use this.
>> # It is recommended that you enable this feature if your Samba
>> machine is
>> # not protected by a firewall or is a firewall itself.
>> However, this
>> # option cannot handle dynamic or non-broadcast interfaces
>> correctly.
>> ; bind interfaces only = yes
>>
>>
>> #### Debugging/Accounting ####
>> # This tells Samba to use a separate log file for each machine
>> # that connects
>> log file = /var/log/samba/log.%m
>> # Cap the size of the individual log files (in KiB).
>> max log size = 1000
>> # If you want Samba to only log through syslog then set
>> the following
>> # parameter to 'yes'.
>> # syslog only = no
>> # We want Samba to log a minimum amount of information to
>> syslog.
>> Everything
>> # should go to /var/log/samba/log.{smbd,nmbd} instead. If
>> you want
>> to log
>> # through syslog you should set the following parameter to
>> something higher.
>> syslog = 0
>> # Do something sensible when Samba crashes: mail the admin
>> a backtrace
>> panic action = /usr/share/samba/panic-action %d
>>
>> ####### Authentication #######
>> # "security = user" is always a good idea. This will require a
>> Unix account
>> # in this server for every user accessing the server. See
>> #
>> /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
>> # in the samba-doc package for details.
>> # security = user
>> # You may wish to use password encryption. See the section on
>> # 'encrypt passwords' in the smb.conf(5) manpage before
>> enabling.
>> encrypt passwords = true
>> # If you are using encrypted passwords, Samba will need to
>> know what
>> # password database type you are using.
>> passdb backend = tdbsam
>> obey pam restrictions = yes
>> # This boolean parameter controls whether Samba attempts
>> to sync
>> the Unix
>> # password with the SMB password when the encrypted SMB
>> password
>> in the
>> # passdb is changed.
>> unix password sync = yes
>> # For Unix password sync to work on a Debian GNU/Linux
>> system, the
>> following
>> # parameters must be set (thanks to Ian Kahan
>> <<kahan at informatik.tu-muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>
>> <mailto:kahan at informatik.tu-muenchen.de
>>
>> <mailto:kahan at informatik.tu-muenchen.de>>> for
>>
>> # sending the correct chat script for the passwd program
>> in Debian
>> Sarge).
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n
>> *password\supdated\ssuccessfully* .
>> # This boolean controls whether PAM will be used for
>> password changes
>> # when requested by an SMB client instead of the program
>> listed in
>> # 'passwd program'. The default is 'no'.
>> pam password change = yes
>> # This option controls how unsuccessful authentication
>> attempts
>> are mapped
>> # to anonymous connections
>> map to guest = bad user
>> ########## Domains ###########
>> # Is this machine able to authenticate users. Both PDC and BDC
>> # must have this setting enabled. If you are the BDC you must
>> # change the 'domain master' setting to no
>> #
>> ; domain logons = yes
>> #
>> # The following setting only takes effect if 'domain
>> logons' is set
>> # It specifies the location of the user's profile directory
>> # from the client point of view)
>> # The following required a [profiles] share to be setup on the
>> # samba server (see below)
>> ; logon path = \\%N\profiles\%U
>> # Another common choice is storing the profile in the
>> user's home
>> directory
>> # (this is Samba's default)
>> # logon path = \\%N\%U\profile
>> # The following setting only takes effect if 'domain
>> logons' is set
>> # It specifies the location of a user's home directory
>> (from the
>> client
>> # point of view)
>> ; logon drive = H:
>> # logon home = \\%N\%U
>> # The following setting only takes effect if 'domain
>> logons' is set
>> # It specifies the script to run during logon. The script
>> must be
>> stored
>> # in the [netlogon] share
>> # NOTE: Must be store in 'DOS' file format convention
>> ; logon script = logon.cmd
>> # This allows Unix users to be created on the domain
>> controller
>> via the SAMR
>> # RPC pipe. The example command creates a user account with a
>> disabled Unix
>> # password; please adapt to your needs
>> ; add user script = /usr/sbin/adduser --quiet
>> --disabled-password
>> --gecos "" %u
>> # This allows machine accounts to be created on the domain
>> controller via the
>> # SAMR RPC pipe.
>> # The following assumes a "machines" group exists on the
>> system
>> ; add machine script = /usr/sbin/useradd -g machines -c "%u
>> machine account" -d /var/lib/samba -s /bin/false %u
>> # This allows Unix groups to be created on the domain
>> controller
>> via the SAMR
>> # RPC pipe.
>> ; add group script = /usr/sbin/addgroup --force-badname %g
>> ########## Printing ##########
>> # If you want to automatically load your printer list rather
>> # than setting them up individually then you'll need this
>> # load printers = yes
>> # lpr(ng) printing. You may wish to override the location
>> of the
>> # printcap file
>> ; printing = bsd
>> ; printcap name = /etc/printcap
>> # CUPS printing. See also the cupsaddsmb(8) manpage in the
>> # cupsys-client package.
>> ; printing = cups
>> ; printcap name = cups
>> ############ Misc ############
>> # Using the following line enables you to customise your
>> configuration
>> # on a per machine basis. The %m gets replaced with the
>> netbios name
>> # of the machine that is connecting
>> ; include = /home/samba/etc/smb.conf.%m
>> # Most people will find that this option gives better
>> performance.
>> # See smb.conf(5) and
>> /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
>> # for details
>> # You may want to add the following on a Linux system:
>> # SO_RCVBUF=8192 SO_SNDBUF=8192
>> # socket options = TCP_NODELAY
>> # The following parameter is useful only if you have the
>> linpopup
>> package
>> # installed. The samba maintainer and the linpopup
>> maintainer are
>> # working to ease installation and configuration of
>> linpopup and
>> samba.
>> ; message command = /bin/sh -c '/usr/bin/linpopup "%f"
>> "%m" %s;
>> rm %s' &
>> # Domain Master specifies Samba to be the Domain Master
>> Browser.
>> If this
>> # machine will be configured as a BDC (a secondary logon
>> server), you
>> # must set this to 'no'; otherwise, the default behavior is
>> recommended.
>> # domain master = auto
>> # Some defaults for winbind (make sure you're not using
>> the ranges
>> # for something else.)
>> ; idmap uid = 10000-20000
>> ; idmap gid = 10000-20000
>> ; template shell = /bin/bash
>> # The following was the default behaviour in sarge,
>> # but samba upstream reverted the default because it might
>> induce
>> # performance issues in large organizations.
>> # See Debian bug #368251 for some of the consequences of *not*
>> # having this setting and smb.conf(5) for details.
>> ; winbind enum groups = yes
>> ; winbind enum users = yes
>> # Setup usershare options to enable non-root users to
>> share folders
>> # with the net usershare command.
>> # Maximum number of usershare. 0 (default) means that
>> usershare is
>> disabled.
>> ; usershare max shares = 100
>> # Allow users who've been granted usershare privileges to
>> create
>> # public shares, not just authenticated ones
>> usershare allow guests = yes
>> #======================= Share Definitions
>> =======================
>> [homes]
>> comment = Home Directories
>> browseable = no
>> # By default, the home directories are exported read-only.
>> Change the
>> # next parameter to 'no' if you want to be able to write
>> to them.
>> read only = yes
>> # File creation mask is set to 0700 for security reasons.
>> If you
>> want to
>> # create files with group=rw permissions, set next
>> parameter to 0775.
>> create mask = 0700
>> # Directory creation mask is set to 0700 for security
>> reasons. If
>> you want to
>> # create dirs. with group=rw permissions, set next
>> parameter to 0775.
>> directory mask = 0700
>> # By default, \\server\username shares can be connected to
>> by anyone
>> # with access to the samba server.
>> # The following parameter makes sure that only "username"
>> can connect
>> # to \\server\username
>> # This might need tweaking when using external
>> authentication schemes
>> valid users = %S
>> # Un-comment the following and create the netlogon
>> directory for
>> Domain Logons
>> # (you need to configure Samba to act as a domain
>> controller too.)
>> ;[netlogon]
>> ; comment = Network Logon Service
>> ; path = /home/samba/netlogon
>> ; guest ok = yes
>> ; read only = yes
>> # Un-comment the following and create the profiles
>> directory to store
>> # users profiles (see the "logon path" option above)
>> # (you need to configure Samba to act as a domain
>> controller too.)
>> # The path below should be writable by all users so that their
>> # profile directory may be created the first time they log on
>> ;[profiles]
>> ; comment = Users profiles
>> ; path = /home/samba/profiles
>> ; guest ok = no
>> ; browseable = no
>> ; create mask = 0600
>> ; directory mask = 0700
>> [printers]
>> comment = All Printers
>> browseable = no
>> path = /var/spool/samba
>> printable = yes
>> guest ok = no
>> read only = yes
>> create mask = 0700
>> # Windows clients look for this share name as a source of
>> downloadable
>> # printer drivers
>> [print$]
>> comment = Printer Drivers
>> path = /var/lib/samba/printers
>> browseable = yes
>> read only = yes
>> guest ok = no
>> # Uncomment to allow remote administration of Windows
>> print drivers.
>> # You may need to replace 'lpadmin' with the name of the
>> group your
>> # admin users are members of.
>> # Please note that you also need to set appropriate Unix
>> permissions
>> # to the drivers directory for these users to have write
>> rights in it
>> ; write list = root, @lpadmin
>> # A sample share for sharing your CD-ROM with others.
>> ;[cdrom]
>> ; comment = Samba server's CD-ROM
>> ; read only = yes
>> ; locking = no
>> ; path = /cdrom
>> ; guest ok = yes
>> # The next two parameters show how to auto-mount a CD-ROM
>> when the
>> #cdrom share is accesed. For this to work /etc/fstab must
>> contain
>> #an entry like this:
>> #
>> # /dev/scd0 /cdrom iso9660 defaults,noauto,ro,user
>> 0 0
>> #
>> # The CD-ROM gets unmounted automatically after the
>> connection to the
>> #
>> # If you don't want to use auto-mounting/unmounting make
>> sure the CD
>> #is mounted on /cdrom
>> #
>> ; preexec = /bin/mount /cdrom
>> ; postexec = /bin/umount /cdrom
>>
>> [data]
>> writeable = yes
>> path = /data
>>
>>
>>
>> 2014-10-20 22:26 GMT+02:00 Rowland Penny
>> <rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>>>:
>>
>> On 20/10/14 21:19, Zoddo wrote:
>>
>> It doesn't work (NT_STATUS_ACCESS_DENIED).
>>
>> What's the administrator's password ? It's the root's
>> password
>> ? When I
>> installed samba, it hasn't ask me for an
>> administrative password.
>>
>> 2014-10-20 8:50 GMT+02:00 L.P.H. van Belle
>> <belle at bazuin.nl <mailto:belle at bazuin.nl>
>> <mailto:belle at bazuin.nl <mailto:belle at bazuin.nl>>>:
>>
>> Is this is on a member server try :
>>
>> net rpc rights grant 'TEST_IMGDSK\test'
>> SeDiskOperatorPrivilege
>> -Uadministrator -S SERVERNAME
>> or
>> net rpc rights grant 'TEST_IMGDSK\test'
>> SeDiskOperatorPrivilege
>> -UDOMAIN\administrator -S SERVERNAME
>>
>> ( as i dont thinks this is a DC above should work. )
>> and last option is add
>> the to smb.conf
>> username map = /etc/samba/samba_usermapping
>> and add : !root = DOMAIN\Administrator
>> DOMAIN\administrator
>> in it.
>>
>>
>> Louis
>>
>>
>> -----Oorspronkelijk bericht-----
>> Van: mmuehlfeld at samba.org
>> <mailto:mmuehlfeld at samba.org> <mailto:mmuehlfeld at samba.org
>>
>> <mailto:mmuehlfeld at samba.org>>
>> [mailto:samba-bounces at lists.samba.org
>> <mailto:samba-bounces at lists.samba.org>
>>
>> <mailto:samba-bounces at lists.samba.org
>> <mailto:samba-bounces at lists.samba.org>>] Namens Marc
>> Muehlfeld
>> Verzonden: zondag 19 oktober 2014 11:28
>> Aan: Zoddo
>> CC: samba
>> Onderwerp: Re: [Samba] Cannot add ACL through
>> windows
>> client
>>
>> Am 19.10.2014 um 01:07 schrieb Zoddo:
>>
>> I've a problem : I'm unable to add the
>>
>> *SeDiskOperatorPrivilege* to my user
>>
>> *test*.
>>
>> root at test-imgdsk:~# net rpc rights grant
>> 'TEST_IMGDSK\test'
>>
>> SeDiskOperatorPrivilege -Uadministrator
>> Enter administrator's password:
>> Failed to grant privileges for
>> TEST_IMGDSK\test
>>
>> (NT_STATUS_ACCESS_DENIED)
>>
>>
>> OK. We're comming closer - slowly.
>>
>>
>> But if you don't give us more information
>> about your
>> environment
>> everything else is just guessing.
>> - Samba version
>> - smb.conf
>> - Permissions about the account (is Administrator
>> mapped to root, etc.)
>> - Type of Server (DC, PDC, Member, Standalone,
>> etc.)
>>
>>
>> Regards,
>> Marc
>>
>> --
>> To unsubscribe from this list go to the
>> following URL
>> and read the
>> instructions:
>> https://lists.samba.org/mailman/options/samba
>>
>>
>> --
>> To unsubscribe from this list go to the following
>> URL and
>> read the
>> instructions:
>> https://lists.samba.org/mailman/options/samba
>>
>> I don't think this has been asked yet, but how did you install
>> samba and what is in smb.conf.
>>
>> Rowland
>>
>>
>> -- To unsubscribe from this list go to the following
>> URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>> No, this is your smb.conf:
>>
>> [global]
>> username map = /etc/samba/samba_usermapping
>> workgroup = WORKGROUP
>> server string = %h server
>> dns proxy = no
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> syslog = 0
>> panic action = /usr/share/samba/panic-action %d
>> encrypt passwords = true
>> passdb backend = tdbsam
>> obey pam restrictions = yes
>> unix password sync = yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>> pam password change = yes
>> map to guest = bad user
>> usershare allow guests = yes
>>
>> [homes]
>> comment = Home Directories
>> browseable = no
>> read only = yes
>> create mask = 0700
>> directory mask = 0700
>> valid users = %S
>>
>> [printers]
>> comment = All Printers
>> browseable = no
>> path = /var/spool/samba
>> printable = yes
>> guest ok = no
>> read only = yes
>> create mask = 0700
>>
>> [print$]
>> comment = Printer Drivers
>> path = /var/lib/samba/printers
>> browseable = yes
>> read only = yes
>> guest ok = no
>>
>> [data]
>> writeable = yes
>> path = /data
>>
>> From it, I can tell that you are running a workgroup, so are
>> windows users created on the linux machine and in the samba
>> database ??
>> Are the windows machines in the same workgroup ??
>>
>>
>> Rowland
>>
>> -- To unsubscribe from this list go to the following URL and read
>> the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>> So <username> on the windows machine is unix <username> on the linux
> machine with samba <username> in tdbsam, all of them having the same
> password ?
>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list