[Samba] Cannot add ACL through windows client

Zoddo zoddo.ino at gmail.com
Mon Oct 20 15:19:24 MDT 2014


Yes, it's this !

2014-10-20 23:17 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:

> On 20/10/14 22:11, Zoddo wrote:
>
>> Yes, the users is UNIX accounts "imported" in samba via /smbpasswd/.
>>
>> Windows machines are in the same workgroup.
>>
>> 2014-10-20 22:56 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>>:
>>
>>
>>     On 20/10/14 21:43, Zoddo wrote:
>>
>>         Samba has been installed via Debian repositories (apt-get).
>>
>>         Here is my /smb.conf/ :
>>
>>
>>             #
>>             # Sample configuration file for the Samba suite for Debian
>>         GNU/Linux.
>>             #
>>             #
>>             # This is the main Samba configuration file. You should
>>         read the
>>             # smb.conf(5) manual page in order to understand the
>>         options listed
>>             # here. Samba has a huge number of configurable options
>>         most of which
>>             # are not shown in this example
>>             #
>>             # Some options that are often worth tuning have been
>>         included as
>>             # commented-out examples in this file.
>>             #  - When such options are commented with ";", the
>>         proposed setting
>>             #    differs from the default Samba behaviour
>>             #  - When commented with "#", the proposed setting is the
>>         default
>>             #    behaviour of Samba but the option is considered important
>>             #    enough to be mentioned here
>>             #
>>             # NOTE: Whenever you modify this file you should run the
>>         command
>>             # "testparm" to check that you have not made any basic
>>         syntactic
>>             # errors.
>>             # A well-established practice is to name the original file
>>             # "smb.conf.master" and create the "real" config file with
>>             # testparm -s smb.conf.master >smb.conf
>>             # This minimizes the size of the really used smb.conf file
>>             # which, according to the Samba Team, impacts performance
>>             # However, use this with caution if your smb.conf file
>>         contains nested
>>             # "include" statements. See Debian bug #483187 for a case
>>             # where using a master file is not a good idea.
>>             #
>>             #======================= Global Settings
>>         =======================
>>             [global]
>>             username map = /etc/samba/samba_usermapping
>>             ## Browsing/Identification ###
>>             # Change this to the workgroup/NT-domain name your Samba
>>         server
>>             will part of
>>                workgroup = WORKGROUP
>>             # server string is the equivalent of the NT Description field
>>                server string = %h server
>>             # Windows Internet Name Serving Support Section:
>>             # WINS Support - Tells the NMBD component of Samba to
>>         enable its
>>             WINS Server
>>             #   wins support = no
>>             # WINS Server - Tells the NMBD components of Samba to be a
>>         WINS Client
>>             # Note: Samba can be either a WINS Server, or a WINS
>>         Client, but
>>             NOT both
>>             ;   wins server = w.x.y.z
>>             # This will prevent nmbd to search for NetBIOS names
>>         through DNS.
>>                dns proxy = no
>>             # What naming service and in what order should we use to
>>         resolve
>>             host names
>>             # to IP addresses
>>             ;   name resolve order = lmhosts host wins bcast
>>             #### Networking ####
>>             # The specific set of interfaces / networks to bind to
>>             # This can be either the interface name or an IP
>>         address/netmask;
>>             # interface names are normally preferred
>>             ;   interfaces = 127.0.0.0/8 <http://127.0.0.0/8>
>>         <http://127.0.0.0/8> eth0
>>
>>             # Only bind to the named interfaces and/or networks; you
>>         must use the
>>             # 'interfaces' option above to use this.
>>             # It is recommended that you enable this feature if your Samba
>>             machine is
>>             # not protected by a firewall or is a firewall itself.
>>  However, this
>>             # option cannot handle dynamic or non-broadcast interfaces
>>         correctly.
>>             ;   bind interfaces only = yes
>>
>>
>>             #### Debugging/Accounting ####
>>             # This tells Samba to use a separate log file for each machine
>>             # that connects
>>                log file = /var/log/samba/log.%m
>>             # Cap the size of the individual log files (in KiB).
>>                max log size = 1000
>>             # If you want Samba to only log through syslog then set
>>         the following
>>             # parameter to 'yes'.
>>             #   syslog only = no
>>             # We want Samba to log a minimum amount of information to
>>         syslog.
>>             Everything
>>             # should go to /var/log/samba/log.{smbd,nmbd} instead. If
>>         you want
>>             to log
>>             # through syslog you should set the following parameter to
>>             something higher.
>>                syslog = 0
>>             # Do something sensible when Samba crashes: mail the admin
>>         a backtrace
>>                panic action = /usr/share/samba/panic-action %d
>>
>>             ####### Authentication #######
>>             # "security = user" is always a good idea. This will require a
>>             Unix account
>>             # in this server for every user accessing the server. See
>>             #
>>         /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
>>             # in the samba-doc package for details.
>>             #   security = user
>>             # You may wish to use password encryption.  See the section on
>>             # 'encrypt passwords' in the smb.conf(5) manpage before
>>         enabling.
>>                encrypt passwords = true
>>             # If you are using encrypted passwords, Samba will need to
>>         know what
>>             # password database type you are using.
>>                passdb backend = tdbsam
>>                obey pam restrictions = yes
>>             # This boolean parameter controls whether Samba attempts
>>         to sync
>>             the Unix
>>             # password with the SMB password when the encrypted SMB
>>         password
>>             in the
>>             # passdb is changed.
>>                unix password sync = yes
>>             # For Unix password sync to work on a Debian GNU/Linux
>>         system, the
>>             following
>>             # parameters must be set (thanks to Ian Kahan
>>             <<kahan at informatik.tu-muenchen.de
>>         <mailto:kahan at informatik.tu-muenchen.de>
>>             <mailto:kahan at informatik.tu-muenchen.de
>>
>>         <mailto:kahan at informatik.tu-muenchen.de>>> for
>>
>>             # sending the correct chat script for the passwd program
>>         in Debian
>>             Sarge).
>>                passwd program = /usr/bin/passwd %u
>>                passwd chat = *Enter\snew\s*\spassword:* %n\n
>>             *Retype\snew\s*\spassword:* %n\n
>>         *password\supdated\ssuccessfully* .
>>             # This boolean controls whether PAM will be used for
>>         password changes
>>             # when requested by an SMB client instead of the program
>>         listed in
>>             # 'passwd program'. The default is 'no'.
>>                pam password change = yes
>>             # This option controls how unsuccessful authentication
>>         attempts
>>             are mapped
>>             # to anonymous connections
>>                map to guest = bad user
>>             ########## Domains ###########
>>             # Is this machine able to authenticate users. Both PDC and BDC
>>             # must have this setting enabled. If you are the BDC you must
>>             # change the 'domain master' setting to no
>>             #
>>             ;   domain logons = yes
>>             #
>>             # The following setting only takes effect if 'domain
>>         logons' is set
>>             # It specifies the location of the user's profile directory
>>             # from the client point of view)
>>             # The following required a [profiles] share to be setup on the
>>             # samba server (see below)
>>             ;   logon path = \\%N\profiles\%U
>>             # Another common choice is storing the profile in the
>>         user's home
>>             directory
>>             # (this is Samba's default)
>>             #   logon path = \\%N\%U\profile
>>             # The following setting only takes effect if 'domain
>>         logons' is set
>>             # It specifies the location of a user's home directory
>>         (from the
>>             client
>>             # point of view)
>>             ;   logon drive = H:
>>             #   logon home = \\%N\%U
>>             # The following setting only takes effect if 'domain
>>         logons' is set
>>             # It specifies the script to run during logon. The script
>>         must be
>>             stored
>>             # in the [netlogon] share
>>             # NOTE: Must be store in 'DOS' file format convention
>>             ;   logon script = logon.cmd
>>             # This allows Unix users to be created on the domain
>>         controller
>>             via the SAMR
>>             # RPC pipe.  The example command creates a user account with a
>>             disabled Unix
>>             # password; please adapt to your needs
>>             ; add user script = /usr/sbin/adduser --quiet
>>         --disabled-password
>>             --gecos "" %u
>>             # This allows machine accounts to be created on the domain
>>             controller via the
>>             # SAMR RPC pipe.
>>             # The following assumes a "machines" group exists on the
>>         system
>>             ; add machine script  = /usr/sbin/useradd -g machines -c "%u
>>             machine account" -d /var/lib/samba -s /bin/false %u
>>             # This allows Unix groups to be created on the domain
>>         controller
>>             via the SAMR
>>             # RPC pipe.
>>             ; add group script = /usr/sbin/addgroup --force-badname %g
>>             ########## Printing ##########
>>             # If you want to automatically load your printer list rather
>>             # than setting them up individually then you'll need this
>>             #   load printers = yes
>>             # lpr(ng) printing. You may wish to override the location
>>         of the
>>             # printcap file
>>             ;   printing = bsd
>>             ;   printcap name = /etc/printcap
>>             # CUPS printing.  See also the cupsaddsmb(8) manpage in the
>>             # cupsys-client package.
>>             ;   printing = cups
>>             ;   printcap name = cups
>>             ############ Misc ############
>>             # Using the following line enables you to customise your
>>         configuration
>>             # on a per machine basis. The %m gets replaced with the
>>         netbios name
>>             # of the machine that is connecting
>>             ;   include = /home/samba/etc/smb.conf.%m
>>             # Most people will find that this option gives better
>>         performance.
>>             # See smb.conf(5) and
>>             /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
>>             # for details
>>             # You may want to add the following on a Linux system:
>>             # SO_RCVBUF=8192 SO_SNDBUF=8192
>>             #   socket options = TCP_NODELAY
>>             # The following parameter is useful only if you have the
>>         linpopup
>>             package
>>             # installed. The samba maintainer and the linpopup
>>         maintainer are
>>             # working to ease installation and configuration of
>>         linpopup and
>>             samba.
>>             ;   message command = /bin/sh -c '/usr/bin/linpopup "%f"
>>         "%m" %s;
>>             rm %s' &
>>             # Domain Master specifies Samba to be the Domain Master
>>         Browser.
>>             If this
>>             # machine will be configured as a BDC (a secondary logon
>>         server), you
>>             # must set this to 'no'; otherwise, the default behavior is
>>             recommended.
>>             #   domain master = auto
>>             # Some defaults for winbind (make sure you're not using
>>         the ranges
>>             # for something else.)
>>             ;   idmap uid = 10000-20000
>>             ;   idmap gid = 10000-20000
>>             ;   template shell = /bin/bash
>>             # The following was the default behaviour in sarge,
>>             # but samba upstream reverted the default because it might
>>         induce
>>             # performance issues in large organizations.
>>             # See Debian bug #368251 for some of the consequences of *not*
>>             # having this setting and smb.conf(5) for details.
>>             ;   winbind enum groups = yes
>>             ;   winbind enum users = yes
>>             # Setup usershare options to enable non-root users to
>>         share folders
>>             # with the net usershare command.
>>             # Maximum number of usershare. 0 (default) means that
>>         usershare is
>>             disabled.
>>             ;   usershare max shares = 100
>>             # Allow users who've been granted usershare privileges to
>>         create
>>             # public shares, not just authenticated ones
>>                usershare allow guests = yes
>>             #======================= Share Definitions
>>         =======================
>>             [homes]
>>                comment = Home Directories
>>                browseable = no
>>             # By default, the home directories are exported read-only.
>>         Change the
>>             # next parameter to 'no' if you want to be able to write
>>         to them.
>>                read only = yes
>>             # File creation mask is set to 0700 for security reasons.
>>         If you
>>             want to
>>             # create files with group=rw permissions, set next
>>         parameter to 0775.
>>                create mask = 0700
>>             # Directory creation mask is set to 0700 for security
>>         reasons. If
>>             you want to
>>             # create dirs. with group=rw permissions, set next
>>         parameter to 0775.
>>                directory mask = 0700
>>             # By default, \\server\username shares can be connected to
>>         by anyone
>>             # with access to the samba server.
>>             # The following parameter makes sure that only "username"
>>         can connect
>>             # to \\server\username
>>             # This might need tweaking when using external
>>         authentication schemes
>>                valid users = %S
>>             # Un-comment the following and create the netlogon
>>         directory for
>>             Domain Logons
>>             # (you need to configure Samba to act as a domain
>>         controller too.)
>>             ;[netlogon]
>>             ;   comment = Network Logon Service
>>             ;   path = /home/samba/netlogon
>>             ;   guest ok = yes
>>             ;   read only = yes
>>             # Un-comment the following and create the profiles
>>         directory to store
>>             # users profiles (see the "logon path" option above)
>>             # (you need to configure Samba to act as a domain
>>         controller too.)
>>             # The path below should be writable by all users so that their
>>             # profile directory may be created the first time they log on
>>             ;[profiles]
>>             ;   comment = Users profiles
>>             ;   path = /home/samba/profiles
>>             ;   guest ok = no
>>             ;   browseable = no
>>             ;   create mask = 0600
>>             ;   directory mask = 0700
>>             [printers]
>>                comment = All Printers
>>                browseable = no
>>                path = /var/spool/samba
>>                printable = yes
>>                guest ok = no
>>                read only = yes
>>                create mask = 0700
>>             # Windows clients look for this share name as a source of
>>         downloadable
>>             # printer drivers
>>             [print$]
>>                comment = Printer Drivers
>>                path = /var/lib/samba/printers
>>                browseable = yes
>>                read only = yes
>>                guest ok = no
>>             # Uncomment to allow remote administration of Windows
>>         print drivers.
>>             # You may need to replace 'lpadmin' with the name of the
>>         group your
>>             # admin users are members of.
>>             # Please note that you also need to set appropriate Unix
>>         permissions
>>             # to the drivers directory for these users to have write
>>         rights in it
>>             ;   write list = root, @lpadmin
>>             # A sample share for sharing your CD-ROM with others.
>>             ;[cdrom]
>>             ;   comment = Samba server's CD-ROM
>>             ;   read only = yes
>>             ;   locking = no
>>             ;   path = /cdrom
>>             ;   guest ok = yes
>>             # The next two parameters show how to auto-mount a CD-ROM
>>         when the
>>             #cdrom share is accesed. For this to work /etc/fstab must
>>         contain
>>             #an entry like this:
>>             #
>>             #       /dev/scd0 /cdrom  iso9660 defaults,noauto,ro,user
>>       0 0
>>             #
>>             # The CD-ROM gets unmounted automatically after the
>>         connection to the
>>             #
>>             # If you don't want to use auto-mounting/unmounting make
>>         sure the CD
>>             #is mounted on /cdrom
>>             #
>>             ;   preexec = /bin/mount /cdrom
>>             ;   postexec = /bin/umount /cdrom
>>
>>             [data]
>>             writeable = yes
>>             path = /data
>>
>>
>>
>>         2014-10-20 22:26 GMT+02:00 Rowland Penny
>>         <rowlandpenny at googlemail.com
>>         <mailto:rowlandpenny at googlemail.com>
>>         <mailto:rowlandpenny at googlemail.com
>>         <mailto:rowlandpenny at googlemail.com>>>:
>>
>>             On 20/10/14 21:19, Zoddo wrote:
>>
>>                 It doesn't work (NT_STATUS_ACCESS_DENIED).
>>
>>                 What's the administrator's password ? It's the root's
>>         password
>>                 ? When I
>>                 installed samba, it hasn't ask me for an
>>         administrative password.
>>
>>                 2014-10-20 8:50 GMT+02:00 L.P.H. van Belle
>>         <belle at bazuin.nl <mailto:belle at bazuin.nl>
>>                 <mailto:belle at bazuin.nl <mailto:belle at bazuin.nl>>>:
>>
>>                     Is this is on a member server try :
>>
>>                     net rpc rights grant 'TEST_IMGDSK\test'
>>                     SeDiskOperatorPrivilege
>>                     -Uadministrator -S SERVERNAME
>>                     or
>>                     net rpc rights grant 'TEST_IMGDSK\test'
>>                     SeDiskOperatorPrivilege
>>                     -UDOMAIN\administrator -S SERVERNAME
>>
>>                     ( as i dont thinks this is a DC above should work. )
>>                     and last option is add
>>                     the to smb.conf
>>                     username map = /etc/samba/samba_usermapping
>>                     and add : !root = DOMAIN\Administrator
>>         DOMAIN\administrator
>>                     in it.
>>
>>
>>                     Louis
>>
>>
>>                         -----Oorspronkelijk bericht-----
>>                         Van: mmuehlfeld at samba.org
>>         <mailto:mmuehlfeld at samba.org> <mailto:mmuehlfeld at samba.org
>>
>>         <mailto:mmuehlfeld at samba.org>>
>>                         [mailto:samba-bounces at lists.samba.org
>>         <mailto:samba-bounces at lists.samba.org>
>>
>>                         <mailto:samba-bounces at lists.samba.org
>>         <mailto:samba-bounces at lists.samba.org>>] Namens Marc
>>                         Muehlfeld
>>                         Verzonden: zondag 19 oktober 2014 11:28
>>                         Aan: Zoddo
>>                         CC: samba
>>                         Onderwerp: Re: [Samba] Cannot add ACL through
>>         windows
>>                         client
>>
>>                         Am 19.10.2014 um 01:07 schrieb Zoddo:
>>
>>                             I've a problem : I'm unable to add the
>>
>>                         *SeDiskOperatorPrivilege* to my user
>>
>>                             *test*.
>>
>>                             root at test-imgdsk:~# net rpc rights grant
>>                             'TEST_IMGDSK\test'
>>
>>                                 SeDiskOperatorPrivilege -Uadministrator
>>                                 Enter administrator's password:
>>                                 Failed to grant privileges for
>>         TEST_IMGDSK\test
>>
>>                         (NT_STATUS_ACCESS_DENIED)
>>
>>
>>                         OK. We're comming closer - slowly.
>>
>>
>>                         But if you don't give us more information
>>         about your
>>                         environment
>>                         everything else is just guessing.
>>                         - Samba version
>>                         - smb.conf
>>                         - Permissions about the account (is Administrator
>>                         mapped to root, etc.)
>>                         - Type of Server (DC, PDC, Member, Standalone,
>>         etc.)
>>
>>
>>                         Regards,
>>                         Marc
>>
>>                         --
>>                         To unsubscribe from this list go to the
>>         following URL
>>                         and read the
>>                         instructions:
>>         https://lists.samba.org/mailman/options/samba
>>
>>
>>                     --
>>                     To unsubscribe from this list go to the following
>>         URL and
>>                     read the
>>                     instructions:
>>         https://lists.samba.org/mailman/options/samba
>>
>>             I don't think this has been asked yet, but how did you install
>>             samba and what is in smb.conf.
>>
>>             Rowland
>>
>>
>>             --     To unsubscribe from this list go to the following
>>         URL and read the
>>             instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>     No, this is your smb.conf:
>>
>>         [global]
>>         username map = /etc/samba/samba_usermapping
>>            workgroup = WORKGROUP
>>            server string = %h server
>>            dns proxy = no
>>            log file = /var/log/samba/log.%m
>>            max log size = 1000
>>            syslog = 0
>>            panic action = /usr/share/samba/panic-action %d
>>            encrypt passwords = true
>>            passdb backend = tdbsam
>>            obey pam restrictions = yes
>>            unix password sync = yes
>>            passwd program = /usr/bin/passwd %u
>>            passwd chat = *Enter\snew\s*\spassword:* %n\n
>>     *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>            pam password change = yes
>>            map to guest = bad user
>>            usershare allow guests = yes
>>
>>         [homes]
>>            comment = Home Directories
>>            browseable = no
>>            read only = yes
>>            create mask = 0700
>>            directory mask = 0700
>>            valid users = %S
>>
>>         [printers]
>>            comment = All Printers
>>            browseable = no
>>            path = /var/spool/samba
>>            printable = yes
>>            guest ok = no
>>            read only = yes
>>            create mask = 0700
>>
>>         [print$]
>>            comment = Printer Drivers
>>            path = /var/lib/samba/printers
>>            browseable = yes
>>            read only = yes
>>            guest ok = no
>>
>>         [data]
>>         writeable = yes
>>         path = /data
>>
>>     From it, I can tell that you are running a workgroup, so are
>>     windows users created on the linux machine and in the samba
>>     database ??
>>     Are the windows machines in the same workgroup ??
>>
>>
>>     Rowland
>>
>>     --     To unsubscribe from this list go to the following URL and read
>> the
>>     instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>  So <username> on the windows machine is unix <username> on the linux
> machine with samba <username> in tdbsam, all of them having the same
> password ?
>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


More information about the samba mailing list