[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?

Rowland Penny rowlandpenny at googlemail.com
Fri Feb 27 12:50:38 MST 2015


On 27/02/15 19:46, Shane Robinson wrote:
> Hello all,
>
> Sorry about the top-posting.
>
> I have added the bit about the linking (YAY!, I'm helping!).
>
> Now if we can clear up the ACL issue, this will be a great day!
>
> Summary: To edit ACLs from Windows on a Debian member server, we need to
> either
> 1) map the domain admin to root OR
> 2) give explicit permissions to Domain Admins with a chmod 0755 and chgrp
> "MYDOM\Domain Admins"
>
> Which is better and why?
>
> Thanks everyone!
>
> Shane
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Rowland Penny
> Sent: Friday, February 27, 2015 11:25 AM
> To: samba at lists.samba.org
> Subject: *****SPAM***** Re: [Samba] Domain Member Server (wheezy) - Unable
> to edit permissions of share without usermapping - shall I add to Wiki?
>
> On 27/02/15 19:09, Shane Robinson wrote:
>> Hello again List, Marc, and Louis!
>>
>> I'm afraid my message from yesterday may have been TL;DR. The short
>> version is as follows:
>>
>> Following the wikis for AD member server (building from source on
>> Debian
>> Wheezy) and setting up shares with Windows ACLs did not give the
>> expected results.
>>
>> First, I needed to link libnss_winbind.so to /usr/lib/x86_64-linux-gnu
>> for winbind to work. Marc - may I add this to the wiki, or is there a
>> reason not to that I'm unaware of?
> I think this would be a good idea. The problem is the wiki is a bit
> RH-centric, so go ahead and add something about setting the link for Debian,
> but follow the format that is already there. Don't worry if it isn't quite
> right, Marc will change it.
>
>> Second, setting permissions on a share did not work until I mapped the
>> domain administrator to root. This is mentioned in the Troubleshooting
>> member server wiki page, but only in relation to granting the
>> SeDiskOperatorPrivilege, which was not an issue for me.
>>
>> Does this mapping have any ramifications that I (or others) should be
>> aware of?
> No, but I don't think it has to be done this way; I am beginning to think
> there are other ways of doing this.
>
> Rowland
>
>> The other way to allow ACL changes from windows (which I did on my
>> now-defunct member File Servers) was something like this:
>> "sudo chmod 0775 /srv/myshare" and
>> "sudo chgrp 'Domain Admins' /srv/myshare"
>> ... which as a result will give full access to the members of the group
>> "MYDOM\Domain Admins".
>>
>> Is one better than the other?
>>
>> If you'd like any further information, I'd be happy to provide it.
>>
>> Thank you very much for your help!
>>
>> PS - I included Louis in the TO line because of your unanswered email
>> of February 16th ("Samba_Member_Server_Troubleshooting").
>>
>>
>> Shane Robinson
>> Chief Administrative Officer
>> SimpeQ Care Inc.
>> t. 604.988.3103 ext. 104
>> c. 604.506.3311
>> f. 604.988.3105
>> Please consider the environment before printing this email.
>>
>>
>> -----Original Message-----
>> From: Shane Robinson [mailto:srobinson at simpeq.ca]
>> Sent: Thursday, February 26, 2015 11:17 AM
>> To: 'samba at lists.samba.org'
>> Subject: Wheezy member Server - Unable to edit permissions of share
>> without usermapping - shall I add to Wiki?
>>
>> Hello List!
>>
>> I have a Samba AD domain with two virtualized DCs running 4.1.15 and
>> 4.1.17. I have had two member file servers with odd permissions
>> problems that I've now given up on, and decided to start fresh.
>>
>> I have created a File server (FS3) with Debian wheezy, built samba
>> 4.1.17 from source, with configure options of :
>> --with-ads --with-shared-modules=idmap_ad
>>
>> ... and placed the attached smb.conf into /usr/local/samba/etc/ . I
>> successfully joined it to the domain, and set up the shared
>> directories as defined in the aforementioned smb.conf.
>>
>> I followed the AD Member Server setup wiki page, and getent passwd
>> "INTERNAL\<domain user>" works, as does getent group and wbinfo. The
>> SeDiskOperatorPrivilege was granted to the administrator without issue.
>>
>> The file system is ext4, mounted with user_xattr,acl,barrier=1. I have
>> tried to follow the wiki to the letter, with one exception, linking
>> libnss_winbind.so to /usr/lib/x86_64-linux-gnu in addition to /lib64.
>>
>> As the domain administrator, from a Win7 member, I was able to give
>> Domain Admins full control in the "Share Permissions" tab (from
>> Computer Management).
>>
>> Upon trying to give Domain Admins full control to the share, I get an
>> Access Denied error (as in the screenshot attached).
>>
>> The log.smbd (level 8) of that interaction is also attached.
>>
>> The "Setup and Configure file shares with Windows ACLs" wiki page has
>> a troubleshooting section which mentions trying:
>>
>> setfacl -R -m default:group:domain\ admins:rwx /srv/sites
>>
>> ... so I did. The result of getfacl is now:
>>
>> shane at FS3:/usr/local/samba$ sudo getfacl /srv/sites
>> getfacl: Removing leading '/' from absolute path names
>> # file: srv/sites
>> # owner: root
>> # group: root
>> user::rwx
>> group::r-x
>> other::r-x
>> default:user::rwx
>> default:group::r-x
>> default:group:domain\040admins:rwx
>> default:mask::rwx
>> default:other::r-x
>>
>> ... but the access denied error persists.
>>
>> As a list subscriber for a few years, I recalled Louis van Belle
>> publishing a samba4 wheezy member script. Within the smb.conf it
>> defines, I found the username map option.
>>
>> I added the username map option to the smb.conf of FS3, and created
>> the mapping file with:
>>
>> !root = "INTERNAL\Administrator" "INTERNAL\administrator"
>>
>> Upon trying this, I have success. (yay!)
>>
>>
>>
>> SO: The script is now relegated to an "old_set_of_scripts" repository,
>> so I'm not sure if this is still the Right Thing to do.
>>
>> Are there ramifications to this mapping that need to be considered?
>>
>> Is this a debian-specific issue, like the libnss_winbind.so linking?
>>
>> Are there any reasons that I should NOT add these steps to the wiki (I
>> have a logon already, and I'm just itching to use it)?
>>
>>
>> Thank you in advance for any and all help you are able to provide!
>>
>> Shane Robinson
>> Chief Administrative Officer
>> SimpeQ Care Inc.
>> t. 604.988.3103 ext. 104
>> c. 604.506.3311
>> f. 604.988.3105
>> Please consider the environment before printing this email.
>>
>>
>

There is a third way, the one I am coming round to thinking is the best 
way: give Administrator a proper uidNumber and change ownership to 
Administrator, not root.

Rowland
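The getfacl output quoted earlier in the thread is printed with a \040 octal escape for the space in the group name, and it carries a "domain admins" entry only in the default ACL. As an added illustration (not code from the thread or from Samba), the script below parses that output format, decodes the escapes, and reports a named group's effective rights from the access ACL, which governs the existing directory, separately from the default ACL, which only newly created children inherit. The sample input is constructed to mirror the thread's output.

```python
import re

# Constructed sample in the shape getfacl prints; mirrors the thread's output.
SAMPLE_GETFACL = """\
# file: srv/sites
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:domain\\040admins:rwx
default:mask::rwx
default:other::r-x
"""

def unescape(name):
    """Decode getfacl's \\NNN octal escapes (e.g. \\040 is a space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return (header, access_entries, default_entries) from getfacl output."""
    header, access, default = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("getfacl:"):
            continue                       # skip blanks and the path warning
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        entry = {"tag": tag, "qualifier": unescape(qualifier), "perms": perms}
        (default if is_default else access).append(entry)
    return header, access, default

def effective_perms(entries, tag, qualifier=""):
    """Rights an entry actually grants; named users/groups and the owning group are limited by the mask."""
    mask = next((e["perms"] for e in entries if e["tag"] == "mask"), None)
    for e in entries:
        if e["tag"] == tag and e["qualifier"] == qualifier:
            unmasked = tag == "other" or (tag == "user" and qualifier == "")
            if mask is None or unmasked:
                return e["perms"]
            return "".join(p if p == m else "-" for p, m in zip(e["perms"], mask))
    return None                            # no such entry in this ACL
```

Running it on the sample shows the group has rwx in the default ACL but no entry at all in the access ACL of the directory itself.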
