[Samba] Wheezy member Server - Unable to edit permissions of share without usermapping - shall I add to Wiki?

[Rowland Penny]

On 26/02/15 19:17, Shane Robinson wrote:
> Hello List!
>
> I have a Samba AD domain with two virtualized DC's running 4.1.15 and
> 4.1.17. I have had two member file servers with odd permissions problems
> that I've now given up on, and decided to start fresh.
>
> I have created a File server (FS3) with Debian wheezy, built samba 4.1.17
> from source, with configure options of :
> --with-ads --with-shared-modules=idmap_ad

FYI, 4.1.17 is now in debian backports

>
> ... and placed the attached smb.conf into /usr/local/samba/etc/ . I
> successfully joined it to the domain, and set up the shared directories as
> defined in the aforementioned smb.conf.
>
> I followed the AD Member Server setup wiki page, and getent passwd
> "INTERNAL\<domain user>" works, as does getent group and wbinfo. The
> SeDiskOperatorPrivilege was granted to the administrator without issue.
>
> The file system is ext4, mounted with user_xattr,acl,barrier=1.

You do not need to do all of this, user_xattr & acl are the defaults for 
ext4

> I have tried
> to follow the wiki to the letter, with one exception, linking
> libnss_winbind.so to /usr/lib/x86_64-linux-gnu in addition to /lib64.
>
> As the domain administrator, from a Win7 member, I was able to give Domain
> Admins full control in the "Share Permissions" tab (from Computer
> Management).
>
> Upon trying to give Domain Admins full control to the share, I get an Access
> Denied error (as in the screenshot attached).
>
> The log.smbd (level 8) of that interaction is also attached.
>
> The "Setup and Configure file shares with Windows ACLs" wiki page has a
> troubleshooting section which mentions trying:
>
> setfacl -R -m default:group:domain\ admins:rwx /srv/sites
>
> ... so I did. The result of getfacl is now:
>
> shane at FS3:/usr/local/samba$ sudo getfacl /srv/sites
> getfacl: Removing leading '/' from absolute path names
> # file: srv/sites
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
> default:user::rwx
> default:group::r-x
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::r-x
>
> ... but the access denied error persists.
>
> As a list subscriber for a few years, I recalled Louis van Belle publishing
> a samba4 wheezy member script. Within the smb.conf it defines, I find that
> the username map option.
>
> I added the username map option to the smb.conf of FS3, and created the
> mapping file with:
>
> !root = "INTERNAL\Administrator" "INTERNAL\administrator"
>
> Upon trying this, I have success. (yay!)
>
>
>
> SO: The script is now relegated to an "old_set_of_scripts" repository, so
> I'm not sure if this is still the Right Thing to do.
>
> Are there ramifications to this mapping that need to be considered?
>
> Is this a debian-specific issue, like the libnss_winbind.so linking?

No, it is not debian-specific, but because this is Unix, there is more 
than one way of doing this, you could give Administrators an ID number 
that is not '0' and then change ownership of the directory to 
'Administrator'

Rowland

>
> Are there any reasons that I should NOT add these steps to the wiki (I have
> a logon already, and I'm just itching to use it)?
>
>
> Thank you in advance for any and all help you are able to provide!
>
> Shane Robinson
> Chief Administrative Officer
> SimpeQ Care Inc.
> t. 604.988.3103 ext. 104
> c. 604.506.3311
> f. 604.988.3105
> Please consider the environment before printing this email.
>
>
>