[Samba] File Server member DC ACL permissions

Ricardo Pardim Claus ricardo.claus at yahoo.com.br
Thu Aug 11 18:39:14 UTC 2016 


Dear Rowland, 

This Samba 4 domain was not provisioned from scratch. 
Here in the company we had a DC Windows 2008. The Samba was provided to secondary DC. 
Then, the primary DC remains Windows, but will be removed this weekend. Samba DC will be the primary DC. 
In the file server file krb5.conf, I informed the KDC servers pointing to the Samba DC. 

Follows the smb.conf my DC Samba 4:


# Global parameters 
[global] 
#bind interfaces only = Yes 
interfaces = lo eth0 
netbios name = SRV14 
realm = DOMAIN.LOCAL 
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate 
workgroup = DOMAIN 
server role = active directory domain controller 
comment = 
log file = /var/log/samba/%m.log 
log level = 1 
# 
idmap_ldb:use rfc2307 = yes 

[netlogon] 
path = /usr/local/samba/var/locks/sysvol/lojacorr.local/scripts 
read only = No 

[sysvol] 
path = /usr/local/samba/var/locks/sysvol 
read only = No 




> How have you set the libnss_winbind links ?

I set the links to libnss_winbind this: 
My system is a Centos 7 x86_64:

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so 
# ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so2# ldconfig 

Now I can see the id of the User, with the command:
# wbinfo -i iuser 
iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false

Follow the file server smb.conf:


# Global parameters 
[global] 
netbios name = SRV16 
server string = Samba4 Server 
security = ADS 
encrypt passwords = yes 
realm = lojacorr.local 
workgroup = DOMAIN 
log file = /var/log/samba/%m.log 
log level = 1 
# 
winbind enum users = yes 
winbind enum groups = yes 
winbind use default domain = Yes 
winbind nss info = RFC2307 
#idmap_ldb: Use 
vfs objects = acl_xattr 
map acl inherit = Yes 
store dos attributes = Yes 
# Idmap config for domain DOMAIN 
idmap config DOMAIN: backend = ad 
idmap config DOMAIN: schema_mode = RFC2307 
idmap config DOMAIN: range = 10000-99999 
guest account = guest 

[data] 
comment = Folder data 
path = /mnt/dados 
read only = No 
browseable = yes 
inherit acls = Yes 
inherit permissions = Yes
guest account = guest 
guest ok=yes 
  


Follow the file server nsswitch.conf:


passwd:     files winbind 
shadow:     files 
group:      files winbind 

hosts:      files dns 
bootparams: nisplus [NOTFOUND=return] files 
ethers:     files 
netmasks:   files 
networks:   files 
protocols:  files 
rpc:        files 
services:   files 
netgroup:   files 
publickey:  nisplus 
automount:  files 
aliases:    files nisplus 




I configured this permission for SeDiskOperatorPrivilege: 
# net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'domain\administrator'

When I try to set the permissions via shell, I get the same error:

# setfacl -R -m g:"Domain Admins":rwx /mnt/dados 

setfacl: /mnt/dados: Malformed access ACL `user::rwx,group::r-x,mask::rwx,other::r-x,group:4294967295:rwx': Missing or wrong entry at entry 5 


The disc I am sharing was formatted with XFS file system.
Still denied access when trying to set permissions on the shared folder.

More information about the samba mailing list