[Samba] File Server member DC ACL permissions

Rowland Penny rpenny at samba.org
Thu Aug 11 18:55:27 UTC 2016


On Thu, 11 Aug 2016 18:39:14 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:

> 
> 
> Dear Rowland,
> 
> This Samba 4 domain was not provisioned from scratch.
> Here in the company we had a Windows 2008 DC. Samba was provided as a
> secondary DC. So the primary DC remains Windows, but it will be
> removed this weekend, and the Samba DC will then be the primary DC. In
> the file server's krb5.conf, I set the KDC servers to point to the
> Samba DC.
> 
> The smb.conf of my Samba 4 DC follows:
> 
> 
> # Global parameters 
> [global] 
> #bind interfaces only = Yes 
> interfaces = lo eth0 
> netbios name = SRV14 
> realm = DOMAIN.LOCAL 
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = DOMAIN
> server role = active directory domain controller 
> comment = 
> log file = /var/log/samba/%m.log 
> log level = 1 
> # 
> idmap_ldb:use rfc2307 = yes 
> 
> [netlogon] 
> path = /usr/local/samba/var/locks/sysvol/lojacorr.local/scripts 
> read only = No 
> 
> [sysvol] 
> path = /usr/local/samba/var/locks/sysvol 
> read only = No 
> 
> 
> 
> 
> > How have you set the libnss_winbind links ?
> 
> I set the links to libnss_winbind like this.
> My system is CentOS 7 x86_64:
> 
> # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
> # ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so2
> # ldconfig
> 
> Now I can see the id of the User, with the command:
> # wbinfo -i iuser 
> iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false

Yes, wbinfo shows the user, but does 'getent passwd iuser' show anything?

> 
> The file server smb.conf follows:
> 
> 
> # Global parameters 
> [global] 
> netbios name = SRV16 
> server string = Samba4 Server 
> security = ADS 
> encrypt passwords = yes 
> realm = lojacorr.local 
> workgroup = DOMAIN 
> log file = /var/log/samba/%m.log 
> log level = 1 
> # 
> winbind enum users = yes 
> winbind enum groups = yes 
> winbind use default domain = Yes 
> winbind nss info = RFC2307 
> #idmap_ldb: Use 
> vfs objects = acl_xattr 
> map acl inherit = Yes 
> store dos attributes = Yes 
> # Idmap config for domain DOMAIN 
> idmap config DOMAIN: backend = ad 
> idmap config DOMAIN: schema_mode = RFC2307 
> idmap config DOMAIN: range = 10000-99999 
> guest account = guest 
>

You need to add:
  idmap config * : backend = tdb
  idmap config * : range = 2000-9999
 
> [data] 
> comment = Folder data 
> path = /mnt/dados 
> read only = No 
> browseable = yes 
> inherit acls = Yes 
> inherit permissions = Yes
> guest account = guest 
> guest ok=yes 
>   
> 
> 
> The file server nsswitch.conf follows:
> 
> 
> passwd:     files winbind 
> shadow:     files 
> group:      files winbind 
> 
> hosts:      files dns 
> bootparams: nisplus [NOTFOUND=return] files 
> ethers:     files 
> netmasks:   files 
> networks:   files 
> protocols:  files 
> rpc:        files 
> services:   files 
> netgroup:   files 
> publickey:  nisplus 
> automount:  files 
> aliases:    files nisplus 
> 
> 
> 
> 
> I configured this permission for SeDiskOperatorPrivilege: 
> # net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'domain\administrator'
> 
> When I try to set the permissions via shell, I get the same error:
> 
> # setfacl -R -m g:"Domain Admins":rwx /mnt/dados 
> 
> setfacl: /mnt/dados: Malformed access ACL `user::rwx,group::r-x,mask::rwx,other::r-x,group:4294967295:rwx': Missing or wrong entry at entry 5
> 
>

It looks like Domain Admins isn't being recognised by the OS. Does Domain
Admins have a gidNumber attribute?

 
Rowland
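As an added example (my own script, not code from the thread or from Samba), a small POSIX sh check that reads the idmap ranges out of an smb.conf and flags the 4294967295 id from the wbinfo output above before anyone runs setfacl. The smb.conf fragment and the second passwd line are constructed; the ranges are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks winbind id mappings against the
# idmap ranges in smb.conf before ACLs are applied. An id of 4294967295 is
# (uint32)-1: winbind found the object but has no uid/gid for it, which with
# 'backend = ad' usually means the uidNumber/gidNumber attribute is missing.
UNMAPPED=4294967295

# Constructed smb.conf fragment using the ranges discussed in the thread.
SMBCONF='[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config DOMAIN: backend = ad
   idmap config DOMAIN: schema_mode = RFC2307
   idmap config DOMAIN: range = 10000-99999'

# idmap_range SMBCONF DOMAIN -> prints "LOW HIGH" for that domain ('*' is the default)
idmap_range() {
    _out=$(printf '%s\n' "$1" | awk -F: -v dom="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '{
        k = tolower($1); sub(/^[[:space:]]+/, "", k)
        if (index(k, "idmap config") != 1) next
        sub(/^idmap config[[:space:]]*/, "", k); sub(/[[:space:]]+$/, "", k)
        if (k != dom) next
        v = $2; sub(/^[[:space:]]*range[[:space:]]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
        if (v ~ /^[0-9]+-[0-9]+$/) { sub(/-/, " ", v); print v; exit }
    }')
    [ -n "$_out" ] && printf '%s\n' "$_out"
}

# check_ids LOW HIGH ID... -> prints ok|unmapped|out-of-range|malformed; exit 0 only for ok
check_ids() {
    _low=$1; _high=$2; shift 2
    for _v in "$@"; do
        case $_v in ''|*[!0-9]*) echo malformed; return 1 ;; esac
        [ "$_v" -ne "$UNMAPPED" ] || { echo unmapped; return 1; }
        if [ "$_v" -lt "$_low" ] || [ "$_v" -gt "$_high" ]; then echo out-of-range; return 1; fi
    done
    echo ok
}
# passwd(5)-style line ('wbinfo -i', 'getent passwd'): fields 3 and 4 are uid and gid
check_passwd_line() { check_ids "$2" "$3" "$(printf '%s\n' "$1" | cut -d: -f3)" "$(printf '%s\n' "$1" | cut -d: -f4)"; }
# group(5)-style line ('getent group'): field 3 is the gid
check_group_line() { check_ids "$2" "$3" "$(printf '%s\n' "$1" | cut -d: -f3)"; }

# Demo: the line from the thread plus a constructed, correctly mapped one.
_range=$(idmap_range "$SMBCONF" DOMAIN); _low=${_range% *}; _high=${_range#* }
for _l in 'iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false' \
          'ruser:*:10001:10000:Real User:/home/DOMAIN/ruser:/bin/false'; do
    printf '%-13s %s\n' "$(check_passwd_line "$_l" "$_low" "$_high" || :)" "$_l"
done
```

On a real member server you would feed it the live `getent passwd`/`getent group` lines and the real smb.conf; a line reported as "unmapped" is exactly the case that produces the `group:4294967295:rwx` entry setfacl rejects.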



