[Samba] getfacl not have domain name and samba4 not work correctly

Ulisses Féres uferes2 at gmail.com
Sat Jul 2 13:54:39 UTC 2016


Thanks for helping me.

I changed /etc/hosts!

Others details:

*[root at smb~]# cat /etc/nsswitch.conf*
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind
hosts:      files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files
aliases:    files nisplus


*[root at smb~]#  wbinfo -g*
enterprise read-only domain controllers
domain admins
domain users
domain guests
domain computers
domain controllers
schema admins
enterprise admins
group policy creator owners
read-only domain controllers
grupo_tecnologia


*[root at smb~]# cat /etc/security/limits.conf*
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384

*[root at smb~]# cat /etc/krb5.conf*
[libdefaults]
        default_realm = ROPA.INTRANET
        dns_lookup_realm = false
        dns_lookup_kdc = true


[logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

ROPA.INTRANET = {
        kdc = smb.ropa.intranet
        default_domain = ropa.intranet
        admin_server = SMB.ROPA.INTRANET
}

[appdefaults]
     pam = {
          debug = false
          ticket_lifetime = 36000
          renew_lifetime = 36000
          forwardable = true
          krb4_convert = false
     }
[domain_realm]
        .ROPA.INTRANET = ROPA.INTRANET
        .ROPA = ROPA.INTRANET
        .ROPA.intranet = ROPA.INTRANET



*[root at smb ~]# net rpc rights list accounts -Uadministrator*
Enter administrator's password:
ROPA\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Print Operators
SeLoadDriverPrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Account Operators
SeInteractiveLogonRight

BUILTIN\Backup Operators
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Administrators
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
SeInteractiveLogonRight
SeNetworkLogonRight
SeRemoteInteractiveLogonRight
SeDiskOperatorPrivilege

BUILTIN\Server Operators
SeBackupPrivilege
SeSystemtimePrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Pre-Windows 2000 Compatible Access
SeRemoteInteractiveLogonRight
SeChangeNotifyPrivilege




> 2016-06-30 12:10 GMT-03:00
>


>
> I don't think your hosts file should be
>> localhost4.localdomain4 smb smb.ropa.intranet
>>
>> It should be
>> 192.168.1.99 smb smb.ropa.intranet
>>
>> Then I would check if wbinfo -g returns groups?
>>
>> also what does your /etc/nsswitch.conf file look like?
>>
>>
>> On Thu, Jun 30, 2016 at 10:24 AM, Ulisses Féres <uferes2 at gmail.com>
>> wrote:
>>
>>> Hi.
>>>
>>> Sorry. Today I have a big problem with Samba that I cannot solve!
>>>
>>> My permissions do not work properly. In RSAT I created groups, an OU and
>>> users. In Windows I configured the shared directory *TECNOLOGIA* security
>>> settings, assigning full permissions to *grupo_tecnologia* (technology
>>> group).
>>>
>>> However, when users whose primary group is *grupo_tecnologia* access the
>>> share, a popup opens asking for the user / password, which does not accept
>>> access.
>>>
>>> I noticed on Linux with getfacl that the DOMAIN is not properly set, as shown
>>> in red:
>>>
>>>
>>> *[root at smb ~]# getfacl /shares/c/tecnologia/*
>>> # file: shares/c/tecnologia/
>>> # owner: root
>>> # group: root
>>> user::rwx
>>> user:root:rwx
>>> user:BUILTIN\134administrators:rwx
>>> user:domain\040admins:rwx
>>> *user:grupo_tecnologia:rwx*
>>> group::---
>>> group:root:---
>>> group:BUILTIN\134administrators:rwx
>>> group:domain\040admins:rwx
>>> *group:grupo_tecnologia:rwx*
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:BUILTIN\134administrators:rwx
>>> default:user:domain\040admins:rwx
>>> *default:user:grupo_tecnologia:rwx*
>>> default:group::---
>>> default:group:root:---
>>> default:group:BUILTIN\134administrators:rwx
>>> default:group:domain\040admins:rwx
>>> *default:group:grupo_tecnologia:rwx*
>>> default:mask::rwx
>>> default:other::---
>>>
>>>
>>> Shouldn't it be:
>>>
>>> *default:group:ROPA\grupo_tecnologia:rwx*
>>>
>>> I believe all my problem may be due to this.
>>>
>>>
>>>
>>>
>>> *IP Server:* 192.168.1.99
>>>
>>> *[root at smb ~]# smbd -V*
>>> Version 4.2.13
>>>
>>> *[root at smb ~]# smbclient -V*
>>> Version 4.2.13
>>>
>>> *I tried installing version 4.4.4 but this error continues*
>>>
>>>
>>> *[root at smb ~]# cat /etc/samba/smb.conf*
>>> # Global parameters
>>> [global]
>>>         workgroup = ROPA
>>>         realm = ROPA.INTRANET
>>>         netbios name = SMB
>>>         server role = active directory domain controller
>>>         dns forwarder = 8.8.8.8
>>>
>>> [netlogon]
>>>         path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
>>>         read only = No
>>>
>>> [sysvol]
>>>         path = /usr/local/samba/var/locks/sysvol
>>>         read only = No
>>>
>>>
>>> [tecnologia]
>>>         comment = tecnologia
>>>         path = /shares/c/tecnologia
>>>         read only = no
>>>
>>>
>>>
>>> *[root at smb ~]# cat /etc/resolv.conf*
>>> domain ropa.intranet
>>> search ropa.intranet
>>> nameserver 192.168.1.99
>>> nameserver 8.8.8.8
>>>
>>> *[root at smb ~]# cat /etc/hosts*
>>> 127.0.0.1   localhost localhost.localdomain localhost4
>>> localhost4.localdomain4 smb smb.ropa.intranet
>>>
>>>
>>> *[root at smb ~]# testparm*
>>>
>>> Load smb config files from /usr/local/samba/etc/smb.conf
>>> Processing section "[netlogon]"
>>> Processing section "[sysvol]"
>>> Processing section "[tecnologia]"
>>>
>>> Loaded services file OK.
>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>>
>>> Press enter to see a dump of your service definitions
>>>
>>> # Global parameters
>>> [global]
>>>         workgroup = ROPA
>>>         realm = ROPA.INTRANET
>>>         server role = active directory domain controller
>>>         passdb backend = samba_dsdb
>>>         dns forwarder = 8.8.8.8
>>>         rpc_server:tcpip = no
>>>         rpc_daemon:spoolssd = embedded
>>>         rpc_server:spoolss = embedded
>>>         rpc_server:winreg = embedded
>>>         rpc_server:ntsvcs = embedded
>>>         rpc_server:eventlog = embedded
>>>         rpc_server:srvsvc = embedded
>>>         rpc_server:svcctl = embedded
>>>         rpc_server:default = external
>>>         winbindd:use external pipes = true
>>>         idmap config * : backend = tdb
>>>         map archive = No
>>>         map readonly = no
>>>         store dos attributes = Yes
>>>         vfs objects = dfs_samba4 acl_xattr
>>>
>>>
>>> [netlogon]
>>>         path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
>>>         read only = No
>>>
>>>
>>> [sysvol]
>>>         path = /usr/local/samba/var/locks/sysvol
>>>         read only = No
>>>
>>>
>>> [tecnologia]
>>>         comment = tecnologia
>>>         path = /shares/c/tecnologia
>>>         read only = No
>>>
>>> *[root at smb ~]# klist*
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: administrator at ROPA.INTRANET
>>>
>>> Valid starting       Expires              Service principal
>>> 06/24/2016 01:21:09  06/24/2016 11:21:09
>>> krbtgt/ROPA.INTRANET at ROPA.INTRANET
>>>         renew until 06/25/2016 01:21:04
>>>
>>> *[root at smb~]# uname -a*
>>> Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29
>>> 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>>
>>> Thanks a lot!
>>> Ulisses.
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>>
>
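The getfacl listing quoted above is easy to misread: getfacl writes special characters in ACL qualifiers as three-digit octal escapes, so `BUILTIN\134administrators` is really `BUILTIN\administrators` and `domain\040admins` is really `domain admins`. The entries the poster highlights are the ones whose name carries no `DOMAIN\` prefix at all. The following script is an added example, not code from the thread or from the Samba project: it parses getfacl output, decodes the escapes, and reports the named user/group entries that lack a domain qualifier so an administrator can see at a glance which entries depend on nss/winbind resolving a bare name. The sample input is a constructed, trimmed copy of the quoted listing plus one constructed `ROPA\134grupo_tecnologia` line that shows how a qualified entry would appear; the `local_names` set is an assumption standing in for the accounts in /etc/passwd and /etc/group.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the getfacl output quoted in the thread,
# plus one constructed default entry with a DOMAIN\ prefix for comparison.
SAMPLE = r"""# file: shares/c/tecnologia/
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:domain\040admins:rwx
user:grupo_tecnologia:rwx
group::---
group:root:---
group:BUILTIN\134administrators:rwx
group:domain\040admins:rwx
group:grupo_tecnologia:rwx
mask::rwx
other::---
default:group:ROPA\134grupo_tecnologia:rwx
"""


@dataclass(frozen=True)
class AclEntry:
    default: bool    # True for a default (inherited-by-children) entry
    tag: str         # user, group, mask or other
    qualifier: str   # decoded name; empty for the owner / owning-group entries
    perms: str       # e.g. "rwx" or "---"


_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def decode_getfacl_name(raw: str) -> str:
    """Undo getfacl's octal escaping: \\134 -> backslash, \\040 -> space, etc."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), raw)


def parse_getfacl(text: str) -> list[AclEntry]:
    """Parse one getfacl listing into AclEntry records (header comments are skipped)."""
    entries: list[AclEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        default = parts[0] == "default"
        if default:
            parts = parts[1:]
        if len(parts) != 3:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        tag, qualifier, perms = parts
        entries.append(AclEntry(default, tag, decode_getfacl_name(qualifier), perms))
    return entries


def split_domain(name: str) -> tuple[str, str]:
    """Split 'DOMAIN\\name' into (domain, name); a bare name yields ('', name)."""
    domain, sep, short = name.partition("\\")
    return (domain, short) if sep else ("", name)


def unqualified_entries(entries: list[AclEntry],
                        local_names: frozenset[str] = frozenset({"root"})) -> list[AclEntry]:
    """Named user/group entries with no DOMAIN\\ prefix that are not known local accounts.
    These are the entries whose meaning depends entirely on how nss resolves a bare name."""
    return [e for e in entries
            if e.tag in ("user", "group") and e.qualifier
            and split_domain(e.qualifier)[0] == ""
            and e.qualifier not in local_names]


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE)
    for e in acl:
        domain, short = split_domain(e.qualifier)
        scope = "default " if e.default else ""
        print(f"{scope}{e.tag}:{e.qualifier}:{e.perms}  domain={domain or '(none)'} name={short}")
    print("\nEntries without a domain qualifier:")
    for e in unqualified_entries(acl):
        print(f"  {'default ' if e.default else ''}{e.tag}:{e.qualifier}")
```

Run against a real listing with `getfacl /shares/c/tecnologia | python3 this_script.py`-style piping after replacing `SAMPLE` with `sys.stdin.read()`; on the poster's box the four `domain admins` / `grupo_tecnologia` entries are the ones reported, while the `BUILTIN\administrators` entries decode cleanly and pass.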

