[Samba] getfacl not have domain name and samba4 not work correctly

Ulisses Féres uferes2 at gmail.com
Mon Jul 4 13:54:25 UTC 2016


Sorry, the original message was in error. It follows:


Hi. Sorry. Today I have a big problem with Samba that I cannot solve! My
permissions do not work properly. In RSAT I created groups, OUs and users.
I configured in Windows the shared directory *TECNOLOGIA* security settings,
assigning full permissions to *grupo_tecnologia* (technology group).
However, when users whose primary group is *grupo_tecnologia* access the share,
a popup opens asking for the user / password, and it does not accept
access. I noticed on Linux with getfacl that DOMAIN is not properly set,
as in bold:



[root at smb ~]# getfacl /shares/c/tecnologia/
# file: shares/c/tecnologia/
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:domain\040admins:rwx
*user:grupo_tecnologia:rwx*
group::---
group:root:---
group:BUILTIN\134administrators:rwx
group:domain\040admins:rwx
*group:grupo_tecnologia:rwx*
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:domain\040admins:rwx
*default:user:grupo_tecnologia:rwx*
default:group::---
default:group:root:---
default:group:BUILTIN\134administrators:rwx
default:group:domain\040admins:rwx
*default:group:grupo_tecnologia:rwx*
default:mask::rwx
default:other::---


Shouldn't it be:

*default:group:ROPA\grupo_tecnologia:rwx*

I believe all my problem may be due to this.



*IP Server:* 192.168.1.99

*[root at smb ~]# smbd -V*
Version 4.2.13

*[root at smb ~]# smbclient -V*
Version 4.2.13

*I tried installing version 4.4.4 but this error continues*

*[root at smb ~]# cat /etc/samba/smb.conf*
# Global parameters
[global]
        workgroup = ROPA
        realm = ROPA.INTRANET
        netbios name = SMB
        server role = active directory domain controller
        dns forwarder = 8.8.8.8

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No


[tecnologia]
        comment = tecnologia
        path = /shares/c/tecnologia
        read only = no


*[root at smb ~]# cat /etc/resolv.conf*
domain ropa.intranet
search ropa.intranet
nameserver 192.168.1.99
nameserver 8.8.8.8

*[root at smb ~]# cat /etc/hosts*
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.1.99 smb smb.ropa.intranet

*[root at smb ~]# testparm*

Load smb config files from /usr/local/samba/etc/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[tecnologia]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
# Global parameters
[global]
        workgroup = ROPA
        realm = ROPA.INTRANET
        server role = active directory domain controller
        passdb backend = samba_dsdb
        dns forwarder = 8.8.8.8
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
[tecnologia]
        comment = tecnologia
        path = /shares/c/tecnologia
        read only = No

*[root at smb ~]# klist*
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at ROPA.INTRANET

Valid starting       Expires              Service principal
06/24/2016 01:21:09  06/24/2016 11:21:09  krbtgt/ROPA.INTRANET at ROPA.INTRANET
        renew until 06/25/2016 01:21:04

*[root at smb~]# uname -a*
Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


[root at smb~]# cat /etc/nsswitch.conf
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind
hosts:      files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files
aliases:    files nisplus

[root at smb~]# wbinfo -g
enterprise read-only domain controllers
domain admins
domain users
domain guests
domain computers
domain controllers
schema admins
enterprise admins
group policy creator owners
read-only domain controllers
grupo_tecnologia

[root at smb~]# cat /etc/security/limits.conf
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384

[root at smb~]# cat /etc/krb5.conf
[libdefaults]
default_realm = ROPA.INTRANET
dns_lookup_realm = false
dns_lookup_kdc = true
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
ROPA.INTRANET = {
    kdc = smb.ropa.intranet
    default_domain = ropa.intranet
    admin_server = SMB.ROPA.INTRANET
}
[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}
[domain_realm]
.ROPA.INTRANET = ROPA.INTRANET
.ROPA = ROPA.INTRANET
.ROPA.intranet = ROPA.INTRANET

[root at smb ~]# net rpc rights list accounts -Uadministrator
Enter administrator's password:
ROPA\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Print Operators
SeLoadDriverPrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Account Operators
SeInteractiveLogonRight

BUILTIN\Backup Operators
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Administrators
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
SeInteractiveLogonRight
SeNetworkLogonRight
SeRemoteInteractiveLogonRight
SeDiskOperatorPrivilege

BUILTIN\Server Operators
SeBackupPrivilege
SeSystemtimePrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Pre-Windows 2000 Compatible Access
SeRemoteInteractiveLogonRight
SeChangeNotifyPrivilege
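An added example (not from the message above or from the Samba project) that reads a getfacl listing like the one posted, decodes getfacl's octal escapes (so `BUILTIN\134administrators` is really `BUILTIN\administrators` and `domain\040admins` is `domain admins`), and lists the named user/group entries that carry no `DOMAIN\` prefix. It assumes the winbind default separator `\` and treats `root` as the only local account; the sample listing is constructed, modelled on the post.

```python
import re

# Constructed sample, modelled on the getfacl listing in the message above.
SAMPLE_GETFACL = r"""# file: shares/c/tecnologia/
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:domain\040admins:rwx
user:grupo_tecnologia:rwx
group::---
group:BUILTIN\134administrators:rwx
group:grupo_tecnologia:rwx
mask::rwx
other::---
default:group:grupo_tecnologia:rwx
"""

OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(name):
    # getfacl writes non-printable or special bytes as \NNN octal: \134 is '\', \040 is ' '.
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Yield (is_default, tag, name, perms) for every ACL entry line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip the file/owner/group header comments
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, rest = line.split(":", 1)          # user / group / mask / other
        name, perms = rest.rsplit(":", 1)       # qualifier may be empty
        yield is_default, tag, unescape(name), perms


def unqualified_principals(text, local_names=frozenset({"root"}), separator="\\"):
    """Named user/group entries whose name lacks a DOMAIN<separator> prefix.

    Owner entries (empty name), mask, other and known local accounts are ignored,
    so the result is the list of principals whose domain is ambiguous on disk.
    """
    found = []
    for _is_default, tag, name, _perms in parse_getfacl(text):
        if tag not in ("user", "group") or not name or name in local_names:
            continue
        if separator not in name and name not in found:
            found.append(name)
    return found
```

Running `unqualified_principals(SAMPLE_GETFACL)` on the sample reports `domain admins` and `grupo_tecnologia`, while `BUILTIN\administrators` passes because it carries a separator.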

