[Samba] getfacl not have domain name and samba4 not work correctly

Rowland penny rpenny at samba.org
Mon Jul 4 14:20:50 UTC 2016


On 04/07/16 14:54, Ulisses Féres wrote:
> Sorry, the original message was in error. Follow:
>
>
> Hi. Sorry. Today I have a big problem with Samba that I cannot solve! My
> permissions do not work properly. In RSAT I created groups, OUs and users.
> I configured in Windows the shared directory *TECNOLOGIA* security settings,
> assigning full permissions to *grupo_tecnologia* (technology group).
> However, when users whose primary group is *grupo_tecnologia* try to access
> the share, a popup opens asking for user/password and does not accept the
> login. I noticed on Linux with getfacl that the DOMAIN is not properly set,
> as in bold:
>
>
>
> [root at smb ~]# getfacl /shares/c/tecnologia/
> # file: shares/c/tecnologia/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:domain\040admins:rwx
> *user:grupo_tecnologia:rwx*
> group::---
> group:root:---
> group:BUILTIN\134administrators:rwx
> group:domain\040admins:rwx
> *group:grupo_tecnologia:rwx*
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:domain\040admins:rwx
> *default:user:grupo_tecnologia:rwx*
> default:group::---
> default:group:root:---
> default:group:BUILTIN\134administrators:rwx
> default:group:domain\040admins:rwx
> *default:group:grupo_tecnologia:rwx*
> default:mask::rwx
> default:other::---
>
>
> It should have been:
>
> *default:group:ROPA\grupo_tecnologia:rwx*
>
> I believe all my problem may be due to this.
>
>
>
> *IP Server:* 192.168.1.99
>
> *[root at smb ~]# smbd -V*
> Version 4.2.13
>
> *[root at smb ~]# smbclient -V*
> Version 4.2.13
>
> *I tried installing version 4.4.4 but this error continues*
>
> *[root at smb ~]# cat /etc/samba/smb.conf*
> # Global parameters
> [global]
>          workgroup = ROPA
>          realm = ROPA.INTRANET
>          netbios name = SMB
>          server role = active directory domain controller
>          dns forwarder = 8.8.8.8
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>
>
> [tecnologia]
>          comment = tecnologia
>          path = /shares/c/tecnologia
>          read only = no
>
>
> *[root at smb ~]# cat /etc/resolv.conf*
> domain ropa.intranet
> search ropa.intranet
> nameserver 192.168.1.99
> nameserver 8.8.8.8
>
> *[root at smb ~]# cat /etc/hosts*
> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> 192.168.1.99 smb smb.ropa.intranet
>
> *[root at smb ~]# testparm*
>
> Load smb config files from /usr/local/samba/etc/smb.conf
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[tecnologia]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
> Press enter to see a dump of your service definitions
> # Global parameters
> [global]
>          workgroup = ROPA
>          realm = ROPA.INTRANET
>          server role = active directory domain controller
>          passdb backend = samba_dsdb
>          dns forwarder = 8.8.8.8
>          rpc_server:tcpip = no
>          rpc_daemon:spoolssd = embedded
>          rpc_server:spoolss = embedded
>          rpc_server:winreg = embedded
>          rpc_server:ntsvcs = embedded
>          rpc_server:eventlog = embedded
>          rpc_server:srvsvc = embedded
>          rpc_server:svcctl = embedded
>          rpc_server:default = external
>          winbindd:use external pipes = true
>          idmap config * : backend = tdb
>          map archive = No
>          map readonly = no
>          store dos attributes = Yes
>          vfs objects = dfs_samba4 acl_xattr
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
>          read only = No
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
> [tecnologia]
>          comment = tecnologia
>          path = /shares/c/tecnologia
>          read only = No
>
> *[root at smb ~]# klist*
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at ROPA.INTRANET
>
> Valid starting       Expires              Service principal
> 06/24/2016 01:21:09  06/24/2016 11:21:09  krbtgt/ROPA.INTRANET at ROPA.INTRANET
>          renew until 06/25/2016 01:21:04
>
> *[root at smb~]# uname -a*
> Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>
>
> [root at smb~]# cat /etc/nsswitch.conf
> passwd:     files sss winbind
> shadow:     files sss winbind
> group:      files sss winbind
> hosts:      files dns myhostname
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> netgroup:   files sss
> publickey:  nisplus
> automount:  files
> aliases:    files nisplus
>
> [root at smb~]# wbinfo -g
> enterprise read-only domain controllers
> domain admins
> domain users
> domain guests
> domain computers
> domain controllers
> schema admins
> enterprise admins
> group policy creator owners
> read-only domain controllers
> grupo_tecnologia
>
> [root at smb~]# cat /etc/security/limits.conf
> root hard nofile 131072
> root soft nofile 65536
> mioutente hard nofile 32768
> mioutente soft nofile 16384
>
> [root at smb~]# cat /etc/krb5.conf
> [libdefaults]
>  default_realm = ROPA.INTRANET
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>  ROPA.INTRANET = {
>   kdc = smb.ropa.intranet
>   default_domain = ropa.intranet
>   admin_server = SMB.ROPA.INTRANET
>  }
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
> [domain_realm]
>  .ROPA.INTRANET = ROPA.INTRANET
>  .ROPA = ROPA.INTRANET
>  .ROPA.intranet = ROPA.INTRANET
>
> [root at smb ~]# net rpc rights list accounts -Uadministrator
> Enter administrator's password:
> ROPA\Domain Admins
> SeDiskOperatorPrivilege
>
> BUILTIN\Print Operators
> SeLoadDriverPrivilege
> SeShutdownPrivilege
> SeInteractiveLogonRight
>
> BUILTIN\Account Operators
> SeInteractiveLogonRight
>
> BUILTIN\Backup Operators
> SeBackupPrivilege
> SeRestorePrivilege
> SeShutdownPrivilege
> SeInteractiveLogonRight
>
> BUILTIN\Administrators
> SeSecurityPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeSystemtimePrivilege
> SeShutdownPrivilege
> SeRemoteShutdownPrivilege
> SeTakeOwnershipPrivilege
> SeDebugPrivilege
> SeSystemEnvironmentPrivilege
> SeSystemProfilePrivilege
> SeProfileSingleProcessPrivilege
> SeIncreaseBasePriorityPrivilege
> SeLoadDriverPrivilege
> SeCreatePagefilePrivilege
> SeIncreaseQuotaPrivilege
> SeChangeNotifyPrivilege
> SeUndockPrivilege
> SeImpersonatePrivilege
> SeCreateGlobalPrivilege
> SeEnableDelegationPrivilege
> SeInteractiveLogonRight
> SeNetworkLogonRight
> SeRemoteInteractiveLogonRight
> SeDiskOperatorPrivilege
>
> BUILTIN\Server Operators
> SeBackupPrivilege
> SeSystemtimePrivilege
> SeRemoteShutdownPrivilege
> SeRestorePrivilege
> SeShutdownPrivilege
> SeInteractiveLogonRight
>
> BUILTIN\Pre-Windows 2000 Compatible Access
> SeRemoteInteractiveLogonRight
> SeChangeNotifyPrivilege

OK, let's start with why getfacl doesn't show the domain name for 
'grupo_tecnologia'.

I have no idea; why don't you ask on the sssd mailing list, because this 
is what is returning your group name:

/etc/nsswitch.conf
...........
........
group: files sss winbind

'winbind' in /etc/nsswitch.conf will very probably be ignored, because 
'sss' is in front of it.

I found your post to be pretty much unreadable, could you try another 
mail client, preferably one that doesn't squash all the text together. :-)

Rowland
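A mechanical way to check a listing like the one quoted above, added here as an example that is not part of the thread: it parses getfacl output, decodes the \040 and \134 octal escapes getfacl emits for spaces and backslashes, and reports named user/group entries that are neither a local account nor DOMAIN\name qualified. The sample listing is constructed from the quoted one, and the set of local accounts (`LOCAL_ACCOUNTS`) is an assumption.

```python
import re
from dataclasses import dataclass
# Constructed sample trimmed from the thread's listing; getfacl escapes a
# space as \040 and a backslash as \134.
SAMPLE = """\
# file: shares/c/tecnologia/
user::rwx
user:root:rwx
user:BUILTIN\\134administrators:rwx
user:domain\\040admins:rwx
user:grupo_tecnologia:rwx
group:BUILTIN\\134administrators:rwx
group:grupo_tecnologia:rwx
default:group:grupo_tecnologia:rwx
"""
_OCTAL = re.compile(r"\\([0-7]{3})")

def unescape(name):
    """Decode getfacl's \\NNN octal escapes back to raw characters."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)

@dataclass
class Entry:
    default: bool   # from the default (inherited) ACL
    kind: str       # user, group, mask or other
    name: str       # decoded principal; empty for owner/owning-group entries
    perms: str

def parse_getfacl(text):
    """Turn getfacl's text output into Entry records."""
    entries = []
    for raw in text.splitlines():
        line = raw.partition("#")[0].strip()   # drops '# file:' and '#effective:'
        if not line:
            continue
        fields = line.split(":")
        default = fields[0] == "default"
        if default:
            fields = fields[1:]
        entries.append(Entry(default, fields[0], unescape(fields[1]), fields[2]))
    return entries

# Assumption: the only accounts held locally in /etc/passwd and /etc/group.
LOCAL_ACCOUNTS = {"root"}

def unqualified(entries, separator="\\", local=LOCAL_ACCOUNTS):
    """Named user/group entries that are neither local nor DOMAIN<sep>name."""
    return [e for e in entries
            if e.kind in ("user", "group") and e.name
            and e.name not in local and separator not in e.name]
```

Run it against `getfacl /shares/c/tecnologia` output to see which principals NSS resolved without a domain prefix; the separator argument matches Samba's `winbind separator`, which defaults to a backslash.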
