[Samba] getfacl not have domain name and samba4 not work correctly

L.P.H. van Belle belle at bazuin.nl
Mon Jul 4 14:56:47 UTC 2016


Hi,

> I configured in Windows the shared directory *TECNOLOGIA* security settings
> assigning full permissions to *grupo_tecnologia* (technology group).

What are the "share" rights on that share?
For example, did you remove Authenticated Users or Everyone and add a new one?

Is this a share which only Windows users access? Try adding
acl_xattr:ignore system acl = yes
to your share!

DO RE-APPLY YOUR SHARE AND SECURITY SETTINGS TO BE SURE IT'S SET OK.

You are missing a right somewhere on the share or folder, or you're missing a UID/GID somewhere.

Look here:
https://wiki.samba.org/index.php/File_sharing

and choose one of the share setups; don't mix them.



Regards,

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
> Sent: Monday 4 July 2016 16:34
> To: Ulisses Féres
> CC: samba
> Subject: Re: [Samba] getfacl not have domain name and samba4 not work
> correctly
> 
> Hi,
> 
> First I won't read the end. Notepad or something as clever as that tool
> put data on big lines, which is unreadable.
> 
> Now, and to stop complaining, the fact that AD user names are displayed with
> or without WORKGROUP\ is not an issue: the display is local to the system,
> managed by Samba (or Winbind[d]), and so the local Samba should act
> according to what is configured in smb.conf regarding whether the
> workgroup is displayed or not in the user name.
> 
> Not sure it is clear :D
> 
> Anyway: to change that behaviour and get id, getfacl... on your system
> showing WORKGROUP\username rather than username, I think the smb.conf
> option is "winbind use default domain = yes".
> 
> If you are not using Winbind, the replacement tool should also come with
> that option.
> 
> 2016-07-04 15:54 GMT+02:00 Ulisses Féres <uferes2 at gmail.com>:
> 
> > Sorry, the original message was in error. Follow:
> >
> >
> > Hi. Sorry. Today I have a big problem with the samba I can not solve! My
> > permissions do not work properly. In RSAT I created groups, OUs and users.
> > I configured in Windows the shared directory *TECNOLOGIA* security settings
> > assigning full permissions to *grupo_tecnologia* (technology group).
> > However, when users who are with *grupo_tecnologia* (primary) access the
> > share, a popup opens asking for the user / password, which does not accept
> > access. I noticed on linux with getfacl that DOMAIN is not properly set,
> > as in bold:
> >
> >
> >
> > [root at smb ~]# getfacl /shares/c/tecnologia/
> > # file: shares/c/tecnologia/
> > # owner: root
> > # group: root
> > user::rwx
> > user:root:rwx
> > user:BUILTIN\134administrators:rwx
> > user:domain\040admins:rwx
> > *user:grupo_tecnologia:rwx*
> > group::---
> > group:root:---
> > group:BUILTIN\134administrators:rwx
> > group:domain\040admins:rwx
> > *group:grupo_tecnologia:rwx*
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:BUILTIN\134administrators:rwx
> > default:user:domain\040admins:rwx
> > *default:user:grupo_tecnologia:rwx*
> > default:group::---
> > default:group:root:---
> > default:group:BUILTIN\134administrators:rwx
> > default:group:domain\040admins:rwx
> > *default:group:grupo_tecnologia:rwx*
> > default:mask::rwx
> > default:other::---
> >
> >
> > It should have been:
> >
> > *default:group:ROPA\grupo_tecnologia:rwx*
> >
> > I believe all my problem may be due to this.
> >
> >
> >
> > *IP Server:* 192.168.1.99
> >
> > *[root at smb ~]# smbd -V*
> > Version 4.2.13
> >
> > *[root at smb ~]# smbclient -V*
> > Version 4.2.13
> >
> > *I tried installing version 4.4.4 but this error continues*
> >
> > *[root at smb ~]# cat /etc/samba/smb.conf*
> > # Global parameters
> > [global]
> >         workgroup = ROPA
> >         realm = ROPA.INTRANET
> >         netbios name = SMB
> >         server role = active directory domain controller
> >         dns forwarder = 8.8.8.8
> >
> > [netlogon]
> >         path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /usr/local/samba/var/locks/sysvol
> >         read only = No
> >
> >
> > [tecnologia]
> >         comment = tecnologia
> >         path = /shares/c/tecnologia
> >         read only = no
> >
> >
> > *[root at smb ~]# cat /etc/resolv.conf*
> > domain ropa.intranet
> > search ropa.intranet
> > nameserver 192.168.1.99
> > nameserver 8.8.8.8
> >
> > *[root at smb ~]# cat /etc/hosts*
> > 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> > 192.168.1.99 smb smb.ropa.intranet
> >
> > *[root at smb ~]# testparm*
> >
> > Load smb config files from /usr/local/samba/etc/smb.conf
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > Processing section "[tecnologia]"
> > Loaded services file OK.
> > Server role: ROLE_ACTIVE_DIRECTORY_DC
> > Press enter to see a dump of your service definitions
> > # Global parameters
> > [global]
> >         workgroup = ROPA
> >         realm = ROPA.INTRANET
> >         server role = active directory domain controller
> >         passdb backend = samba_dsdb
> >         dns forwarder = 8.8.8.8
> >         rpc_server:tcpip = no
> >         rpc_daemon:spoolssd = embedded
> >         rpc_server:spoolss = embedded
> >         rpc_server:winreg = embedded
> >         rpc_server:ntsvcs = embedded
> >         rpc_server:eventlog = embedded
> >         rpc_server:srvsvc = embedded
> >         rpc_server:svcctl = embedded
> >         rpc_server:default = external
> >         winbindd:use external pipes = true
> >         idmap config * : backend = tdb
> >         map archive = No
> >         map readonly = no
> >         store dos attributes = Yes
> >         vfs objects = dfs_samba4 acl_xattr
> > [netlogon]
> >         path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
> >         read only = No
> > [sysvol]
> >         path = /usr/local/samba/var/locks/sysvol
> >         read only = No
> > [tecnologia]
> >         comment = tecnologia
> >         path = /shares/c/tecnologia
> >         read only = No
> >
> > *[root at smb ~]# klist*
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: administrator at ROPA.INTRANET
> >
> > Valid starting       Expires              Service principal
> > 06/24/2016 01:21:09  06/24/2016 11:21:09  krbtgt/ROPA.INTRANET at ROPA.INTRANET
> >         renew until 06/25/2016 01:21:04
> >
> > *[root at smb~]# uname -a*
> > Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
> >
> >
> > [root at smb~]# cat /etc/nsswitch.conf
> > passwd:     files sss winbind
> > shadow:     files sss winbind
> > group:      files sss winbind
> > hosts:      files dns myhostname
> > bootparams: nisplus [NOTFOUND=return] files
> > ethers:     files
> > netmasks:   files
> > networks:   files
> > protocols:  files
> > rpc:        files
> > services:   files sss
> > netgroup:   files sss
> > publickey:  nisplus
> > automount:  files
> > aliases:    files nisplus
> >
> > [root at smb~]# wbinfo -g
> > enterprise read-only domain controllers
> > domain admins
> > domain users
> > domain guests
> > domain computers
> > domain controllers
> > schema admins
> > enterprise admins
> > group policy creator owners
> > read-only domain controllers
> > grupo_tecnologia
> >
> > [root at smb~]# cat /etc/security/limits.conf
> > root hard nofile 131072
> > root soft nofile 65536
> > mioutente hard nofile 32768
> > mioutente soft nofile 16384
> >
> > [root at smb~]# cat /etc/krb5.conf
> > [libdefaults]
> > default_realm = ROPA.INTRANET
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> > ROPA.INTRANET = {
> >   kdc = smb.ropa.intranet
> >   default_domain = ropa.intranet
> >   admin_server = SMB.ROPA.INTRANET
> > }
> > [appdefaults]
> > pam = {
> >   debug = false
> >   ticket_lifetime = 36000
> >   renew_lifetime = 36000
> >   forwardable = true
> >   krb4_convert = false
> > }
> > [domain_realm]
> > .ROPA.INTRANET = ROPA.INTRANET
> > .ROPA = ROPA.INTRANET
> > .ROPA.intranet = ROPA.INTRANET
> >
> > [root at smb ~]# net rpc rights list accounts -Uadministrator
> > Enter administrator's password:
> > ROPA\Domain Admins
> > SeDiskOperatorPrivilege
> >
> > BUILTIN\Print Operators
> > SeLoadDriverPrivilege
> > SeShutdownPrivilege
> > SeInteractiveLogonRight
> >
> > BUILTIN\Account Operators
> > SeInteractiveLogonRight
> >
> > BUILTIN\Backup Operators
> > SeBackupPrivilege
> > SeRestorePrivilege
> > SeShutdownPrivilege
> > SeInteractiveLogonRight
> >
> > BUILTIN\Administrators
> > SeSecurityPrivilege
> > SeBackupPrivilege
> > SeRestorePrivilege
> > SeSystemtimePrivilege
> > SeShutdownPrivilege
> > SeRemoteShutdownPrivilege
> > SeTakeOwnershipPrivilege
> > SeDebugPrivilege
> > SeSystemEnvironmentPrivilege
> > SeSystemProfilePrivilege
> > SeProfileSingleProcessPrivilege
> > SeIncreaseBasePriorityPrivilege
> > SeLoadDriverPrivilege
> > SeCreatePagefilePrivilege
> > SeIncreaseQuotaPrivilege
> > SeChangeNotifyPrivilege
> > SeUndockPrivilege
> > SeImpersonatePrivilege
> > SeCreateGlobalPrivilege
> > SeEnableDelegationPrivilege
> > SeInteractiveLogonRight
> > SeNetworkLogonRight
> > SeRemoteInteractiveLogonRight
> > SeDiskOperatorPrivilege
> >
> > BUILTIN\Server Operators
> > SeBackupPrivilege
> > SeSystemtimePrivilege
> > SeRemoteShutdownPrivilege
> > SeRestorePrivilege
> > SeShutdownPrivilege
> > SeInteractiveLogonRight
> >
> > BUILTIN\Pre-Windows 2000 Compatible Access
> > SeRemoteInteractiveLogonRight
> > SeChangeNotifyPrivilege
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
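The getfacl listing in the thread is hard to read because getfacl escapes a space as \040 and a backslash as \134, so `BUILTIN\134administrators` is really `BUILTIN\administrators` and `domain\040admins` is `domain admins`. The following is an added example, not code from the thread or from Samba, that decodes those escapes and lists the named ACL entries that are not qualified with the domain short name; it assumes the domain is ROPA as in the thread and embeds a constructed sample in the shape of the quoted output.

```shell
# Added example (not from the thread): decode getfacl's escaped names and list
# the named user/group entries that are not qualified with the AD domain.
# Assumes the domain short name is ROPA, as in the thread; \040 and \134 are
# the octal escapes getfacl prints for a space and a backslash.

# Turn "domain\040admins" into "domain admins" and "BUILTIN\134administrators"
# into "BUILTIN\administrators".
decode_acl_names() {
    sed -e 's/\\040/ /g' -e 's/\\134/\\/g'
}

# Read getfacl output on stdin; print "user:NAME" / "group:NAME" for every
# named entry (access and default) whose name does not start with "DOMAIN\".
# Usage on a real share: getfacl /shares/c/tecnologia | unqualified_acl_entries ROPA
unqualified_acl_entries() {
    decode_acl_names | awk -F: -v dom="$1" '
        /^#/ || NF == 0 { next }                  # comments and blank lines
        {
            # default entries carry an extra leading "default" field
            tag  = ($1 == "default") ? $2 : $1
            name = ($1 == "default") ? $3 : $2
            # owner/group/mask/other entries have no name; skip those
            if ((tag != "user" && tag != "group") || name == "") next
            if (index(name, dom "\\") != 1) print tag ":" name
        }'
}

# Constructed sample in the shape of the getfacl output quoted in the thread,
# plus one correctly qualified entry (ROPA\grupo_tecnologia) for contrast.
sample_getfacl() {
cat <<'EOF'
# file: shares/c/tecnologia/
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:domain\040admins:rwx
user:grupo_tecnologia:rwx
group::---
group:ROPA\134grupo_tecnologia:rwx
mask::rwx
other::---
default:user::rwx
default:group:grupo_tecnologia:rwx
EOF
}

sample_getfacl | unqualified_acl_entries ROPA
```

On the sample this prints five unqualified entries (root, BUILTIN\administrators, domain admins, and grupo_tecnologia twice) and stays silent for ROPA\grupo_tecnologia, which is the form the thread expected to see.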