[Samba] Unable to set up home share correctly

Udo Willke udo.willke at freenet.de
Fri Oct 14 14:01:14 UTC 2016


On 14.10.2016 at 15:04, Rowland Penny via samba wrote:
> On Fri, 14 Oct 2016 14:32:52 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>> Hello Rowland,
>>
>> On 13.10.2016 at 18:25, Rowland Penny via samba wrote:
>>> It sounds like you don't have IDMU installed, not sure if you can
>>> install it on 2012.
>> are you trying to say that I should install "Identity Management for
>> Unix" on a Windows Server 2012? If yes, I am afraid we have a
>> misunderstanding here: I don't use any Windows Server in my set-up.
>>
>> I use a Fileserver with two network interfaces, one connected to a
>> private network, the other connected to our university network. A
>> Samba AD DC is supposed to manage a small Windows Domain in the
>> private net. The fileserver also serves as a gateway to the Windows 7
>> workstations in the private net. Fileserver and AD DC are both
>> running ubuntu 16.04 and have the respective Samba packages
>> installed. For testing I have set up two Windows 7 Instances on ESXi
>> inside the private net, one with the RSAT Tools installed and one as
>> a user PC.
>>
>> Update: I spent the morning setting up a fresh member server
>> ("FILESERVER2") for testing inside the private net (with 1 NIC only,
>> thereby reducing complexity). I think I have made all the necessary
>> steps and did not forget to grant the SeDiskOperatorPrivilege rights
>> to the Domain Admins:
>>
>> root at fileserver2:/var/log/samba# net rpc rights list 'MYDOMAIN\Domain Admins' -U'MYDOMAIN\Administrator' -S addc01
>> Enter MYDOMAIN\Administrator's password:
>> SeDiskOperatorPrivilege
>>
>> Now I'm stuck in the RSAT Computer Management Console where I am
>> denied access to the share configuration. On the navigation tree in
>> the left window "Local users and groups" is shown as locked (and I
>> remember this only went away after I assigned a uidNumber to the
>> Administrator account and made it a member of the Domain Admins Unix
>> group). Can't tell if this is a useful hint.
>>
> I could have sworn you mentioned a 2012 server,
No problem
> so if you are
> authenticating the fileserver to a Samba AD DC, did you provision the
> DC with '--use-rfc2307' ?
Yes, I did. From my shell history:

samba-tool domain provision --use-rfc2307 --function-level=2008_R2 \
--dns-backend=BIND9_DLZ --host-name=addc01 --realm=MYDOMAIN.LAN \
--domain=MYDOMAIN --server-role='dc' --adminpass='*******************'

> Not a problem if you didn't, see here:
>
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_NIS_extensions
>
> The 'Administrator' is always a member of 'Domain Admins'
>
> Did you remember to add the 'user.map' line to smb.conf ?
Yes I did, but I had a typo in the real domain name ... and this was
the problem :-[

Now I have access to the share configuration :-)

What's a little confusing:
"Share Permissions" has the "Everyone" account already filled in with
"Full Control".
"Security" has "Everyone", "root", "ERSTELLER-BESITZER" (Creator Owner),
ERSTELLERGRUPPE (Creator Group) and "Domain Admins" accounts already
filled in.

---> What would you suggest? Remove all unwanted accounts first and then
follow the wiki? I remember trouble started when I removed the
"Everyone" account.

Extended attributes on [home] look like this at this point:

root at fileserver2:/var/log/samba# LANG=en_US getfacl /var/share/samba/homes/
getfacl: Removing leading '/' from absolute path names
# file: var/share/samba/homes/
# owner: root
# group: MYDOMAIN\134domain\040admins
user::rwx
group::rwx
other::r-x

BTW: On this server, I changed the id ranges to more modest values:

root at fileserver2:/var/log/samba# grep idmap /etc/samba/smb.conf
     ;; Default idmap config used for BUILTIN and local accounts/groups
     idmap config * : backend = tdb
     idmap config * : range = 2000-9999
     ;; idmap config for domain MYDOMAIN
     idmap config MYDOMAIN : backend = ad
     idmap config MYDOMAIN : schema_mode = rfc2307
     idmap config MYDOMAIN : range = 10000-99999

This is correctly reflected in the id mappings:

root at fileserver2:/var/log/samba# net idmap dump
dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
GID 2004 S-1-5-11
USER HWM 2000
GID 2002 S-1-1-0
GID 2003 S-1-5-2
GROUP HWM 2005

Thanks and best regards

Udo


>
> Rowland
>
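The idmap configuration and the "net idmap dump" output quoted above are the kind of thing worth checking mechanically on a member server. The following POSIX sh script is an added example, not code from Udo's or Rowland's mails or from the Samba project. It reads the "idmap config" lines that "grep idmap /etc/samba/smb.conf" prints and verifies that the ranges of the different backends do not overlap (Samba requires disjoint ranges, otherwise one Unix id could stand for two different SIDs), and it checks that every UID/GID allocated in winbindd_idmap.tdb lies inside the range of the "*" (tdb) backend. The function names are mine; the sample config and dump lines are copied from this thread, and the overlapping counter-example and the out-of-range dump line are constructed.

```shell
#!/bin/sh
# Added example: sanity checks for Samba idmap ranges and the tdb id allocations.
# Both functions read their input from stdin so they run offline against the
# constructed samples below; on a real server feed them the live output.

# check_idmap_ranges: parse "idmap config DOM : range = LO-HI" lines (comments
# starting with ';' or '#' are skipped), print each range and exit 1 if a range
# is malformed or any two ranges overlap.
check_idmap_ranges() {
    awk '
        BEGIN { rc = 0 }
        /^[ \t]*[;#]/ { next }
        /idmap config .*:[ \t]*range[ \t]*=/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)   # -> "DOM : range = LO-HI"
            split(line, p, ":")
            dom = p[1]; gsub(/[ \t]/, "", dom)
            split(p[2], q, "=")
            r = q[2]; gsub(/[ \t]/, "", r)
            split(r, b, "-")
            n++; name[n] = dom; lo[n] = b[1] + 0; hi[n] = b[2] + 0
            printf "range %-10s %d-%d\n", dom, lo[n], hi[n]
            if (lo[n] >= hi[n]) { printf "BAD RANGE: %s\n", dom; rc = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "OVERLAP: %s %d-%d vs %s %d-%d\n", name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                        rc = 1
                    }
            exit rc
        }'
}

# check_idmap_dump LO HI: read "net idmap dump" output and exit 1 if any
# allocated UID/GID lies outside LO-HI, the range of the "*" tdb backend
# (the ad backend reads uidNumber/gidNumber from AD and allocates nothing here).
check_idmap_dump() {
    awk -v lo="$1" -v hi="$2" '
        BEGIN { rc = 0 }
        ($1 == "UID" || $1 == "GID") && NF >= 3 {
            id = $2 + 0
            if (id < lo || id > hi) { printf "OUT OF RANGE: %s %d %s\n", $1, id, $3; rc = 1 }
            else printf "ok %s %d %s\n", $1, id, $3
        }
        END { exit rc }'
}

# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SMBCONF_GOOD=$(printf '%s\n' \
    '     ;; Default idmap config used for BUILTIN and local accounts/groups' \
    '     idmap config * : backend = tdb' \
    '     idmap config * : range = 2000-9999' \
    '     ;; idmap config for domain MYDOMAIN' \
    '     idmap config MYDOMAIN : backend = ad' \
    '     idmap config MYDOMAIN : schema_mode = rfc2307' \
    '     idmap config MYDOMAIN : range = 10000-99999')

# Constructed counter-example: a domain range that overlaps the "*" range.
SMBCONF_BAD=$(printf '%s\n' \
    '     idmap config * : range = 2000-9999' \
    '     idmap config MYDOMAIN : range = 5000-99999')

# Constructed sample: the "net idmap dump" output shown in the thread.
DUMP_SAMPLE=$(printf '%s\n' \
    'dumping id mapping from /var/lib/samba/winbindd_idmap.tdb' \
    'GID 2004 S-1-5-11' \
    'USER HWM 2000' \
    'GID 2002 S-1-1-0' \
    'GID 2003 S-1-5-2' \
    'GROUP HWM 2005')

# demo: the good config must pass, the overlapping one must be caught, and
# the dumped ids must all fall into the 2000-9999 tdb range.
demo() {
    printf '%s\n' "$SMBCONF_GOOD" | check_idmap_ranges || return 1
    if printf '%s\n' "$SMBCONF_BAD" | check_idmap_ranges; then return 1; fi
    printf '%s\n' "$DUMP_SAMPLE" | check_idmap_dump 2000 9999
}

demo
```

On the member server the same checks run as `grep idmap /etc/samba/smb.conf | check_idmap_ranges` and `net idmap dump | check_idmap_dump 2000 9999`; a non-zero exit from either is a sign that the ranges were changed after mappings had already been allocated, which is exactly the situation in which file ownership stops matching the accounts you expect.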