[Samba] Unable to set up home share correctly
Rowland Penny
rpenny at samba.org
Fri Oct 14 14:40:06 UTC 2016
On Fri, 14 Oct 2016 16:01:14 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:
> On 14.10.2016 at 15:04, Rowland Penny via samba wrote:
> > On Fri, 14 Oct 2016 14:32:52 +0200
> > Udo Willke via samba <samba at lists.samba.org> wrote:
> >
> >> Hello Rowland,
> >>
> >> On 13.10.2016 at 18:25, Rowland Penny via samba wrote:
> >>> It sounds like you don't have IDMU installed, not sure if you can
> >>> install it on 2012.
> >> are you trying to say that I should install "Identity Management
> >> for Unix" on a Windows Server 2012? If yes, I am afraid we have a
> >> misunderstanding here: I don't use any Windows Server in my set-up.
> >>
> >> I use a Fileserver with two network interfaces, one connected to a
> >> private network, the other connected to our university network. A
> >> Samba AD DC is supposed to manage a small Windows Domain in the
> >> private net. The fileserver also serves as a gateway to the
> >> Windows 7 workstations in the private net. Fileserver and AD DC
> >> are both running ubuntu 16.04 and have the respective Samba
> >> packages installed. For testing I have set up two Windows 7
> >> Instances on ESXi inside the private net, one with the RSAT Tools
> >> installed and one as a user PC.
> >>
> >> Update: I spent the morning setting up a fresh member server
> >> ("FILESERVER2") for testing inside the private net (with 1 NIC
> >> only, thereby reducing complexity). I think I have made all the
> >> necessary steps and did not forget to grant the
> >> SeDiskOperatorPrivilege rights to the Domain Admins:
> >>
> >> root at fileserver2:/var/log/samba# net rpc rights list
> >> 'MYDOMAIN\Domain Admins' -U'MYDOMAIN\Administrator' -S addc01
> >> Enter MYDOMAIN\Administrator's password:
> >> SeDiskOperatorPrivilege
> >>
> >> Now I'm stuck in the RSAT Computer Management Console where I am
> >> denied access to the share configuration. On the navigation tree in
> >> the left window "Local users and groups" is shown as locked (and I
> >> remember this only went away after I assigned a uidNumber to the
> >> Administrator account and made it a member of the Domain Admins Unix
> >> Group). Can't tell if this is a useful hint.
> >>
> > I could have sworn you mentioned a 2012 server,
> No problem
> > so if you are
> > authenticating the fileserver to a Samba AD DC, did you provision
> > the DC with '--use-rfc2307' ?
> Yes, I did. From my shell history
>
> samba-tool domain provision --use-rfc2307 --function-level=2008_R2
> --dns-backend=BIND9_DLZ --host-name=addc01 --realm=MYDOMAIN.LAN
> --domain=MYDOMAIN --server-role='dc' --adminpass='*******************'
>
> > Not a problem if you didn't, see here:
> >
> > https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_NIS_extensions
> >
> > The 'Administrator' is always a member of 'Domain Admins'
> >
> > Did you remember to add the 'user.map' line to smb.conf ?
> Yes I did, but had a typo in the real domain name .... and this was
> the problem :-[
>
> Now I have access to the share configuration :-)
>
> What's a little confusing:
> "Share Permsissions" has the "Everyone" account already filled in
> with "Full Control".
> "Security" has "Everyone", "root", "ERSTELLER-BESITZER" (Creator
> Owner), ERSTELLERGRUPPE (Creator Group) and "Domain Admins" accounts
> already filled in
>
> ---> What would you suggest? Remove all unwanted accounts first and
> then follow the wiki? I remember trouble started when I removed the
> "Everyone" account.
>
> Extended attributes on [home] look like this at this point
>
> root at fileserver2:/var/log/samba# LANG=en_US getfacl /var/share/samba/homes/
> getfacl: Removing leading '/' from absolute path names
> # file: var/share/samba/homes/
> # owner: root
> # group: MYDOMAIN\134domain\040admins
> user::rwx
> group::rwx
> other::r-x
>
> BTW: On this server, I changed the id ranges to more modest values
>
> root at fileserver2:/var/log/samba# grep idmap /etc/samba/smb.conf
> ;; Default idmap config used for BUILTIN and local accounts/groups
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> ;; idmap config for domain MYDOMAIN
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : schema_mode = rfc2307
> idmap config MYDOMAIN : range = 10000-99999
>
Are you following this wiki page ?
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
Also, when you changed the ranges in smb.conf, have you changed the
uidNumber & gidNumber attributes in AD ?
Rowland
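A check for Rowland's last question, added here as an example and not part of the thread: with `idmap config MYDOMAIN : backend = ad`, winbind only maps accounts whose uidNumber/gidNumber lies inside the configured range, so any value left over from the old ranges silently stops mapping on the member server. The smb.conf fragment is the one quoted in the thread; the name/ID listing is constructed (the kind of data you would collect from the DC with samba-tool or ldbsearch), and the names in it are made up.

```shell
#!/bin/sh
# Added example, not from the thread: verify that every uidNumber/gidNumber
# set in AD lies inside the idmap range smb.conf configures for the domain
# (idmap_ad ignores IDs outside its range, so such accounts stop mapping).

# smb.conf fragment with the ranges quoted in the thread.
SMB_CONF_SAMPLE=';; idmap config for domain MYDOMAIN
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999'

# Constructed "kind name id" listing of uidNumber/gidNumber attributes as you
# would gather them from the DC; names and the two stray values are made up.
AD_IDS_SAMPLE='user administrator 10000
user udo 10001
user olduser 3000
group domain_admins 10002
group staff 100500'

# idmap_range CONF DOMAIN -> prints "LO HI" from that domain's range line
idmap_range() {
    printf '%s\n' "$1" | awk -v dom="$2" -F' *= *' \
        '$1 == "idmap config " dom " : range" { split($2, r, "-"); print r[1], r[2] }'
}

# check_ids CONF DOMAIN IDLIST -> reports every ID outside the range;
# the return status is the number of offending entries (0 = all good)
check_ids() {
    range=$(idmap_range "$1" "$2")
    if [ -z "$range" ]; then
        echo "no 'idmap config $2 : range' line found" >&2
        return 1
    fi
    lo=${range%% *}; hi=${range##* }; bad=0
    while read -r kind name id; do
        [ -z "$id" ] && continue
        if [ "$id" -lt "$lo" ] || [ "$id" -gt "$hi" ]; then
            echo "$kind $name: id $id outside $2 range $lo-$hi"
            bad=$((bad + 1))
        fi
    done <<EOF
$3
EOF
    return $bad
}

if check_ids "$SMB_CONF_SAMPLE" MYDOMAIN "$AD_IDS_SAMPLE"; then
    echo "all uidNumber/gidNumber values fit the MYDOMAIN idmap range"
fi
```

Run against real data by replacing the two sample variables with `cat /etc/samba/smb.conf` and a listing pulled from the DC; anything it reports is an account that winbind on the member server will not map.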