[Samba] Unable to set up home share correctly

Rowland Penny rpenny at samba.org
Fri Oct 14 14:40:06 UTC 2016


On Fri, 14 Oct 2016 16:01:14 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:

> > On 14.10.2016 at 15:04, Rowland Penny via samba wrote:
> > On Fri, 14 Oct 2016 14:32:52 +0200
> > Udo Willke via samba <samba at lists.samba.org> wrote:
> >
> >> Hello Rowland,
> >>
> >> On 13.10.2016 at 18:25, Rowland Penny via samba wrote:
> >>> It sounds like you don't have IDMU installed, not sure if you can
> >>> install it on 2012.
> >> are you trying to say that I should install "Identity Management
> >> for Unix" on a Windows Server 2012? If yes, I am afraid we have a
> >> misunderstanding here: I don't use any Windows Server in my set-up.
> >>
> >> I use a Fileserver with two network interfaces, one connected to a
> >> private network, the other connected to our university network. A
> >> Samba AD DC is supposed to manage a small Windows Domain in the
> >> private net. The fileserver also serves as a gateway to the
> >> Windows 7 workstations in the private net. Fileserver and AD DC
> >> are both running ubuntu 16.04 and have the respective Samba
> >> packages installed. For testing I have set up two Windows 7
> >> Instances on ESXi inside the private net, one with the RSAT Tools
> >> installed and one as a user PC.
> >>
> >> Update: I spent the morning setting up a fresh member server
> >> ("FILESERVER2") for testing inside the private net (with 1 NIC
> >> only, thereby reducing complexity) I think, I have made all the
> >> necessary steps and did not forget to grant the
> >> SeDiskOperatorPrivilege rights to the Domain Admins
> >>
> >> root at fileserver2:/var/log/samba# net rpc rights list
> >> 'MYDOMAIN\Domain Admins' -U'MYDOMAIN\Administrator' -S addc01
> >> Enter MYDOMAIN\Administrator's password:
> >> SeDiskOperatorPrivilege
> >>
> >> Now I'm stuck in the RSAT Computer Management Console where I am
> >> denied access to the share configuration. On the navigation tree in
> >> the left window "Local users and groups" is shown as locked (and I
> >> remember this went only away after I assigned a uidNumber to the
> >> Administrator account and made it a member of the Domain Admins Unix
> >> Group). Can't tell if this is a useful hint.
> >>
> > I could have sworn you mentioned a 2012 server,
> No problem
> > so if you are
> > authenticating the fileserver to a Samba AD DC, did you provision
> > the DC with '--use-rfc2307' ?
> Yes, I did. From my shell history
> 
> samba-tool domain provision --use-rfc2307 --function-level=2008_R2 \
>   --dns-backend=BIND9_DLZ --host-name=addc01 --realm=MYDOMAIN.LAN \
>   --domain=MYDOMAIN --server-role='dc' \
>   --adminpass='*******************'
> 
> > Not a problem if you didn't, see here:
> >
> > https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_NIS_extensions
> >
> > The 'Administrator' is always a member of 'Domain Admins'
> >
> > Did you remember to add the 'user.map' line to smb.conf ?
>   Yes I did, but had a typo in the real domain name .... and this was 
> the problem :-[
> 
> Now I have access to the share configuration :-)
> 
> What's a little confusing:
> "Share Permissions" has the "Everyone" account already filled in
> with "Full Control".
> "Security" has "Everyone", "root", "ERSTELLER-BESITZER" (Creator
> Owner), ERSTELLERGRUPPE (Creator Group) and "Domain Admins" accounts
> already filled in
> 
> ---> What would you suggest? Remove all unwanted accounts first and
> then follow the wiki? I remember trouble started when I removed the
> "Everyone" account.
> 
> Extended attributes on [home] look like this at this point
> 
> root at fileserver2:/var/log/samba# LANG=en_US getfacl /var/share/samba/homes/
> getfacl: Removing leading '/' from absolute path names
> # file: var/share/samba/homes/
> # owner: root
> # group: MYDOMAIN\134domain\040admins
> user::rwx
> group::rwx
> other::r-x
> 
> BTW: On this server, I changed the id ranges to more modest values
> 
> root at fileserver2:/var/log/samba# grep idmap /etc/samba/smb.conf
>      ;; Default idmap config used for BUILTIN and local accounts/groups
>      idmap config * : backend = tdb
>      idmap config * : range = 2000-9999
>      ;; idmap config for domain MYDOMAIN
>      idmap config MYDOMAIN : backend = ad
>      idmap config MYDOMAIN : schema_mode = rfc2307
>      idmap config MYDOMAIN : range = 10000-99999
> 

Are you following this wiki page ?

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Also, when you changed the ranges in smb.conf, have you changed the
uidNumber & gidNumber attributes in AD?

Rowland
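Rowland's last question is the one most likely to bite after the ranges were reduced: with `idmap config MYDOMAIN : backend = ad`, winbind only maps an AD user or group whose uidNumber/gidNumber lies inside the configured range, and anything outside it simply does not resolve on the member server, so the ACLs set through RSAT cannot apply to it. The script below is an added example written for this reply, not code from the thread, from Udo, or from the Samba project. It parses the `idmap config <domain> : range` line out of an smb.conf and checks a list of AD IDs against it. The smb.conf fragment and the AD records are constructed to mirror the values posted above (the 3000500 entry stands for an ID assigned under an earlier, larger range); the config parsing is deliberately simple (one file, no `include =`, first colon separates the domain). In a real check the IDs would come from the DC, for example `ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)' sAMAccountName uidNumber`, and smb.conf from the member server.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): verify that the
# uidNumber/gidNumber values stored in AD fall inside the idmap range that
# the member server's smb.conf configures for the domain.

# Constructed smb.conf fragment mirroring the ranges posted in the thread.
SMBCONF_SAMPLE='[global]
   workgroup = MYDOMAIN
   security = ADS
   ;; Default idmap config used for BUILTIN and local accounts/groups
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   ;; idmap config for domain MYDOMAIN
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : schema_mode = rfc2307
   idmap config MYDOMAIN : range = 10000-99999
'

# Constructed AD records, one per line: "<uidNumber-or-gidNumber> <name>".
# 3000500 stands for an ID assigned under an earlier, larger range.
AD_IDS_SAMPLE='10000 Administrator
10001 udo
10002 Domain Admins
3000500 oldaccount'

# idmap_range <smb.conf text> <domain>
# Prints "<low> <high>" for the domain's idmap range, nothing if unset.
idmap_range() {
    printf '%s\n' "$1" | awk -v dom="$2" '
        /^[ \t]*idmap config[ \t]/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)
            n = index(line, ":")
            if (n == 0) next
            d = substr(line, 1, n - 1); gsub(/[ \t]/, "", d)
            rest = substr(line, n + 1)
            if (d == dom && rest ~ /^[ \t]*range[ \t]*=/) {
                sub(/^[ \t]*range[ \t]*=[ \t]*/, "", rest)
                gsub(/[ \t]/, "", rest)
                split(rest, r, "-")
                print r[1], r[2]
            }
        }'
}

# id_in_range <id> <low> <high>: succeeds when low <= id <= high.
id_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_ad_ids <smb.conf text> <domain> <records>
# Prints one "ok"/"OUT-OF-RANGE" line per record, then "mismatches=<n>".
# Returns 1 only if the domain has no range configured at all.
check_ad_ids() {
    range=$(idmap_range "$1" "$2")
    if [ -z "$range" ]; then
        echo "no idmap range configured for $2"
        return 1
    fi
    low=${range% *}
    high=${range#* }
    bad=0
    while read -r id name; do
        [ -z "$id" ] && continue
        if id_in_range "$id" "$low" "$high"; then
            echo "ok            $id $name"
        else
            echo "OUT-OF-RANGE  $id $name (range for $2 is $low-$high)"
            bad=$((bad + 1))
        fi
    done <<EOF
$3
EOF
    echo "mismatches=$bad"
}

check_ad_ids "$SMBCONF_SAMPLE" MYDOMAIN "$AD_IDS_SAMPLE"
```

Any line reported as OUT-OF-RANGE is an account that needs its uidNumber or gidNumber changed in AD (or the range widened again) before winbind on FILESERVER2 will map it; the `*` backend's tdb range is checked the same way by passing `'*'` as the domain.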


