[Samba] Unable to set up home share correctly

Udo Willke udo.willke at freenet.de
Fri Oct 14 15:52:33 UTC 2016

On 14.10.2016 at 16:40, Rowland Penny via samba wrote:
> On Fri, 14 Oct 2016 16:01:14 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>> On 14.10.2016 at 15:04, Rowland Penny via samba wrote:
>>> On Fri, 14 Oct 2016 14:32:52 +0200
>>> Udo Willke via samba <samba at lists.samba.org> wrote:
>>>> Hello Rowland,
>>>> On 13.10.2016 at 18:25, Rowland Penny via samba wrote:
>>>>> It sounds like you don't have IDMU installed, not sure if you can
>>>>> install it on 2012.
>>>> are you trying to say that I should install "Identity Management
>>>> for Unix" on a Windows Server 2012? If yes, I am afraid we have a
>>>> misunderstanding here: I don't use any Windows Server in my set-up.
>>>> I use a Fileserver with two network interfaces, one connected to a
>>>> private network, the other connected to our university network. A
>>>> Samba AD DC is supposed to manage a small Windows Domain in the
>>>> private net. The fileserver also serves as a gateway to the
>>>> Windows 7 workstations in the private net. Fileserver and AD DC
>>>> are both running ubuntu 16.04 and have the respective Samba
>>>> packages installed. For testing I have set up two Windows 7
>>>> Instances on ESXi inside the private net, one with the RSAT Tools
>>>> installed and one as a user PC.
>>>> Update: I spent the morning setting up a fresh member server
>>>> ("FILESERVER2") for testing inside the private net (with 1 NIC
>>>> only, thereby reducing complexity). I think I have made all the
>>>> necessary steps and did not forget to grant the
>>>> SeDiskOperatorPrivilege rights to the Domain Admins:
>>>> root at fileserver2:/var/log/samba# net rpc rights list 'MYDOMAIN\Domain Admins' -U'MYDOMAIN\Administrator' -S addc01
>>>> Enter MYDOMAIN\Administrator's password:
>>>> SeDiskOperatorPrivilege
>>>> Now I'm stuck in the RSAT Computer Management Console where I am
>>>> denied access to the share configuration. On the navigation tree in
>>>> the left window "Local users and groups" is shown as locked (and I
>>>> remember this went only away after I assigned a uidNumber to the
>>>> Administrator account and made it a member of the Domain Admins Unix
>>>> Group). Can't tell if this is a useful hint.
>>> I could have sworn you mentioned a 2012 server,
>> No problem
>>> so if you are
>>> authenticating the fileserver to a Samba AD DC, did you provision
>>> the DC with '--use-rfc2307' ?
>> Yes, I did. From my shell history:
>> samba-tool domain provision --use-rfc2307 --function-level=2008_R2 \
>>   --dns-backend=BIND9_DLZ --host-name=addc01 --realm=MYDOMAIN.LAN \
>>   --domain=MYDOMAIN --server-role='dc' --adminpass='*******************'
>>> Not a problem if you didn't, see here:
>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_NIS_extensions
>>> The 'Administrator' is always a member of 'Domain Admins'
>>> Did you remember to add the 'user.map' line to smb.conf ?
>> Yes I did, but had a typo in the real domain name .... and this was
>> the problem :-[
>> Now I have access to the share configuration :-)
>> What's a little confusing:
>> "Share Permsissions" has the "Everyone" account already filled in
>> with "Full Control".
>> "Security" has "Everyone", "root", "ERSTELLER-BESITZER" (Creator
>> Owner), ERSTELLERGRUPPE (Creator Group) and "Domain Admins" accounts
>> already filled in
>> ---> What would you suggest? Remove all unwanted accounts first and
>> then follow the wiki? I remember trouble started when I removed the
>> "Everyone" account.
>> Extended attributes on [home] look like this at this point:
>> root at fileserver2:/var/log/samba# LANG=en_US getfacl /var/share/samba/homes/
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/share/samba/homes/
>> # owner: root
>> # group: MYDOMAIN\134domain\040admins
>> user::rwx
>> group::rwx
>> other::r-x
>> BTW: On this server, I changed the id ranges to more modest values:
>> root at fileserver2:/var/log/samba# grep idmap /etc/samba/smb.conf
>>       ;; Default idmap config used for BUILTIN and local accounts/groups
>>       idmap config * : backend = tdb
>>       idmap config * : range = 2000-9999
>>       ;; idmap config for domain MYDOMAIN
>>       idmap config MYDOMAIN : backend = ad
>>       idmap config MYDOMAIN : schema_mode = rfc2307
>>       idmap config MYDOMAIN : range = 10000-99999
> Are you following this wiki page ?
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Yes, the page is linked in the "Preparatory work" section of the "User 
home drives" page <https://wiki.samba.org/index.php/User_home_drives>

However it is not very specific as to what permissions should actually 
be configured: "Go to the "Security" tab, click the "Edit" button and 
configure the desired Windows ACLs".

> Also, when you changed the ranges in smb.conf, have you changed the
> uidNumber & gidNumber attributes in AD ?

Not necessary in my opinion as I only modified the "overkill" range of 
the * domain (100000 -  2^32 -1) .

BTW: There is no range checking in the code. I started with 2^32 = 
4294967296 as the upper limit and the mapping didn't work at all. 
Discovered later in the logs the range was parsed into "range 100000-0".

Two questions:

1) Do you agree with the directions given by L.P.H. van Belle: Create 
new user "Admin" and remove all the already filled in accounts (much 
like in the screenshot on the 
<https://wiki.samba.org/index.php/Shares_with_Windows_ACLs> page?

2) Can you elaborate on this?

I have removed the rfc2307-IDs now. I guess going to the "Unix
Attributes" tab in ADUC and setting "NIS Domain" to "none" is

--> No, it should show your domain name.

Hmm, the "NIS Domain" setting is a drop-down menu. When I choose
mydomain (in lower case this time) a UID Number is automatically
assigned, when I choose <none> the fields are greyed out. So "no
uidNumber" and "should show your domain name" don't work at the same
time. Or should I choose mydomain and delete the remaining field

Thanks a lot and best regards


> Rowland
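The thread observes that an idmap upper bound of 2^32 silently ended up as "range 100000-0" in the logs. The following added example (not code from the thread or from Samba) is a small smb.conf idmap range checker that flags an upper bound beyond what a 32-bit uid_t/gid_t can hold, an inverted range, and overlapping ranges between the `*` and domain backends. The smb.conf fragment is constructed from the settings posted above, plus a hypothetical BADDOM entry reproducing the 2^32 mistake.

```python
import re

UID_MAX = 2**32 - 1  # uid_t/gid_t are 32-bit unsigned on Linux

# Constructed smb.conf fragment: the thread's idmap lines plus a
# hypothetical BADDOM domain that uses 2^32 as its upper bound.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
idmap config BADDOM : backend = ad
idmap config BADDOM : range = 100000-4294967296
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_ranges(conf):
    """Map each idmap domain name (including '*') to its (low, high) range."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_ranges(ranges):
    """Return (domain, problem) findings; an empty list means the ranges are sane."""
    findings = []
    for dom, (low, high) in ranges.items():
        if high > UID_MAX:
            # A value above UID_MAX wraps modulo 2^32 when stored in a 32-bit
            # id; 4294967296 wraps to 0, matching the "100000-0" seen in the logs.
            findings.append((dom, f"upper bound {high} exceeds {UID_MAX}; "
                                  f"as 32-bit it reads {high & UID_MAX}"))
        elif low >= high:
            findings.append((dom, f"lower bound {low} is not below upper bound {high}"))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (la, ha), (lb, hb) = ranges[a], ranges[b]
            if la <= hb and lb <= ha:  # overlapping ranges give ambiguous id mappings
                findings.append((a, f"range overlaps with {b}"))
    return findings


if __name__ == "__main__":
    for dom, problem in check_ranges(parse_ranges(SMB_CONF)):
        print(f"{dom}: {problem}")
```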
