[Samba] Unable to set up home share correctly

Udo Willke udo.willke at freenet.de
Mon Oct 17 15:14:43 UTC 2016 

Hello Rowland,

Am 14.10.2016 um 18:18 schrieb Rowland Penny via samba:
> On Fri, 14 Oct 2016 17:52:33 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>
>> However it is not very specific as to what permissions should
>> actually be configured: "Go to the "Security" tab, click the "Edit"
>> button and configure the desired Windows ACLs".
>>
> What it means is, you need to add/change the users and groups and set
> permissions to meet your requirements.
>
>>> Also, when you changed the ranges in smb.conf, have you changed th
>>> uidNumber & gidNumber attributes in AD ?
>> Not necessary in my opinion as I only modified the "overkill" range
>> of the * domain (100000 -  2^32 -1) .
>>
>> BTW: There is no range checking in the code. I started with 2^32 =
>> 4294967296 as the upper limit and the mapping didn't work at all.
>> Discovered later in the logs the range was parsed into "range
>> 100000-0".
>>
>> Two questions:
>>
>> 1) Do you agree with the directions given by L.P.H. van Belle: Create
>> new user "Admin" and remove all the already filled in accounts (much
>> like in the screenshot on the
>> <https://wiki.samba.org/index.php/Shares_with_Windows_ACLs> page?
> This is up to you, by doing what Louis is suggesting, is security
> through obscurity. It means that anybody trying to get into your system
> has to know (or obtain by whatever means) not only the password, they
> also have to know the username to go with it.
> As for removing the accounts, you need to decide just who has access
> and how much access they have, this may mean removing, altering or
> adding accounts.
>
>
>> 2) Can you elaborate on this?
>>
> i think I just did ;-)
>   
>> I have removed the rfc2307-IDs now. I guess going to the "Unix
>> Attributes" tab in ADUC and setting "NIS Domain" to "none" is
>> sufficient?
>>
>> --> No, it should show your domain name.
>>
>> Hmm, the "NIS Domain" setting is a drop-down menu. When I choose
>> mydomain (in lower case this time) a UID Number is automatically
>> assigned, when I choose <none> the fields are greyed out. So "no
>> uidNumber" and "should show your domain name" don't work at the same
>> time. Or should I choose mydomain and delete the remaining field
>> entries?
> If the windows machine that ADUC is running on is joined to the domain,
> it normally allows you to set the domain on the 'Unix Attributes' tab
> and setting this, fills in all the other boxes (uidNumber etc)

Sorry for asking this twice, I just wanted to see if I understood 
everything correctly.

So, to summarize the discussion:

System accounts should not have rfc2307 IDs, only (unprivileged) users 
should. The Administrator account is the exception. It can be mapped to 
root trough the "username map" directive

Today, I followed the wiki page 
<https://wiki.samba.org/index.php/User_home_drives> with all the 
prerequisites. Unfortunately, the automatic home folder creation still 
does not work. So I checked all my logs and I guess I have another 
problem with DDNS and DHCP:

Oct 17 16:15:41 addc01 named[6074]: samba_dlz: starting transaction on 
zone 6.168.192.in-addr.arpa
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: spnego update failed
Oct 17 16:15:41 addc01 named[6074]: client 127.0.0.1#59487/key rndc-key: 
updating zone '6.168.192.in-addr.arpa/NONE': update failed: rejected by 
secure update (REFUSED)
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: cancelling transaction on 
zone 6.168.192.in-addr.arpa
Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPREQUEST for 192.168.6.56 from 
00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPACK on 192.168.6.56 to 
00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd[6062]: Unable to add reverse map from 
56.6.168.192.in-addr.arpa. to Admin-PC.mydomain.lan: REFUSED


This translates into missing PTR records of my two virtual PCs in the 
DNS (configured to get their IPs over DHCP). Can this be related to my 
first problem or has this other side effects?

When I run the command

samba_dnsupdate --verbose --all-names

everything looks fine.

Is this an known issue/mistake in the configuration?

Best regards

Udo

>
> Rowland
>

More information about the samba mailing list