[Samba] Fw: AD users are not shown in Domain Controller when applying setfacl command

L.P.H. van Belle belle at bazuin.nl
Tue Dec 4 13:31:50 UTC 2018


If I may say..

In managing your servers/network, don't use users but user groups. Just a tip.

Your attempt is ok with:  setfacl -m group:"EIPL\administrator":rwx /Share
But the use is not correct, you try to set a user for a group in Linux.. That's not working.
Or setfacl -m group:"EIPL\Domain Admins":rwx /Share    ( but this is on the DC )
Or setfacl -m group:"BUILTIN\Administrators":rwx /Share  ( domain admins is member of BUILTIN\Administrators )
Preferred: use BUILTIN\Administrators, which always works on the DCs.

Or setfacl -m user:"BUILTIN\Administrator":rwx /Share 

And really try to work with groups, the more the better; I never set a user on things, always groups.

About the mail below. 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> barani tharan via samba
> Sent: Tuesday 4 December 2018 13:37
> To: samba at lists.samba.org; Rowland Penny
> Subject: Re: [Samba] Fw: AD users are not shown in Domain
> Controller when applying setfacl command
> 
>  Dear Team
> 1.  I get the same error in the domain controller when I try to set an ACL
> on the file share
> 
> [root at samba4dc ~]# setfacl -m group:"EIPL\administrator":rwx /Share
> setfacl: Option -m: Invalid argument near character 7
> 
> [root at samba4dc ~]# id EIPL\administrator
> id: EIPLadministrator: no such user

Yes, correct, user Administrator does not have a UID because Administrator is mapped to root.

If it's correct.  ( most probably the solution is at the end of the mail. )

id Administrator
uid=0(root) gid=0(root) groups=0(root)

> 2.  My smb.conf file    
I've compared this one with mine, it's the same; at least yours is ok/sufficient for what you want.

>   [root at samba4dc ~]# vi /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
>         netbios name = SAMBA4DC
>         realm = EIPL.COM
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, 
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = EIPL
>         idmap_ldb:use rfc2307 = yes
> 
> 
> #       idmap config EIPL:backend = ad
> #       idmap config EIPL:schema_mode = rfc2307
> #       idmap config EIPL:range = 10000-999999
> #       tls enabled = yes
> #       tls keyfile = tls/Domainkey.pem
> #       tls certfile = tls/Mydomain.pem
> 
> 
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/eipl.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
> 
> [Comon]
>         path = /Share
>         read Only = No
> ~
> 
> 
> 3. When I view the ACL in that share folder, I see the user id
> only, not the user name
> [root at samba4dc ~]# getfacl /Share
> getfacl: Removing leading '/' from absolute path names
> # file: Share
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> user:root:rwx
> user:3000000:rwx
> group::r-x
> group:root:r-x
> group:3000000:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:3000000:rwx
> default:mask::rwx
> default:other::r-x

What's shown, that is correct.
What you see is the id of the users/groups for the AD DC.
wbinfo --gid-to-sid 3000000 
wbinfo --uid-to-sid 3000000

Both result in: S-1-5-32-544

wbinfo --sid-to-name S-1-5-32-544
BUILTIN\Administrators 4

> 
> 
> 4. When I use samba-tool to view users it shows the user names
> 
>     [root at samba4dc ~]# samba-tool user list
> Administrator
> Ramkumar
> dns-samba4dc
> rhevadmin
> krbtgt
> Guest

It's still correct, all good here..


> 5. [root at samba4dc ~]# samba -V
> Version 4.7.11
> 
> 
>         I don't know how to solve this problem. One more
> thing: I viewed the link Identity Mapping Back Ends - SambaWiki
> and Setting up RFC2307 in AD - SambaWiki
> 6.  In these links it says this:
>   1. ID mapping back ends are not supported in the smb.conf
> file on a Samba AD DC  2. On an AD DC there should not be more
> than the sysvol and netlogon share, so the usage of unified
> RFC2307 idmappings is not really important. If you want to
> enable RFC2307 ID mappings on the DC for whatever reason, then
> you would have to verify on the Samba DC, that the
> idmap_ldb:use rfc2307
> 

I don't see a problem in your setup, only missing one thing..  ( that's the link below. )


> 7.  In the other link Updating Samba - SambaWiki
>        In that link I see this option, so please guide
> me to solve this issue, I am really confused:
> Failure To Access Shares on Domain Controllers If idmap
> config Parameters Set in the smb.conf File
> 

Did you configure winbind?

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC


Greetz, 

Louis
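The two checks behind the advice in this thread, as an added example that is not code from the mailing list or from the Samba project: first, scan a share's `getfacl` output for entries that are still bare numeric IDs (UIDs/GIDs the DC could not map back to a name, like the `3000000` entries quoted above); second, confirm that a group name such as `BUILTIN\Administrators` resolves through NSS before handing it to `setfacl -m group:...`, so that a user given as a group, or a DC without winbindd, is reported clearly instead of as "Invalid argument near character 7". It assumes the standard `getfacl`/`setfacl` and glibc `getent` tools; the `ACL_GROUP_LOOKUP` override and the `SAMPLE_ACL` text are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project.
# Assumes the acl package (getfacl/setfacl) and glibc getent are installed.

# Constructed sample, modelled on the getfacl output quoted in the thread.
SAMPLE_ACL='# file: Share
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
group::r-x
group:root:r-x
group:3000000:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::r-x
default:group:root:r-x
default:group:3000000:rwx
default:mask::rwx
default:other::r-x'

# Read getfacl output on stdin and print only the named entries whose
# qualifier is a bare number, i.e. no name could be resolved for that ID.
# Entries with an empty qualifier (owner, owning group, mask, other) are
# skipped; a leading "default:" is kept so default entries stay visible.
unresolved_acl_entries() {
    awk -F: '
        /^#/ { next }
        {
            qual = $2
            if ($1 == "default") qual = $3
            if (qual ~ /^[0-9]+$/) print $0
        }'
}

# Run the scan on the constructed sample (stand-alone demo helper).
unresolved_in_sample() {
    printf '%s\n' "$SAMPLE_ACL" | unresolved_acl_entries
}

# Ask NSS whether a group name is known. On a DC this only succeeds for
# AD groups once winbindd is configured. ACL_GROUP_LOOKUP (hypothetical,
# for this example) lets a test substitute a stub for getent.
group_exists() {
    "${ACL_GROUP_LOOKUP:-getent}" group "$1" >/dev/null 2>&1
}

# Build the setfacl -m spec for a group, refusing names that do not
# resolve. Prints e.g. group:BUILTIN\Administrators:rwx on success.
group_acl_spec() {
    name=$1
    perms=${2:-rwx}
    if group_exists "$name"; then
        printf 'group:%s:%s\n' "$name" "$perms"
    else
        printf 'refusing "%s": not a resolvable group (winbindd not configured, or a user name given as a group)\n' "$name" >&2
        return 1
    fi
}

# Apply a group ACL entry to a path only after the name check passes.
# Usage: apply_group_acl 'BUILTIN\Administrators' /Share [rwx]
apply_group_acl() {
    spec=$(group_acl_spec "$1" "${3:-rwx}") || return 1
    setfacl -m "$spec" "$2"
}
```

On a live DC, `getfacl /Share | unresolved_acl_entries` lists exactly the IDs worth feeding to `wbinfo --gid-to-sid` / `wbinfo --uid-to-sid` as shown above; an empty result after winbindd is configured means every entry now maps to a name.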
