[Samba] Fixing sysvol permissions

Mark Foley mfoley at ohprs.org
Sat Jun 23 19:14:44 UTC 2018


On Tue, 19 Jun 2018 18:29:58 +0100 Rowland Penny wrote:
>
> On Tue, 19 Jun 2018 12:52:46 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
[deleted]
> > One thing I've noticed that is a bit puzzling is the group ownership
> > of these policy files:
> > 
> > -rwxrwxr-x+ 1 3000000 domusers 2240 2018-06-18 17:33:55 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini
> > -rwxrwx---+ 1 3000000 users 64 2018-06-18 17:34:22 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/GPT.INI
> > -rwxrwx--- 1 3000000 users 59 2015-05-15 14:22:44 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/GPT.INI
> > -rwxrwxrwx 1 root root 199 2015-05-21 14:42:59 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat
> > -rwxrwx--- 1 3000000 users 104 2015-05-15 14:22:16 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/scripts.ini
> > -rwxrwx--- 1 3000000 domusers 142 2016-01-19 17:04:23 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
> > -rwxrwx---+ 1 3000008 HPRS\domain admins 23 2016-01-23 16:03:46 /var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
> > 
> > They are variously owned by groups "domusers" (10000),
>
> Where did 'domusers' come from ?
> By default all users are members of 'Domain Users' and this is the
> group you should have given '10000' to.
>
> root at dc4:~# getent passwd rowland
> SAMDOM\rowland:*:10000:10000::/home/rowland:/bin/bash
> root at dc4:~# getent group 10000
> SAMDOM\domain users:x:10000:

Well, there *is* a 'Domain Users' group, which is 10000:

# getent passwd mark
HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

However, I also have "domusers:x:10000:" in /etc/group. Why? Two reasons:

1. I haven't quite figured out how to get Outlook to authenticate with domain credentials to
Dovecot.  So, Dovecot is authenticating with /etc/passwd for now.  Yes, some of the domain
users are also in /etc/passwd with their correct domain UID (the ones with iPhone access).

2. I'm also wanting to have smartphone email access use a password other than their domain
password -- if someone hacks a smartphone they also get domain credentials.

Neither of these issues are Samba problems and I'll sort them out eventually. Nevertheless,
the 'Domain Users' group is 10000:

(sam.ldb)
# record 189
dn: CN=Domain Users,CN=Users,DC=hprs,DC=local
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20140903044615.0Z
uSNCreated: 3541
name: Domain Users
objectGUID: edb886f3-5829-4b36-805f-3cce7f737d02
objectSid: S-1-5-21-1052267278-1962196458-4119365663-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hprs,DC=local
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=hprs,DC=local
msSFU30NisDomain: hprs
gidNumber: 10000
msSFU30Name: Domain Users
whenChanged: 20151012022826.0Z
uSNChanged: 6863
distinguishedName: CN=Domain Users,CN=Users,DC=hprs,DC=local

> > [deleted]
> > The vast majority of these files belong to group 'users' including the
> > specific files that are giving me the 'Access denied' Windows event.
>
> Hmm, I wonder if this because Windows does not know who the Unix group
> 'users' is ?
>
> > 'users' is one of the ubiquitous default groups created when Linux is
> > installed.
>
> As I said above, 'users' is a Unix group.  
>
> [deleted]
>
> >  Almost all of these files belonging to group
> > 'users' have rwxrwx--- permissions (no extended attributes). 
>
> The group 'users' has no meaning to Windows, it is a Unix group that
> appears only on a Samba AD DC, it is better to use 'Domain Users'
> instead, especially in Sysvol.
>
> > 
> > Could this be a problem? Should these files belong to some other
> > group? The users themselves belong to 'domusers' (10000) which is the
> > group assigned to all domain users.
>
> Again I ask why? There is no need to create such a group in Samba AD,
> just give 'Domain Users' a gidNumber and use this instead.
>
> > [deleted]
>
> No, you should change 'users' and 'domusers' to 'Domain Users' ;-)

Yes, I've done that. All group 'users' in the Sysvol hierarchy have been changed to 'Domain
Users'. This did not fix my Policies access problem. Still getting the access denied message on
Windows.

So, I'm going to take 2 approaches:

1. I'll pursue Louis' latest suggestion about applying permissions to subfolders.

2. I'm also going to stage a from-scratch installation of samba 4.8.2, and provision that. 
I'll see if this helps. 

I've already started #2. I've built a new Linux system and built a 4.8.2 Samba. My next step is
to do the provisioning. To that end, I have a couple of questions ...

My biggest initial headache when I provisioned several years ago was the whole DNS thing.  My
original system was provisioned with --dns-backend=BIND9_FLATFILE because using the recommended
SAMBA_INTERNAL or BIND9_DLZ didn't work for me (that was Samba 4.1).  I'd like this new test
platform to be as vanilla as possible, especially since the documentation says BIND9_FLATFILE
will be removed eventually.  So, I'll try with SAMBA_INTERNAL to start with. 

Q1: Will I be able to also use dhcpd with SAMBA_INTERNAL? There is no mention of dhcpd in
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Setting_up_the_AD_DNS_back_end. 

Q2: If so, I suppose this new AD/DC should do the dhcp'ing, not a separate host or router, right?

Q3: if not, should I use BIND9_DLZ instead?

I'd like to get this right the first time.

Thanks for all the help --Mark
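The thread turns on Sysvol entries group-owned by the Unix 'users' group instead of 'Domain Users' (and a world-writable startup script in the listing). The audit below is an added example, not code from the thread or from the Samba project: it walks a Sysvol tree and reports every entry whose gid is not the 'Domain Users' gidNumber (10000 in the thread) or an explicitly allowed gid such as 'Domain Admins', plus anything writable by others. The demo tree it builds is constructed, and the policy GUID in it is a placeholder.

```python
"""Audit a Samba sysvol tree for entries whose Unix group is not the
'Domain Users' gid, and for world-writable entries. Constructed example,
not from the thread or Samba; after fixing ownership the usual step is
`samba-tool ntacl sysvolreset` to rebuild the NT ACLs."""
import os
import stat
import tempfile
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    gid: int
    mode: str
    reason: str


def audit_sysvol(root: str, domain_users_gid: int, allowed_gids=()) -> list:
    """Walk `root`; flag entries whose group is neither `domain_users_gid`
    nor in `allowed_gids` (e.g. the gid of 'Domain Admins'), and entries
    that are writable by others. Symlinks are skipped, not followed."""
    ok = {domain_users_gid, *allowed_gids}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.filemode(st.st_mode)
            if st.st_gid not in ok:
                findings.append(Finding(full, st.st_gid, mode, "unexpected group"))
            if st.st_mode & stat.S_IWOTH:
                findings.append(Finding(full, st.st_gid, mode, "world-writable"))
    return findings


def demo() -> dict:
    """Build a constructed mini-sysvol (placeholder GUID) in a temp dir and
    audit it with the caller's gid as 'Domain Users', then with a wrong gid."""
    base = tempfile.mkdtemp(prefix="sysvol-audit-")
    pol = os.path.join(base, "hprs.local", "policies", "{POLICY-GUID}")
    startup = os.path.join(pol, "Machine", "Scripts", "Startup")
    os.makedirs(startup)
    for dirpath, dirnames, _ in os.walk(base):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o770)  # group-rwx, like the listing
    gpt, bat = os.path.join(pol, "GPT.INI"), os.path.join(startup, "addadmins.bat")
    with open(gpt, "w") as f:
        f.write("[General]\nVersion=1\n")
    with open(bat, "w") as f:
        f.write("@echo off\r\n")
    os.chmod(gpt, 0o770)  # -rwxrwx--- as in the thread's GPT.INI
    os.chmod(bat, 0o777)  # -rwxrwxrwx as in the thread's addadmins.bat
    mygid = os.getgid()
    return {"correct_gid": audit_sysvol(base, mygid),
            "wrong_gid": audit_sysvol(base, mygid + 1)}
```

Run it against a real tree with `audit_sysvol("/var/lib/samba/sysvol", 10000, allowed_gids=(3000008,))`, substituting the gids from `getent group`.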