[Samba] classicupgrade
L.P.H. van Belle
belle at bazuin.nl
Tue Nov 6 14:52:53 UTC 2018
Hai,
Ok, I expected a bit different outputs.
On my DC, I use /home/samba/sysvol and /home/samba/netlogon.
This is what I expected.
getfacl /home/samba/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:mask::rwx
default:other::---
Now how am I getting that if I'm sharing: /home/samba/sysvol
I've also shared: /home/samba before the setup.
I've set the above rights first on /home/samba
And then I've set the rights on /home/samba/sysvol
Before you do that.
wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
That generated a file called : default-rights-sysvol.acl
With this as content:
# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
And if you use sysvol/netlogon only for Windows computers, which you do.
Set these: (change the path to your setup.)
[sysvol]
path = /home/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes
[netlogon]
path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
read only = No
acl_xattr:ignore system acls = yes
It's, in my opinion, the best way to make your sysvol work without problems.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Corrado Ravinetto via samba
> Sent: Tuesday 6 November 2018 14:35
> To: samba at lists.samba.org
> Subject: Re: [Samba] classicupgrade
>
> great :-)
>
> On 06/11/2018 14:17, L.P.H. van Belle via samba wrote:
> > These are one-time settings.
> > And yes, for each policy you need to click on these once (in the GPO policy objects in the GPO editor).
> ok
> > Can you post smb.conf
> [global]
> netbios name = DC1
> realm = LXCERRUTI.COM
> server role = active directory domain controller
> workgroup = LXCERRUTI
> idmap_ldb:use rfc2307 = yes
> log level = 1
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> >
> > getfacl PATH_TO_SYSVOL
> I'm not sure these are the original, I do many changes ....
>
> # file: usr/local/samba/var/locks/sysvol
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:rwx
> group:3000003:r-x
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> >
> > getent the_Folder_ONE_below-PATH_TO_SYSVOL
> >
> > Explorer crashes, 9 out of 10 times, if there is a wrong right on the folder below the point you're sharing.
> > For example.
> >
> > getfacl /home
> > getfacl /home/samba
> > getfacl /home/samba/share/
> > getfacl /home/samba/share/data
> >
> > Can you also post all of these, but replace the example path with your setup.
> My DC is not a file server, no home or share on this server,
> only netlogon and sysvol
>
> # file: usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:rwx
> group:3000003:r-x
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
>
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> Corrado Ravinetto via samba
> >> Sent: Tuesday 6 November 2018 13:44
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] classicupgrade
> >>
> >> Hello,
> >> I read this post, but when I check the property tab, Explorer crashes and I
> >> cannot change anything.
> >> My question is: for each new policy must I change this default ???
> >> Can't I change the create mask in smb.conf for the sysvol share ???
> >>
> >> Thanks to all
> >>
> >> On 06/11/2018 13:22, L.P.H. van Belle via samba wrote:
> >>> Hai,
> >>>
> >>> I suggest, start reading here, it explains all.
> >>> https://lists.samba.org/archive/samba/2018-February/213690.html
> >>>
> >>> The script in that thread is not changing anything by default.
> >>>
> >>> I suggest try it and post the output.
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>
> >>>
> >>>> -----Original message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >>>> Rowland Penny via samba
> >>>> Sent: Tuesday 6 November 2018 12:33
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] classicupgrade
> >>>>
> >>>> On Tue, 6 Nov 2018 12:13:31 +0100
> >>>> Corrado Ravinetto via samba <samba at lists.samba.org> wrote:
> >>>>
> >>>>> On 06/11/2018 11:48, Rowland Penny via samba wrote:
> >>>>>> No, your GPO's will still work.
> >>>>> ok
> >>>>> but when I created my GPO in sysvol I cannot access this share
> >>>>> because:
> >>>>>
> >>>>> drwxrwx---+ 4 3000002 3000002 48 6 nov 12.03 {CE2EBBA2-28FE-45D7-94EC-CD7357F38D73}
> >>>>>
> >>>>> Must I, for each new policy, adjust rights and owner ???
> >>>>>
> >>>>> mmmmmmmh
> >>>> '3000002' is coming from idmap.ldb and because '3000002' isn't a Unix
> >>>> user, it isn't mapped to a Unix name, it could in fact be a group, yes,
> >>>> groups on Windows can own folders & files.
> >>>>
> >>>> There is a wiki page that might help:
> >>>>
> >>>> https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
> >>>>
> >>>> Further than that, I cannot help, I do not use GPO's, I don't have any
> >>>> Windows clients ;-)
> >>>>
> >>>> Perhaps Louis might care to chime in here.
> >>>>
> >>>> Rowland
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>
> >>>>
> >> --
> >>
> >> *Corrado Ravinetto *
> >>
> >>
> >
>
> --
>
> *Corrado Ravinetto *
>
>
>
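Added example, not part of the original message or of the samba-check-set-sysvol.sh script: a Python comparison of two getfacl listings that decodes the \134 (backslash) and \040 (space) octal escapes getfacl prints and reports where a sysvol ACL deviates from a reference such as default-rights-sysvol.acl. The two sample listings are abridged from the ACLs quoted in this thread; the function names are this example's own.

```python
import re

# Samples abridged from the two sysvol listings quoted in this thread.
REFERENCE = r"""# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
group:BUILTIN\134server\040operators:r-x
group:3000003:r-x
other::---
"""
ACTUAL = r"""# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: root
user::rwx
group:3000003:r-x
other::rwx
"""

def decode(name):
    # getfacl writes special characters as 3-digit octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return (header, entries): header holds file/owner/group,
    entries maps a decoded ACL key such as 'other:' to its permission string."""
    header, entries = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"#\s*(file|owner|group):\s*(.+)", line)
        if m:
            header[m.group(1)] = decode(m.group(2))
        elif line and not line.startswith(("#", "getfacl:")):
            # drop any trailing "#effective:" comment, then split off the perms
            key, _, perms = line.split()[0].rpartition(":")
            entries[decode(key)] = perms
    return header, entries

def compare(reference, actual):
    """Return (item, expected, found) tuples where actual deviates from reference."""
    (rh, ra), (ah, aa) = parse_getfacl(reference), parse_getfacl(actual)
    findings = [(k, rh.get(k), ah.get(k))
                for k in ("owner", "group") if rh.get(k) != ah.get(k)]
    for key in sorted(set(ra) | set(aa)):
        if ra.get(key) != aa.get(key):
            findings.append((key, ra.get(key), aa.get(key)))
    return findings

if __name__ == "__main__":
    for item, expected, found in compare(REFERENCE, ACTUAL):
        print(f"{item!r}: expected {expected!r}, found {found!r}")
```

Feeding it the full output of `getfacl` for the live sysvol path and the full reference file gives the same kind of report, including the `default:` entries.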