[Samba] classicupgrade

Corrado Ravinetto corrado.ravinetto at lanificiocerruti.com
Tue Nov 6 15:57:21 UTC 2018


Hello Louis,
I followed your email and I created this file with your link:

[root at dc1 samba.PDC]# cat default-rights-sysvol.acl
# file: /home/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000004:rwx
user:3000000:r-x
user:3000001:rwx
user:3000018:r-x
group::rwx
group:3000004:rwx
group:3000000:r-x
group:3000001:rwx
group:3000018:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000004:rwx
default:user:3000000:r-x
default:user:3000001:rwx
default:user:3000018:r-x
default:group::---
default:group:3000004:rwx
default:group:3000000:r-x
default:group:3000001:rwx
default:group:3000018:r-x
default:mask::rwx
default:other::---


I applied this with setfacl.
I restarted Samba; from Windows, with GPO, when I create a new GPO:
access denied

On 06/11/2018 15:52, L.P.H. van Belle via samba wrote:
> Hai,
>
>
> Ok, I expected slightly different output.
> On my DC, I use /home/samba/sysvol and /home/samba/netlogon.
> This is what I expected.
>
> getfacl /home/samba/
>
> getfacl: Removing leading '/' from absolute path names
> # file: home/samba/
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:NT\040AUTHORITY\134system:rwx
> group:NT\040AUTHORITY\134authenticated\040users:r-x
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:NT\040AUTHORITY\134system:rwx
> default:group:NT\040AUTHORITY\134authenticated\040users:r-x
> default:mask::rwx
> default:other::---
>
> Now, how am I getting that if I'm sharing /home/samba/sysvol?
> I've also shared /home/samba before the setup.
> I've set the above rights first on /home/samba
> and then I've set the rights on /home/samba/sysvol.
>
> Before you do that:
> wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
>
> That generated a file called default-rights-sysvol.acl
> with this as content:
> # file: sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:BUILTIN\134server\040operators:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:BUILTIN\134server\040operators:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> And if you use sysvol/netlogon only for Windows computers, which you do,
>
> set these (change the path to your setup):
> [sysvol]
>          path = /home/samba/sysvol
>          read only = No
>          acl_xattr:ignore system acls = yes
>
> [netlogon]
>          path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
>          read only = No
>          acl_xattr:ignore system acls = yes
>
> It's, in my opinion, the best way to make your sysvol work without problems.
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Corrado Ravinetto via samba
>> Sent: Tuesday 6 November 2018 14:35
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] classicupgrade
>>
>> great :-)
>>
>> On 06/11/2018 14:17, L.P.H. van Belle via samba wrote:
>>> These are one-time settings.
>>> And yes, for each policy you need to click on these once
>>> (in the GPO policy objects in the GPO editor).
>> ok
>>> Can you post smb.conf
>> [global]
>>           netbios name = DC1
>>           realm = LXCERRUTI.COM
>>           server role = active directory domain controller
>>           workgroup = LXCERRUTI
>>           idmap_ldb:use rfc2307 = yes
>>           log level = 1
>>
>> [netlogon]
>>           path = /usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
>>           read only = No
>>
>> [sysvol]
>>           path = /usr/local/samba/var/locks/sysvol
>>           read only = No
>>
>>> getfacl PATH_TO_SYSVOL
>> I'm not sure these are the original, I made many changes ....
>>
>> # file: usr/local/samba/var/locks/sysvol
>> # owner: root
>> # group: root
>> user::rwx
>> user:root:rwx
>> user:3000000:rwx
>> user:3000003:r-x
>> group::rwx
>> group:3000000:rwx
>> group:3000001:rwx
>> group:3000003:r-x
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:root:rwx
>> default:user:3000000:rwx
>> default:user:3000003:r-x
>> default:group::---
>> default:group:3000000:rwx
>> default:group:3000001:rwx
>> default:group:3000003:r-x
>> default:mask::rwx
>> default:other::---
>>
>>> getent the_Folder_ONE_below-PATH_TO_SYSVOL
>>>
>>> Explorer crashes, 9 out of 10 times, if there is a wrong right on the
>>> folder below the point you're sharing.
>>> Per example.
>>>
>>> getfacl /home
>>> getfacl /home/samba
>>> getfacl /home/samba/share/
>>> getfacl /home/samba/share/data
>>>
>>> Can you post all of these also, but replace the example path with
>>> your setup.
>> My DC is not a file server; there is no home or share on this server,
>> only netlogon and sysvol.
>>
>> # file: usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
>> # owner: root
>> # group: root
>> user::rwx
>> user:root:rwx
>> user:3000000:rwx
>> user:3000001:rwx
>> user:3000003:r-x
>> group::rwx
>> group:3000000:rwx
>> group:3000001:rwx
>> group:3000003:r-x
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:root:rwx
>> default:user:3000000:rwx
>> default:user:3000001:rwx
>> default:user:3000003:r-x
>> default:group::---
>> default:group:3000000:rwx
>> default:group:3000001:rwx
>> default:group:3000003:r-x
>> default:mask::rwx
>> default:other::---
>>
>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>> Corrado Ravinetto via samba
>>>> Sent: Tuesday 6 November 2018 13:44
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] classicupgrade
>>>>
>>>> Hello,
>>>> I read this post, but when I check the property tab, Explorer
>>>> crashes and I cannot change anything.
>>>> My question is: for each new policy must I change this default?
>>>> Can't I change the create mask in smb.conf for the sysvol share?
>>>>
>>>> Thanks to all
>>>>
>>>> On 06/11/2018 13:22, L.P.H. van Belle via samba wrote:
>>>>> Hai,
>>>>>
>>>>> I suggest, start reading here, it explains all.
>>>>> https://lists.samba.org/archive/samba/2018-February/213690.html
>>>>>
>>>>> The script in that thread is not changing anything by default.
>>>>>
>>>>> I suggest try it and post the output.
>>>>>
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>>>> Rowland Penny via samba
>>>>>> Sent: Tuesday 6 November 2018 12:33
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] classicupgrade
>>>>>>
>>>>>> On Tue, 6 Nov 2018 12:13:31 +0100
>>>>>> Corrado Ravinetto via samba <samba at lists.samba.org> wrote:
>>>>>>
>>>>>>> On 06/11/2018 11:48, Rowland Penny via samba wrote:
>>>>>>>> No, your GPO's will still work.
>>>>>>> ok
>>>>>>> but when I created my GPO in sysvol I cannot access this share
>>>>>>> because:
>>>>>>>
>>>>>>> drwxrwx---+ 4 3000002 3000002 48  6 nov 12.03
>>>>>>> {CE2EBBA2-28FE-45D7-94EC-CD7357F38D73}
>>>>>>>
>>>>>>> Must I, for each new policy, adjust rights and owner?
>>>>>>>
>>>>>>> mmmmmmmh
>>>>>> '3000002' is coming from idmap.ldb and because '3000002' isn't a Unix
>>>>>> user, it isn't mapped to a Unix name, it could in fact be a
>>>>>> group, yes, groups on Windows can own folders & files.
>>>>>>
>>>>>> There is a wiki page that might help:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
>>>>>>
>>>>>> Further than that, I cannot help, I do not use GPO's, I don't have any
>>>>>> Windows clients ;-)
>>>>>>
>>>>>> Perhaps Louis might care to chime in here.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>> -- 
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>>>
>>>> -- 
>>>>
>>>> *Corrado Ravinetto *
>>>>
>>>>
>

-- 

*Corrado Ravinetto *
Sistemi informativi
corrado.ravinetto at lanificiocerruti.com 
<mailto:corrado.ravinetto at lanificiocerruti.com>
T: +39 015 3591283
Lanificio F.lli CERRUTI
*Lanificio F.lli Cerruti S.p.A. *
Via Cernaia 40, 13900 - Biella (BI) Italy
www.lanificiocerruti.com <http://www.lanificiocerruti.com/>

Respect the environment, don't print unless necessary
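As an added check, not part of this thread and not part of Louis's samba-check-set-sysvol.sh, the Python below parses a getfacl listing in the shape posted above, decodes getfacl's octal escapes (\134 for a backslash, \040 for a space, as in BUILTIN\134administrators), and flags the two things the thread turns on: qualifiers that are bare numeric IDs (an xidNumber from idmap.ldb with no Unix name, like the 3000002 that owns the new GPO folder) and "other" entries that grant anything, where the reference ACL has other::---. It also reports which entries of a reference ACL are missing from the listing. The sample listing is constructed for the example and the function names are my own.

```python
import re

# Constructed sample in the shape of the getfacl listings in this thread
# (not a real capture): one unresolved numeric ID and a world-accessible
# "other" entry on the sysvol directory itself.
SAMPLE_GETFACL = """\
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:BUILTIN\\134administrators:rwx
group::rwx
group:NT\\040AUTHORITY\\134system:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:group::---
default:mask::rwx
default:other::---
"""


def unescape_getfacl(name):
    """Decode getfacl's octal escapes: \\134 is a backslash, \\040 a space."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Parse one getfacl listing into (header, entries).

    header:  dict built from the '# file/owner/group' comment lines.
    entries: list of (is_default, tag, qualifier, perms) tuples, e.g.
             (False, 'user', 'BUILTIN\\administrators', 'rwx').
    """
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = unescape_getfacl(value.strip())
            continue
        fields = line.split(":")
        is_default = fields[0] == "default"
        if is_default:
            fields = fields[1:]
        tag, perms = fields[0], fields[-1]
        # the qualifier is everything between tag and perms (normally one field)
        qualifier = unescape_getfacl(":".join(fields[1:-1]))
        entries.append((is_default, tag, qualifier, perms))
    return header, entries


def audit_sysvol_acl(text):
    """Findings for the problems discussed in the thread: bare numeric
    qualifiers (unmapped xidNumbers), 'other' entries that are not '---',
    and a missing default ACL (new GPO folders would then inherit nothing)."""
    _, entries = parse_getfacl(text)
    findings = []
    for is_default, tag, qualifier, perms in entries:
        scope = "default:" if is_default else ""
        if tag in ("user", "group") and qualifier.isdigit():
            findings.append(
                f"{scope}{tag}:{qualifier}:{perms} uses an unresolved numeric ID"
            )
        if tag == "other" and perms != "---":
            findings.append(
                f"{scope}other::{perms} grants access to everyone; expected other::---"
            )
    if not any(e[0] for e in entries):
        findings.append("no default ACL, so new GPO folders will not inherit these rights")
    return findings


def missing_entries(text, required):
    """Entries of a reference ACL (same tuple shape as parse_getfacl returns)
    that are absent from this listing."""
    _, entries = parse_getfacl(text)
    present = set(entries)
    return [e for e in required if e not in present]


if __name__ == "__main__":
    for finding in audit_sysvol_acl(SAMPLE_GETFACL):
        print("FINDING:", finding)
    # two entries every sysvol ACL in the thread's reference file carries
    reference = [
        (False, "group", "BUILTIN\\administrators", "rwx"),
        (True, "group", "BUILTIN\\administrators", "rwx"),
    ]
    for entry in missing_entries(SAMPLE_GETFACL, reference):
        print("MISSING:", entry)
```

To use it against a real DC, feed it the output of getfacl on the sysvol path (and, per Louis's advice, on each directory above the share point as well), and build the reference list from the default-rights-sysvol.acl file the script generates so that missing_entries reports what setfacl still has to apply.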



