[Samba] classicupgrade
L.P.H. van Belle
belle at bazuin.nl
Tue Nov 6 16:16:03 UTC 2018
Ok, next,
From a Windows PC connect to the server with computer manager, and now set up the share and folder rights.
As shown in the link posted ( https://lists.samba.org/archive/samba/2018-February/213690.html )
I'm leaving the office, so a reply will probably come tomorrow.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Corrado Ravinetto via samba
> Sent: Tuesday 6 November 2018 16:57
> To: samba at lists.samba.org
> Subject: Re: [Samba] classicupgrade
>
> Hello Luis
> I followed your email and I created this file with your link:
>
> [root at dc1 samba.PDC]# cat default-rights-sysvol.acl
> # file: /home/samba/sysvol
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:3000004:rwx
> user:3000000:r-x
> user:3000001:rwx
> user:3000018:r-x
> group::rwx
> group:3000004:rwx
> group:3000000:r-x
> group:3000001:rwx
> group:3000018:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000004:rwx
> default:user:3000000:r-x
> default:user:3000001:rwx
> default:user:3000018:r-x
> default:group::---
> default:group:3000004:rwx
> default:group:3000000:r-x
> default:group:3000001:rwx
> default:group:3000018:r-x
> default:mask::rwx
> default:other::---
>
>
> I applied this with setfacl.
> I restarted Samba; from Windows, with GPO, when creating a new GPO:
> access denied
>
> On 06/11/2018 15:52, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> >
> > Ok, I expected a bit different outputs.
> > On my DC, I use /home/samba/sysvol and /home/samba/netlogon.
> > This is what i expected.
> >
> > getfacl /home/samba/
> >
> > getfacl: Removing leading '/' from absolute path names
> > # file: home/samba/
> > # owner: root
> > # group: BUILTIN\134administrators
> > user::rwx
> > user:root:rwx
> > group::rwx
> > group:BUILTIN\134administrators:rwx
> > group:BUILTIN\134server\040operators:r-x
> > group:NT\040AUTHORITY\134system:rwx
> > group:NT\040AUTHORITY\134authenticated\040users:r-x
> > mask::rwx
> > other::r-x
> > default:user::rwx
> > default:user:root:rwx
> > default:group::---
> > default:group:BUILTIN\134administrators:rwx
> > default:group:BUILTIN\134server\040operators:r-x
> > default:group:NT\040AUTHORITY\134system:rwx
> > default:group:NT\040AUTHORITY\134authenticated\040users:r-x
> > default:mask::rwx
> > default:other::---
> >
> > Now how am I getting that if I'm sharing: /home/samba/sysvol
> > I've also shared: /home/samba before the setup.
> > I've set the above rights first on /home/samba
> > And then I've set the rights on /home/samba/sysvol
> >
> > Before you do that.
> > wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
> >
> > That generated a file called : default-rights-sysvol.acl
> > With this as content:
> > # file: sysvol
> > # owner: root
> > # group: BUILTIN\134administrators
> > user::rwx
> > user:root:rwx
> > user:BUILTIN\134administrators:rwx
> > user:BUILTIN\134server\040operators:r-x
> > user:3000002:rwx
> > user:3000003:r-x
> > group::rwx
> > group:BUILTIN\134administrators:rwx
> > group:BUILTIN\134server\040operators:r-x
> > group:3000002:rwx
> > group:3000003:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:BUILTIN\134administrators:rwx
> > default:user:BUILTIN\134server\040operators:r-x
> > default:user:3000002:rwx
> > default:user:3000003:r-x
> > default:group::---
> > default:group:BUILTIN\134administrators:rwx
> > default:group:BUILTIN\134server\040operators:r-x
> > default:group:3000002:rwx
> > default:group:3000003:r-x
> > default:mask::rwx
> > default:other::---
> >
> > And if you use sysvol/netlogon only for Windows computers, which you do.
> >
> > Set these : ( change the path to your setup. )
> > [sysvol]
> > path = /home/samba/sysvol
> > read only = No
> > acl_xattr:ignore system acls = yes
> >
> > [netlogon]
> > path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
> > read only = No
> > acl_xattr:ignore system acls = yes
> >
> > It's, in my opinion, the best way to make your sysvol work without problems.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> Corrado Ravinetto via samba
> >> Sent: Tuesday 6 November 2018 14:35
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] classicupgrade
> >>
> >> great :-)
> >>
> >> On 06/11/2018 14:17, L.P.H. van Belle via samba wrote:
> >>> These are one-time settings.
> >>> And yes, for each policy you need to click on these once (in the GPO policy objects in GPO editor).
> >> ok
> >>> Can you post smb.conf
> >> [global]
> >> netbios name = DC1
> >> realm = LXCERRUTI.COM
> >> server role = active directory domain controller
> >> workgroup = LXCERRUTI
> >> idmap_ldb:use rfc2307 = yes
> >> log level = 1
> >>
> >> [netlogon]
> >> path = /usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
> >> read only = No
> >>
> >> [sysvol]
> >> path = /usr/local/samba/var/locks/sysvol
> >> read only = No
> >>
> >>> getfacl PATH_TO_SYSVOL
> >> I'm not sure these are the original, I do many changes ....
> >>
> >> # file: usr/local/samba/var/locks/sysvol
> >> # owner: root
> >> # group: root
> >> user::rwx
> >> user:root:rwx
> >> user:3000000:rwx
> >> user:3000003:r-x
> >> group::rwx
> >> group:3000000:rwx
> >> group:3000001:rwx
> >> group:3000003:r-x
> >> mask::rwx
> >> other::rwx
> >> default:user::rwx
> >> default:user:root:rwx
> >> default:user:3000000:rwx
> >> default:user:3000003:r-x
> >> default:group::---
> >> default:group:3000000:rwx
> >> default:group:3000001:rwx
> >> default:group:3000003:r-x
> >> default:mask::rwx
> >> default:other::---
> >>
> >>> getent the_Folder_ONE_below-PATH_TO_SYSVOL
> >>>
> >>> Explorer crashes; 9 out of 10 times it is a wrong right on the folder below the point you're sharing.
> >>> For example.
> >>>
> >>> getfacl /home
> >>> getfacl /home/samba
> >>> getfacl /home/samba/share/
> >>> getfacl /home/samba/share/data
> >>>
> >>> Can you also post all of these, but replace the example path with your setup.
> >> my dc is not a file server, no home or share in this server
> >> only netlogon and sysvol
> >>
> >> # file: usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
> >> # owner: root
> >> # group: root
> >> user::rwx
> >> user:root:rwx
> >> user:3000000:rwx
> >> user:3000001:rwx
> >> user:3000003:r-x
> >> group::rwx
> >> group:3000000:rwx
> >> group:3000001:rwx
> >> group:3000003:r-x
> >> mask::rwx
> >> other::rwx
> >> default:user::rwx
> >> default:user:root:rwx
> >> default:user:3000000:rwx
> >> default:user:3000001:rwx
> >> default:user:3000003:r-x
> >> default:group::---
> >> default:group:3000000:rwx
> >> default:group:3000001:rwx
> >> default:group:3000003:r-x
> >> default:mask::rwx
> >> default:other::---
> >>
> >>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>> -----Original message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >>>> Corrado Ravinetto via samba
> >>>> Sent: Tuesday 6 November 2018 13:44
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] classicupgrade
> >>>>
> >>>> hello
> >>>> I read this post, but when I check the property tab, Explorer crashes and I
> >>>> cannot change anything.
> >>>> My question is: for each new policy, must I change this default???
> >>>> Can't I change the create mask in smb.conf for the sysvol share???
> >>>>
> >>>> thanks to all
> >>>>
> >>>> On 06/11/2018 13:22, L.P.H. van Belle via samba wrote:
> >>>>> Hai,
> >>>>>
> >>>>> I suggest, start reading here, it explains all.
> >>>>> https://lists.samba.org/archive/samba/2018-February/213690.html
> >>>>>
> >>>>> The script in that thread is not changing anything by default.
> >>>>>
> >>>>> I suggest try it and post the output.
> >>>>>
> >>>>>
> >>>>> Greetz,
> >>>>>
> >>>>> Louis
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>> -----Original message-----
> >>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >>>>>> Rowland Penny via samba
> >>>>>> Sent: Tuesday 6 November 2018 12:33
> >>>>>> To: samba at lists.samba.org
> >>>>>> Subject: Re: [Samba] classicupgrade
> >>>>>>
> >>>>>> On Tue, 6 Nov 2018 12:13:31 +0100
> >>>>>> Corrado Ravinetto via samba <samba at lists.samba.org> wrote:
> >>>>>>
> >>>>>>> On 06/11/2018 11:48, Rowland Penny via samba wrote:
> >>>>>>>> No, your GPO's will still work.
> >>>>>>> ok
> >>>>>>> but when I created my GPO in sysvol I cannot access this share
> >>>>>>> because:
> >>>>>>>
> >>>>>>> drwxrwx---+ 4 3000002 3000002 48 6 nov 12.03 {CE2EBBA2-28FE-45D7-94EC-CD7357F38D73}
> >>>>>>>
> >>>>>>> Must I, for each new policy, adjust rights and owner???
> >>>>>>>
> >>>>>>> mmmmmmmh
> >>>>>> '3000002' is coming from idmap.ldb and because '3000002' isn't a Unix
> >>>>>> user, it isn't mapped to a Unix name, it could in fact be a group, yes,
> >>>>>> groups on Windows can own folders & files.
> >>>>>>
> >>>>>> There is a wiki page that might help:
> >>>>>>
> >>>>>> https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
> >>>>>>
> >>>>>> Further than that, I cannot help, I do not use GPO's, I don't have any
> >>>>>> Windows clients ;-)
> >>>>>>
> >>>>>> Perhaps Louis might care to chime in here.
> >>>>>>
> >>>>>> Rowland
> >>>>>>
> >>>>>> --
> >>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>>>
> >>>>>>
> >>>> --
> >>>>
> >>>> *Corrado Ravinetto *
> >>>>
> >>>>
> >> --
> >>
> >> *Corrado Ravinetto *
> >>
> >>
> >
>
> --
>
> *Corrado Ravinetto *
> Sistemi informativi
> corrado.ravinetto at lanificiocerruti.com
> <mailto:corrado.ravinetto at lanificiocerruti.com>
> T: +39 015 3591283
> Lanificio F.lli CERRUTI
> *Lanificio F.lli Cerruti S.p.A. *
> Via Cernaia 40, 13900 - Biella (BI) Italy
> www.lanificiocerruti.com <http://www.lanificiocerruti.com/>
>
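
An added example, not part of the thread and not taken from the samba-check-set-sysvol.sh script: a small Python parser for getfacl listings like the ones quoted above. It decodes the \134 and \040 escapes, flags a writable "other" entry, lists IDs printed without a name, and reports named access entries that have no default counterpart. The sample listing is constructed (abridged from the quoted output) and the function names are this example's own.

```python
import re

# Constructed sample, abridged from the getfacl listings quoted in the thread.
SAMPLE = r"""# file: usr/local/samba/var/locks/sysvol
user::rwx
user:3000000:rwx
group:BUILTIN\134administrators:rwx
group:3000001:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:3000000:rwx
default:group:BUILTIN\134administrators:rwx
default:mask::rwx
default:other::---
"""

def unescape(name):
    # getfacl prints a backslash as \134 and a space as \040 (octal escapes).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_acl(text):
    """Map (scope, tag, qualifier) -> perms; scope is 'access' or 'default'."""
    acl = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].strip().split(":")  # drop comments
        scope = "access"
        if fields[0] == "default":
            scope, fields = "default", fields[1:]
        if len(fields) == 3:  # tag:qualifier:perms
            acl[(scope, fields[0], unescape(fields[1]))] = fields[2]
    return acl

def audit(text):
    """Return findings for one getfacl listing (one directory)."""
    acl, findings = parse_acl(text), []
    for (scope, tag, qual), perms in sorted(acl.items()):
        if tag == "other" and "w" in perms:
            findings.append(f"WARN {scope} other is writable ({perms})")
        if qual.isdigit():
            findings.append(f"INFO {scope} {tag} {qual} has no resolved name")
        # New children inherit only the default ACL, so a named access
        # entry without a default twin is lost on newly created folders.
        if scope == "access" and qual and ("default", tag, qual) not in acl:
            findings.append(f"WARN {tag} {qual} has no default entry")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Numeric IDs are reported as INFO only, since on a DC they come from idmap.ldb and are expected unless name resolution is configured.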