[Samba] classicupgrade

Corrado Ravinetto corrado.ravinetto at lanificiocerruti.com
Tue Nov 6 16:36:50 UTC 2018


Hello Luis,
Tomorrow I'm not in the office; I will reply to you on Thursday.
One question: who is the owner and what are the rights for the directories
     /home
     /home/samba
     /home/samba/sysvol

because, from a Windows client, as a user in Domain Admins, when I make a change in the
Security tab, Explorer always crashes.

bye

On 06/11/2018 17:16, L.P.H. van Belle via samba wrote:
> Ok, next,
>
> From a Windows PC, connect to the server with computer manager, and now set up the share and folder rights.
> As shown in the link posted ( https://lists.samba.org/archive/samba/2018-February/213690.html )
>
> I'm leaving the office, so a reply will probably be tomorrow.
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Corrado Ravinetto via samba
>> Sent: Tuesday 6 November 2018 16:57
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] classicupgrade
>>
>> Hello Luis,
>> I followed your email and I created this file with your link:
>>
>> [root@dc1 samba.PDC]# cat default-rights-sysvol.acl
>> # file: /home/samba/sysvol
>> # owner: root
>> # group: root
>> user::rwx
>> user:root:rwx
>> user:3000004:rwx
>> user:3000000:r-x
>> user:3000001:rwx
>> user:3000018:r-x
>> group::rwx
>> group:3000004:rwx
>> group:3000000:r-x
>> group:3000001:rwx
>> group:3000018:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:3000004:rwx
>> default:user:3000000:r-x
>> default:user:3000001:rwx
>> default:user:3000018:r-x
>> default:group::---
>> default:group:3000004:rwx
>> default:group:3000000:r-x
>> default:group:3000001:rwx
>> default:group:3000018:r-x
>> default:mask::rwx
>> default:other::---
>>
>>
>> I applied this with setfacl.
>> I restarted Samba; from Windows, with GPO, when I create a new GPO:
>> access denied
>>
>> On 06/11/2018 15:52, L.P.H. van Belle via samba wrote:
>>> Hai,
>>>
>>>
>>> Ok, I expected slightly different outputs.
>>> On my DC, I use /home/samba/sysvol and /home/samba/netlogon.
>>> This is what i expected.
>>>
>>> getfacl /home/samba/
>>>
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: home/samba/
>>> # owner: root
>>> # group: BUILTIN\134administrators
>>> user::rwx
>>> user:root:rwx
>>> group::rwx
>>> group:BUILTIN\134administrators:rwx
>>> group:BUILTIN\134server\040operators:r-x
>>> group:NT\040AUTHORITY\134system:rwx
>>> group:NT\040AUTHORITY\134authenticated\040users:r-x
>>> mask::rwx
>>> other::r-x
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:group::---
>>> default:group:BUILTIN\134administrators:rwx
>>> default:group:BUILTIN\134server\040operators:r-x
>>> default:group:NT\040AUTHORITY\134system:rwx
>>> default:group:NT\040AUTHORITY\134authenticated\040users:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>> Now how am I getting that if I'm sharing: /home/samba/sysvol
>>> I've also shared: /home/samba before the setup.
>>> I've set the above rights first on /home/samba
>>> And then I've set the rights on /home/samba/sysvol
>>>
>>> Before you do that:
>>> wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
>>> That generated a file called: default-rights-sysvol.acl
>>> With this as content:
>>> # file: sysvol
>>> # owner: root
>>> # group: BUILTIN\134administrators
>>> user::rwx
>>> user:root:rwx
>>> user:BUILTIN\134administrators:rwx
>>> user:BUILTIN\134server\040operators:r-x
>>> user:3000002:rwx
>>> user:3000003:r-x
>>> group::rwx
>>> group:BUILTIN\134administrators:rwx
>>> group:BUILTIN\134server\040operators:r-x
>>> group:3000002:rwx
>>> group:3000003:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:BUILTIN\134administrators:rwx
>>> default:user:BUILTIN\134server\040operators:r-x
>>> default:user:3000002:rwx
>>> default:user:3000003:r-x
>>> default:group::---
>>> default:group:BUILTIN\134administrators:rwx
>>> default:group:BUILTIN\134server\040operators:r-x
>>> default:group:3000002:rwx
>>> default:group:3000003:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>> And if you use sysvol/netlogon only for Windows computers, which you do,
>>> set these: (change the path to your setup.)
>>> [sysvol]
>>>           path = /home/samba/sysvol
>>>           read only = No
>>>           acl_xattr:ignore system acls = yes
>>>
>>> [netlogon]
>>>           path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
>>>           read only = No
>>>           acl_xattr:ignore system acls = yes
>>>
>>> It's, in my opinion, the best way to make your sysvol work without problems.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>> Corrado Ravinetto via samba
>>>> Sent: Tuesday 6 November 2018 14:35
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] classicupgrade
>>>>
>>>> great :-)
>>>>
>>>> On 06/11/2018 14:17, L.P.H. van Belle via samba wrote:
>>>>> This is a one-time setting.
>>>>> And yes, for each policy you need to click on these once (in the GPO policy objects in the GPO editor).
>>>> ok
>>>>> Can you post smb.conf
>>>> [global]
>>>>            netbios name = DC1
>>>>            realm = LXCERRUTI.COM
>>>>            server role = active directory domain controller
>>>>            workgroup = LXCERRUTI
>>>>            idmap_ldb:use rfc2307 = yes
>>>>            log level = 1
>>>>
>>>> [netlogon]
>>>>            path = /usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
>>>>            read only = No
>>>>
>>>> [sysvol]
>>>>            path = /usr/local/samba/var/locks/sysvol
>>>>            read only = No
>>>>
>>>>> getfacl PATH_TO_SYSVOL
>>>> I'm not sure these are the originals, I made many changes ....
>>>>
>>>> # file: usr/local/samba/var/locks/sysvol
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:root:rwx
>>>> user:3000000:rwx
>>>> user:3000003:r-x
>>>> group::rwx
>>>> group:3000000:rwx
>>>> group:3000001:rwx
>>>> group:3000003:r-x
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:3000000:rwx
>>>> default:user:3000003:r-x
>>>> default:group::---
>>>> default:group:3000000:rwx
>>>> default:group:3000001:rwx
>>>> default:group:3000003:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>>> getent the_Folder_ONE_below-PATH_TO_SYSVOL
>>>>>
>>>>> Explorer crashes; 9 out of 10 times it is a wrong right on the folder below the point you're sharing.
>>>>> For example:
>>>>>
>>>>> getfacl /home
>>>>> getfacl /home/samba
>>>>> getfacl /home/samba/share/
>>>>> getfacl /home/samba/share/data
>>>>>
>>>>> Can you post all of these as well, but replace the example path with your setup.
>>>> My DC is not a file server; there is no home or share on this server,
>>>> only netlogon and sysvol.
>>>>
>>>> # file: usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:root:rwx
>>>> user:3000000:rwx
>>>> user:3000001:rwx
>>>> user:3000003:r-x
>>>> group::rwx
>>>> group:3000000:rwx
>>>> group:3000001:rwx
>>>> group:3000003:r-x
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:3000000:rwx
>>>> default:user:3000001:rwx
>>>> default:user:3000003:r-x
>>>> default:group::---
>>>> default:group:3000000:rwx
>>>> default:group:3000001:rwx
>>>> default:group:3000003:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>>>> Corrado Ravinetto via samba
>>>>>> Sent: Tuesday 6 November 2018 13:44
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] classicupgrade
>>>>>>
>>>>>> Hello,
>>>>>> I read this post, but when I check the property tab, Explorer crashes and I
>>>>>> cannot change anything.
>>>>>> My question is: for each new policy must I change this default???
>>>>>> Can't I change the create mask in smb.conf for the sysvol share???
>>>>>>
>>>>>> Thanks to all
>>>>>>
>>>>>> On 06/11/2018 13:22, L.P.H. van Belle via samba wrote:
>>>>>>> Hai,
>>>>>>>
>>>>>>> I suggest, start reading here, it explains all.
>>>>>>> https://lists.samba.org/archive/samba/2018-February/213690.html
>>>>>>>
>>>>>>> The script in that thread is not changing anything by default.
>>>>>>>
>>>>>>> I suggest try it and post the output.
>>>>>>>
>>>>>>>
>>>>>>> Greetz,
>>>>>>>
>>>>>>> Louis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>>>>>> Rowland Penny via samba
>>>>>>>> Sent: Tuesday 6 November 2018 12:33
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] classicupgrade
>>>>>>>>
>>>>>>>> On Tue, 6 Nov 2018 12:13:31 +0100
>>>>>>>> Corrado Ravinetto via samba <samba at lists.samba.org> wrote:
>>>>>>>>
>>>>>>>>> On 06/11/2018 11:48, Rowland Penny via samba wrote:
>>>>>>>>>> No, your GPO's will still work.
>>>>>>>>> ok
>>>>>>>>> but when I created my GPO in sysvol I cannot access this share
>>>>>>>>> because:
>>>>>>>>>
>>>>>>>>> drwxrwx---+ 4 3000002 3000002 48  6 nov 12.03 {CE2EBBA2-28FE-45D7-94EC-CD7357F38D73}
>>>>>>>>>
>>>>>>>>> Must I, for each new policy, adjust rights and owner ???
>>>>>>>>>
>>>>>>>>> mmmmmmmh
>>>>>>>> '3000002' is coming from idmap.ldb and because '3000002' isn't a Unix
>>>>>>>> user, it isn't mapped to a Unix name, it could in fact be a group, yes,
>>>>>>>> groups on Windows can own folders & files.
>>>>>>>>
>>>>>>>> There is a wiki page that might help:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
>>>>>>>>
>>>>>>>> Further than that, I cannot help, I do not use GPO's, I don't have any
>>>>>>>> Windows clients ;-)
>>>>>>>>
>>>>>>>> Perhaps Louis might care to chime in here.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>>>
>>>>>>>>
>

-- 

*Corrado Ravinetto *
Sistemi informativi
corrado.ravinetto at lanificiocerruti.com 
<mailto:corrado.ravinetto at lanificiocerruti.com>
T: +39 015 3591283
Lanificio F.lli CERRUTI
*Lanificio F.lli Cerruti S.p.A. *
Via Cernaia 40, 13900 - Biella (BI) Italy
www.lanificiocerruti.com <http://www.lanificiocerruti.com/>

Twitter <https://twitter.com/Lan_Cerruti> Facebook 
<https://www.facebook.com/LanificioCerruti> Instagram 
<https://www.instagram.com/lanificiocerruti/>

Respect the environment, don't print unless necessary
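
An added example, not part of any message in this thread: a Python check that parses getfacl output like the listings quoted above, decodes the `\134` and `\040` escapes, and compares a live sysvol ACL against the generated default-rights-sysvol.acl. The two sample ACLs are constructed (abridged from the thread) and the function names are hypothetical.

```python
import re
# Constructed samples, abridged from the getfacl listings quoted in this thread.
POSTED = r"""
# file: usr/local/samba/var/locks/sysvol
user::rwx
user:3000000:rwx
group:3000003:r-x
other::rwx
default:other::---
"""
EXPECTED = r"""
# file: sysvol
user::rwx
user:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000003:r-x
other::---
default:other::---
"""

def unescape(name):
    # getfacl prints '\' as \134 and ' ' as \040 inside names
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_acl(text):
    """Map (scope, tag, qualifier) -> perms for getfacl-style text."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the '# file/owner/group' header
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, who, perms = line.split(":", 2)
        acl[(scope, tag, unescape(who))] = perms[:3]  # drop any '#effective' note
    return acl

def audit(acl, expected):
    out = []  # deviations from the expected ACL, plus risky entries
    for (scope, tag, who), perms in sorted(acl.items()):
        want = expected.get((scope, tag, who))
        if tag == "other" and "w" in perms:
            out.append(f"{scope} other is writable ({perms})")
        elif want is not None and want != perms:
            out.append(f"{scope} {tag}:{who} is {perms}, expected {want}")
        if who.isdigit():
            out.append(f"{scope} {tag}:{who} is not mapped to a Unix name")
    return out + [f"missing {s} {t}:{w}" for s, t, w in sorted(expected.keys() - acl.keys())]
```

Calling `audit(parse_acl(POSTED), parse_acl(EXPECTED))` returns the findings as a list of strings; feed it the real `getfacl` output and the generated `.acl` file in place of the samples.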



