[Samba] classicupgrade

Corrado Ravinetto corrado.ravinetto at lanificiocerruti.com
Thu Nov 8 10:09:29 UTC 2018


Hello Luis,
I'm in the office.
Today I tried to create a new GPO from a Windows client, but I cannot because of 
access denied, so I raised the log level to 3 and logged this:

[2018/11/08 11:03:48.083966,  3] ../source3/smbd/msdfs.c:1063(get_referred_path)
   get_referred_path: |SysVol| in dfs path \dc1.lxcerruti.com\SysVol is not a dfs root.
[2018/11/08 11:03:48.084043,  3] ../source3/smbd/smb2_server.c:3190(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2018/11/08 11:03:48.084866,  3] ../source3/smbd/smb2_server.c:3190(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_PATH_NOT_FOUND] || at ../source3/smbd/smb2_create.c:296
[2018/11/08 11:03:48.085532,  3] ../source3/smbd/msdfs.c:1063(get_referred_path)
   get_referred_path: |SysVol| in dfs path \dc1.lxcerruti.com\SysVol is not a dfs root.



On 06/11/2018 17:36, Corrado Ravinetto via samba wrote:
> Hello Luis
> tomorrow I'm not in the office, I will reply to you on Thursday.
> One question: who is the owner and what are the rights for the dirs
>     /home
>     /home/samba
>     /home/samba/sysvol
>
> because, from a Windows client, as a user in Domain Admins, when I make 
> changes in the security tab, Explorer always crashes
>
> bye
>
> On 06/11/2018 17:16, L.P.H. van Belle via samba wrote:
>> Ok, next,
>>
>> From a Windows PC connect to the server with computer manager, and 
>> now set up the share and folder rights,
>> as shown in the link posted ( 
>> https://lists.samba.org/archive/samba/2018-February/213690.html )
>>
>> I'm leaving the office, so a reply will probably come tomorrow.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>> Corrado Ravinetto via samba
>>> Sent: Tuesday 6 November 2018 16:57
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] classicupgrade
>>>
>>> Hello Luis
>>> I followed your email and I created this file with your link:
>>>
>>> [root@dc1 samba.PDC]# cat default-rights-sysvol.acl
>>> # file: /home/samba/sysvol
>>> # owner: root
>>> # group: root
>>> user::rwx
>>> user:root:rwx
>>> user:3000004:rwx
>>> user:3000000:r-x
>>> user:3000001:rwx
>>> user:3000018:r-x
>>> group::rwx
>>> group:3000004:rwx
>>> group:3000000:r-x
>>> group:3000001:rwx
>>> group:3000018:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:3000004:rwx
>>> default:user:3000000:r-x
>>> default:user:3000001:rwx
>>> default:user:3000018:r-x
>>> default:group::---
>>> default:group:3000004:rwx
>>> default:group:3000000:r-x
>>> default:group:3000001:rwx
>>> default:group:3000018:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>>
>>> I applied this with setfacl.
>>> I restarted samba; from Windows, with GPO, when creating a new GPO:
>>> access denied
>>>
>>> On 06/11/2018 15:52, L.P.H. van Belle via samba wrote:
>>>> Hai,
>>>>
>>>>
>>>> Ok, I expected slightly different output.
>>>> On my DC, I use /home/samba/sysvol and /home/samba/netlogon.
>>>> This is what I expected.
>>>>
>>>> getfacl /home/samba/
>>>>
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: home/samba/
>>>> # owner: root
>>>> # group: BUILTIN\134administrators
>>>> user::rwx
>>>> user:root:rwx
>>>> group::rwx
>>>> group:BUILTIN\134administrators:rwx
>>>> group:BUILTIN\134server\040operators:r-x
>>>> group:NT\040AUTHORITY\134system:rwx
>>>> group:NT\040AUTHORITY\134authenticated\040users:r-x
>>>> mask::rwx
>>>> other::r-x
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:group::---
>>>> default:group:BUILTIN\134administrators:rwx
>>>> default:group:BUILTIN\134server\040operators:r-x
>>>> default:group:NT\040AUTHORITY\134system:rwx
>>>> default:group:NT\040AUTHORITY\134authenticated\040users:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> Now how am I getting that if I'm sharing: /home/samba/sysvol
>>>> I've also shared: /home/samba before the setup.
>>>> I've set the above rights first on /home/samba
>>>> and then I've set the rights on /home/samba/sysvol
>>>>
>>>> Before you do that:
>>>> wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
>>>> That generated a file called: default-rights-sysvol.acl
>>>> with this as content:
>>>> # file: sysvol
>>>> # owner: root
>>>> # group: BUILTIN\134administrators
>>>> user::rwx
>>>> user:root:rwx
>>>> user:BUILTIN\134administrators:rwx
>>>> user:BUILTIN\134server\040operators:r-x
>>>> user:3000002:rwx
>>>> user:3000003:r-x
>>>> group::rwx
>>>> group:BUILTIN\134administrators:rwx
>>>> group:BUILTIN\134server\040operators:r-x
>>>> group:3000002:rwx
>>>> group:3000003:r-x
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:BUILTIN\134administrators:rwx
>>>> default:user:BUILTIN\134server\040operators:r-x
>>>> default:user:3000002:rwx
>>>> default:user:3000003:r-x
>>>> default:group::---
>>>> default:group:BUILTIN\134administrators:rwx
>>>> default:group:BUILTIN\134server\040operators:r-x
>>>> default:group:3000002:rwx
>>>> default:group:3000003:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> And if you use sysvol/netlogon only for Windows computers, which you do,
>>>> set these (change the path to match your setup):
>>>> [sysvol]
>>>>           path = /home/samba/sysvol
>>>>           read only = No
>>>>           acl_xattr:ignore system acls = yes
>>>>
>>>> [netlogon]
>>>>           path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
>>>>           read only = No
>>>>           acl_xattr:ignore system acls = yes
>>>>
>>>> It's, in my opinion, the best way to make your sysvol work without problems.
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>>> Corrado Ravinetto via samba
>>>>> Sent: Tuesday 6 November 2018 14:35
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] classicupgrade
>>>>>
>>>>> great :-)
>>>>>
>>>>> On 06/11/2018 14:17, L.P.H. van Belle via samba wrote:
>>>>>> These are one-time settings.
>>>>>> And yes, for each policy you need to click on these once (in the
>>>>>> GPO policy objects in the GPO editor).
>>>>> ok
>>>>>> Can you post smb.conf
>>>>> [global]
>>>>>            netbios name = DC1
>>>>>            realm = LXCERRUTI.COM
>>>>>            server role = active directory domain controller
>>>>>            workgroup = LXCERRUTI
>>>>>            idmap_ldb:use rfc2307 = yes
>>>>>            log level = 1
>>>>>
>>>>> [netlogon]
>>>>>            path = /usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
>>>>>            read only = No
>>>>>
>>>>> [sysvol]
>>>>>            path = /usr/local/samba/var/locks/sysvol
>>>>>            read only = No
>>>>>
>>>>>> getfacl PATH_TO_SYSVOL
>>>>> I'm not sure these are the original, I made many changes ....
>>>>>
>>>>> # file: usr/local/samba/var/locks/sysvol
>>>>> # owner: root
>>>>> # group: root
>>>>> user::rwx
>>>>> user:root:rwx
>>>>> user:3000000:rwx
>>>>> user:3000003:r-x
>>>>> group::rwx
>>>>> group:3000000:rwx
>>>>> group:3000001:rwx
>>>>> group:3000003:r-x
>>>>> mask::rwx
>>>>> other::rwx
>>>>> default:user::rwx
>>>>> default:user:root:rwx
>>>>> default:user:3000000:rwx
>>>>> default:user:3000003:r-x
>>>>> default:group::---
>>>>> default:group:3000000:rwx
>>>>> default:group:3000001:rwx
>>>>> default:group:3000003:r-x
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>>> getent the_Folder_ONE_below-PATH_TO_SYSVOL
>>>>>>
>>>>>> Explorer crashes, 9 out of 10 times, because of a wrong right on the
>>>>>> folder below the point you're sharing.
>>>>>> For example:
>>>>>>
>>>>>> getfacl /home
>>>>>> getfacl /home/samba
>>>>>> getfacl /home/samba/share/
>>>>>> getfacl /home/samba/share/data
>>>>>>
>>>>>> Can you also post all of these, but replace the example path with
>>>>>> your setup?
>>>>> My DC is not a file server; there is no home or share on this server,
>>>>> only netlogon and sysvol.
>>>>>
>>>>> # file: usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
>>>>> # owner: root
>>>>> # group: root
>>>>> user::rwx
>>>>> user:root:rwx
>>>>> user:3000000:rwx
>>>>> user:3000001:rwx
>>>>> user:3000003:r-x
>>>>> group::rwx
>>>>> group:3000000:rwx
>>>>> group:3000001:rwx
>>>>> group:3000003:r-x
>>>>> mask::rwx
>>>>> other::rwx
>>>>> default:user::rwx
>>>>> default:user:root:rwx
>>>>> default:user:3000000:rwx
>>>>> default:user:3000001:rwx
>>>>> default:user:3000003:r-x
>>>>> default:group::---
>>>>> default:group:3000000:rwx
>>>>> default:group:3000001:rwx
>>>>> default:group:3000003:r-x
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>>
>>>>>> Greetz,
>>>>>>
>>>>>> Louis
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> -----Original message-----
>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>>>>> Corrado Ravinetto via samba
>>>>>>> Sent: Tuesday 6 November 2018 13:44
>>>>>>> To: samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] classicupgrade
>>>>>>>
>>>>>>> Hello,
>>>>>>> I read this post, but when I check the properties tab, Explorer
>>>>>>> crashes and I cannot change anything.
>>>>>>> My question is: for each new policy must I change this default ???
>>>>>>> Can't I change the create mask in smb.conf for the sysvol share ???
>>>>>>>
>>>>>>> Thanks to all
>>>>>>>
>>>>>>> On 06/11/2018 13:22, L.P.H. van Belle via samba wrote:
>>>>>>>> Hai,
>>>>>>>>
>>>>>>>> I suggest, start reading here, it explains all.
>>>>>>>> https://lists.samba.org/archive/samba/2018-February/213690.html
>>>>>>>>
>>>>>>>> The script in that thread is not changing anything by default.
>>>>>>>>
>>>>>>>> I suggest try it and post the output.
>>>>>>>>
>>>>>>>>
>>>>>>>> Greetz,
>>>>>>>>
>>>>>>>> Louis
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> -----Original message-----
>>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>>>>>>> Rowland Penny via samba
>>>>>>>>> Sent: Tuesday 6 November 2018 12:33
>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>> Subject: Re: [Samba] classicupgrade
>>>>>>>>>
>>>>>>>>> On Tue, 6 Nov 2018 12:13:31 +0100
>>>>>>>>> Corrado Ravinetto via samba <samba at lists.samba.org> wrote:
>>>>>>>>>
>>>>>>>>>> On 06/11/2018 11:48, Rowland Penny via samba wrote:
>>>>>>>>>>> No, your GPO's will still work.
>>>>>>>>>> ok
>>>>>>>>>> but when I created my GPO in sysvol I cannot access this share
>>>>>>>>>> because:
>>>>>>>>>>
>>>>>>>>>> drwxrwx---+ 4 3000002 3000002 48  6 nov 12.03 {CE2EBBA2-28FE-45D7-94EC-CD7357F38D73}
>>>>>>>>>>
>>>>>>>>>> Must I, for each new policy, adjust rights and owner ???
>>>>>>>>>>
>>>>>>>>>> mmmmmmmh
>>>>>>>>> '3000002' is coming from idmap.ldb and because '3000002' isn't a Unix
>>>>>>>>> user, it isn't mapped to a Unix name, it could in fact be a
>>>>>>>>> group, yes, groups on Windows can own folders & files.
>>>>>>>>>
>>>>>>>>> There is a wiki page that might help:
>>>>>>>>>
>>>>>>>>> https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
>>>>>>>>>
>>>>>>>>> Further than that, I cannot help, I do not use GPO's, I don't have any
>>>>>>>>> Windows clients ;-)
>>>>>>>>>
>>>>>>>>> Perhaps Louis might care to chime in here.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>
>>>>>>>>>
>>>>>>> -- 
>>>>>>>
>>>>>>> *Corrado Ravinetto *
>>>>>>>
>>>>>>>
>>>>> -- 
>>>>>
>>>>> *Corrado Ravinetto *
>>>>>
>>>>>
>>
>

-- 

*Corrado Ravinetto *
Information Systems
corrado.ravinetto at lanificiocerruti.com 
<mailto:corrado.ravinetto at lanificiocerruti.com>
T: +39 015 3591283
Lanificio F.lli CERRUTI
*Lanificio F.lli Cerruti S.p.A. *
Via Cernaia 40, 13900 - Biella (BI) Italy
www.lanificiocerruti.com <http://www.lanificiocerruti.com/>

Twitter <https://twitter.com/Lan_Cerruti> Facebook 
<https://www.facebook.com/LanificioCerruti> Instagram 
<https://www.instagram.com/lanificiocerruti/>

Respect the environment, don't print unless necessary
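
The getfacl listings quoted in this thread can be checked mechanically. The following is an added example, not part of the original message or of the script linked in the thread: it parses getfacl output, decodes the \134 and \040 escapes, flags an "other" entry that is not "---" (the value in the reference default-rights-sysvol.acl quoted above) and lists numeric xids. The function names, the checks and the sample input are assumptions constructed for illustration.

```python
import re

# Constructed sample in the style of the getfacl output quoted in this thread.
SAMPLE = r"""# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: root
user::rwx
user:3000000:rwx
group:BUILTIN\134administrators:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
other::rwx
default:group:3000000:rwx
default:other::---
"""

def unescape(name):
    """Decode getfacl's octal escapes, e.g. \\134 (backslash) and \\040 (space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return (header dict, [(scope, tag, qualifier, perms), ...])."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition(": ")
            header[key] = unescape(value)
        elif line and not line.startswith("getfacl:"):
            scope = "access"
            if line.startswith("default:"):
                scope, line = "default", line[len("default:"):]
            tag, qualifier, perms = line.split(":", 2)
            entries.append((scope, tag, unescape(qualifier), perms.split()[0]))
    return header, entries

def audit_sysvol(text):
    """Assumed checks: 'other' should be --- as in the reference ACL; numeric IDs are listed."""
    header, entries = parse_getfacl(text)
    findings = []
    for scope, tag, qualifier, perms in entries:
        if tag == "other" and perms != "---":
            findings.append(f"WARN {scope} other::{perms}, reference has other::---")
        if qualifier.isdigit():
            findings.append(f"INFO {scope} {tag}:{qualifier} is an xid with no Unix name")
    return header, findings

if __name__ == "__main__":
    hdr, found = audit_sysvol(SAMPLE)
    print(hdr["file"], *found, sep="\n")
```

Numeric IDs are reported as information only, since the reference ACL in the thread also contains them.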



