[Samba] classicupgrade

Corrado Ravinetto corrado.ravinetto at lanificiocerruti.com
Thu Nov 8 14:31:15 UTC 2018


SORRY

I have added a user to Domain Admins and used it to create GPOs.
Now I used administrator and the GPOs are created correctly: how can I
elevate my user to Domain Admins???

tnx

On 08/11/2018 14:05, Corrado Ravinetto via samba wrote:
> hello
>> One question: who is the owner and what are the rights for the directories
>
>> /home
> drwxr-xr-x.   5 root root   49  6 nov 16.21 home
>> /home/samba
> drwxr-xr-x. 3 root root  20  6 nov 16.21 samba
>> /home/samba/sysvol
> drwxrwx---+ 4 root root 52  8 nov 12.47 sysvol
>>
>> because, from a Windows client, as a user in Domain Admins, when I make
>> changes in the Security tab, Explorer always crashes
>>
>> bye
>>
>> On 06/11/2018 17:16, L.P.H. van Belle via samba wrote:
>>> Ok, next,
>>>
>>> From a Windows PC, connect to the server with computer manager, and
>>> now set up the share and folder rights,
>>> as shown in the link posted (
>>> https://lists.samba.org/archive/samba/2018-February/213690.html )
>>>
>>> I'm leaving the office, so a reply will probably come tomorrow.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>> Corrado Ravinetto via samba
>>>> Sent: Tuesday 6 November 2018 16:57
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] classicupgrade
>>>>
>>>> Hello Louis
>>>> I followed your email and created this file with your link:
>>>>
>>>> [root@dc1 samba.PDC]# cat default-rights-sysvol.acl
>>>> # file: /home/samba/sysvol
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:root:rwx
>>>> user:3000004:rwx
>>>> user:3000000:r-x
>>>> user:3000001:rwx
>>>> user:3000018:r-x
>>>> group::rwx
>>>> group:3000004:rwx
>>>> group:3000000:r-x
>>>> group:3000001:rwx
>>>> group:3000018:r-x
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:3000004:rwx
>>>> default:user:3000000:r-x
>>>> default:user:3000001:rwx
>>>> default:user:3000018:r-x
>>>> default:group::---
>>>> default:group:3000004:rwx
>>>> default:group:3000000:r-x
>>>> default:group:3000001:rwx
>>>> default:group:3000018:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>>
>>>> I applied this with setfacl.
>>>> I restarted Samba; from Windows, with GPO, when creating a new GPO:
>>>> access denied
>>>>
>>>> On 06/11/2018 15:52, L.P.H. van Belle via samba wrote:
>>>>> Hai,
>>>>>
>>>>>
>>>>> OK, I expected somewhat different output.
>>>>> On my DC, I use /home/samba/sysvol and /home/samba/netlogon.
>>>>> This is what I expected.
>>>>>
>>>>> getfacl /home/samba/
>>>>>
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: home/samba/
>>>>> # owner: root
>>>>> # group: BUILTIN\134administrators
>>>>> user::rwx
>>>>> user:root:rwx
>>>>> group::rwx
>>>>> group:BUILTIN\134administrators:rwx
>>>>> group:BUILTIN\134server\040operators:r-x
>>>>> group:NT\040AUTHORITY\134system:rwx
>>>>> group:NT\040AUTHORITY\134authenticated\040users:r-x
>>>>> mask::rwx
>>>>> other::r-x
>>>>> default:user::rwx
>>>>> default:user:root:rwx
>>>>> default:group::---
>>>>> default:group:BUILTIN\134administrators:rwx
>>>>> default:group:BUILTIN\134server\040operators:r-x
>>>>> default:group:NT\040AUTHORITY\134system:rwx
>>>>> default:group:NT\040AUTHORITY\134authenticated\040users:r-x
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>> Now how am I getting that if I'm sharing: /home/samba/sysvol
>>>>> I've also shared: /home/samba before the setup.
>>>>> I've set the above rights first on /home/samba
>>>>> and then I've set the rights on /home/samba/sysvol
>>>>>
>>>>> Before you do that:
>>>>> wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
>>>>> That generated a file called: default-rights-sysvol.acl
>>>>> With this as content:
>>>>> # file: sysvol
>>>>> # owner: root
>>>>> # group: BUILTIN\134administrators
>>>>> user::rwx
>>>>> user:root:rwx
>>>>> user:BUILTIN\134administrators:rwx
>>>>> user:BUILTIN\134server\040operators:r-x
>>>>> user:3000002:rwx
>>>>> user:3000003:r-x
>>>>> group::rwx
>>>>> group:BUILTIN\134administrators:rwx
>>>>> group:BUILTIN\134server\040operators:r-x
>>>>> group:3000002:rwx
>>>>> group:3000003:r-x
>>>>> mask::rwx
>>>>> other::---
>>>>> default:user::rwx
>>>>> default:user:root:rwx
>>>>> default:user:BUILTIN\134administrators:rwx
>>>>> default:user:BUILTIN\134server\040operators:r-x
>>>>> default:user:3000002:rwx
>>>>> default:user:3000003:r-x
>>>>> default:group::---
>>>>> default:group:BUILTIN\134administrators:rwx
>>>>> default:group:BUILTIN\134server\040operators:r-x
>>>>> default:group:3000002:rwx
>>>>> default:group:3000003:r-x
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>> And if you use sysvol/netlogon only for Windows computers, which you do,
>>>>> set these: (change the path to your setup.)
>>>>> [sysvol]
>>>>>           path = /home/samba/sysvol
>>>>>           read only = No
>>>>>           acl_xattr:ignore system acls = yes
>>>>>
>>>>> [netlogon]
>>>>>           path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
>>>>>           read only = No
>>>>>           acl_xattr:ignore system acls = yes
>>>>>
>>>>> It's, in my opinion, the best way to make your sysvol work
>>>>> without problems.
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>>>> Corrado Ravinetto via samba
>>>>>> Sent: Tuesday 6 November 2018 14:35
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] classicupgrade
>>>>>>
>>>>>> great :-)
>>>>>>
>>>>>> On 06/11/2018 14:17, L.P.H. van Belle via samba wrote:
>>>>>>> These are one-time settings.
>>>>>>> And yes, for each policy you need to click on these once (in the
>>>>>>> GPO policy objects in the GPO editor).
>>>>>> ok
>>>>>>> Can you post smb.conf
>>>>>> [global]
>>>>>>            netbios name = DC1
>>>>>>            realm = LXCERRUTI.COM
>>>>>>            server role = active directory domain controller
>>>>>>            workgroup = LXCERRUTI
>>>>>>            idmap_ldb:use rfc2307 = yes
>>>>>>            log level = 1
>>>>>>
>>>>>> [netlogon]
>>>>>>            path = /usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
>>>>>>            read only = No
>>>>>>
>>>>>> [sysvol]
>>>>>>            path = /usr/local/samba/var/locks/sysvol
>>>>>>            read only = No
>>>>>>
>>>>>>> getfacl PATH_TO_SYSVOL
>>>>>> I'm not sure these are the original; I made many changes ....
>>>>>>
>>>>>> # file: usr/local/samba/var/locks/sysvol
>>>>>> # owner: root
>>>>>> # group: root
>>>>>> user::rwx
>>>>>> user:root:rwx
>>>>>> user:3000000:rwx
>>>>>> user:3000003:r-x
>>>>>> group::rwx
>>>>>> group:3000000:rwx
>>>>>> group:3000001:rwx
>>>>>> group:3000003:r-x
>>>>>> mask::rwx
>>>>>> other::rwx
>>>>>> default:user::rwx
>>>>>> default:user:root:rwx
>>>>>> default:user:3000000:rwx
>>>>>> default:user:3000003:r-x
>>>>>> default:group::---
>>>>>> default:group:3000000:rwx
>>>>>> default:group:3000001:rwx
>>>>>> default:group:3000003:r-x
>>>>>> default:mask::rwx
>>>>>> default:other::---
>>>>>>
>>>>>>> getent the_Folder_ONE_below-PATH_TO_SYSVOL
>>>>>>>
>>>>>>> Explorer crashes: 9 out of 10 times it is a wrong right on the
>>>>>>> folder below the point you're sharing.
>>>>>>> For example:
>>>>>>>
>>>>>>> getfacl /home
>>>>>>> getfacl /home/samba
>>>>>>> getfacl /home/samba/share/
>>>>>>> getfacl /home/samba/share/data
>>>>>>>
>>>>>>> Can you also post all of these, but replace the example paths with
>>>>>>> those of your setup.
>>>>>> My DC is not a file server; there is no home or share on this server,
>>>>>> only netlogon and sysvol.
>>>>>>
>>>>>> # file: usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
>>>>>> # owner: root
>>>>>> # group: root
>>>>>> user::rwx
>>>>>> user:root:rwx
>>>>>> user:3000000:rwx
>>>>>> user:3000001:rwx
>>>>>> user:3000003:r-x
>>>>>> group::rwx
>>>>>> group:3000000:rwx
>>>>>> group:3000001:rwx
>>>>>> group:3000003:r-x
>>>>>> mask::rwx
>>>>>> other::rwx
>>>>>> default:user::rwx
>>>>>> default:user:root:rwx
>>>>>> default:user:3000000:rwx
>>>>>> default:user:3000001:rwx
>>>>>> default:user:3000003:r-x
>>>>>> default:group::---
>>>>>> default:group:3000000:rwx
>>>>>> default:group:3000001:rwx
>>>>>> default:group:3000003:r-x
>>>>>> default:mask::rwx
>>>>>> default:other::---
>>>>>>
>>>>>>
>>>>>>> Greetz,
>>>>>>>
>>>>>>> Louis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>>>>>> Corrado Ravinetto via samba
>>>>>>>> Sent: Tuesday 6 November 2018 13:44
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] classicupgrade
>>>>>>>>
>>>>>>>> hello
>>>>>>>> I read this post, but when I check the property tab, Explorer
>>>>>>>> crashes and I cannot change anything.
>>>>>>>> My question is: for each new policy must I change this default???
>>>>>>>> Can't I change the create mask in smb.conf for the sysvol share???
>>>>>>>>
>>>>>>>> Thanks to all
>>>>>>>>
>>>>>>>> On 06/11/2018 13:22, L.P.H. van Belle via samba wrote:
>>>>>>>>> Hai,
>>>>>>>>>
>>>>>>>>> I suggest, start reading here, it explains all.
>>>>>>>>> https://lists.samba.org/archive/samba/2018-February/213690.html
>>>>>>>>>
>>>>>>>>> The script in that thread is not changing anything by default.
>>>>>>>>>
>>>>>>>>> I suggest try it and post the output.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Greetz,
>>>>>>>>>
>>>>>>>>> Louis
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> -----Original message-----
>>>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>>>>>>>> Rowland Penny via samba
>>>>>>>>>> Sent: Tuesday 6 November 2018 12:33
>>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>>> Subject: Re: [Samba] classicupgrade
>>>>>>>>>>
>>>>>>>>>> On Tue, 6 Nov 2018 12:13:31 +0100
>>>>>>>>>> Corrado Ravinetto via samba <samba at lists.samba.org> wrote:
>>>>>>>>>>
>>>>>>>>>>> On 06/11/2018 11:48, Rowland Penny via samba wrote:
>>>>>>>>>>>> No, your GPOs will still work.
>>>>>>>>>>> ok
>>>>>>>>>>> but when I created my GPO in sysvol I cannot access this share
>>>>>>>>>>> because:
>>>>>>>>>>>
>>>>>>>>>>> drwxrwx---+ 4 3000002 3000002 48  6 nov 12.03 {CE2EBBA2-28FE-45D7-94EC-CD7357F38D73}
>>>>>>>>>>>
>>>>>>>>>>> Must I, for each new policy, adjust rights and owner???
>>>>>>>>>>>
>>>>>>>>>>> mmmmmmmh
>>>>>>>>>> '3000002' is coming from idmap.ldb and because '3000002' isn't a Unix
>>>>>>>>>> user, it isn't mapped to a Unix name. It could in fact be a
>>>>>>>>>> group; yes, groups on Windows can own folders & files.
>>>>>>>>>>
>>>>>>>>>> There is a wiki page that might help:
>>>>>>>>>>
>>>>>>>>>> https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
>>>>>>>>>>
>>>>>>>>>> Further than that, I cannot help, I do not use GPOs, I don't have any
>>>>>>>>>> Windows clients ;-)
>>>>>>>>>>
>>>>>>>>>> Perhaps Louis might care to chime in here.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>> -- 
>>>>>>>>
>>>>>>>> *Corrado Ravinetto *
>>>>>>>>
>>>>>>>>
>>>>>> -- 
>>>>>>
>>>>>> *Corrado Ravinetto *
>>>>>>
>>>>>>
>>>> -- 
>>>>
>>>> *Corrado Ravinetto *
>>>> Information Systems
>>>> corrado.ravinetto at lanificiocerruti.com
>>>> <mailto:corrado.ravinetto at lanificiocerruti.com>
>>>> T: +39 015 3591283
>>>> Lanificio F.lli CERRUTI
>>>> *Lanificio F.lli Cerruti S.p.A. *
>>>> Via Cernaia 40, 13900 - Biella (BI) Italy
>>>> www.lanificiocerruti.com <http://www.lanificiocerruti.com/>

-- 

*Corrado Ravinetto *
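
The thread compares `getfacl` dumps by eye. As an added example (not part of any poster's message and not taken from samba-check-set-sysvol.sh), the shell function below reads `getfacl` output and reports two things visible in the ACLs posted above: an `other` entry carrying the write bit, and numeric IDs that have no Unix name. The function names, the finding labels and the shortened sample are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit getfacl output for a sysvol tree (names are hypothetical).
# Reads getfacl text on stdin and prints one finding per line.
audit_sysvol_acl() {
    awk -F: '
        /^# file:/ { file = $0; sub(/^# file: */, "", file); next }
        /^#/ || NF < 3 { next }
        {
            scope = "access"; k = 1
            if ($1 == "default") { scope = "default"; k = 2 }
            kind = $k; who = $(k + 1); perm = substr($(k + 2), 1, 3)
            # "other" with the write bit: accounts matching no other entry may write
            if (kind == "other" && perm ~ /w/)
                printf "WORLD-WRITABLE %s %s other::%s\n", file, scope, perm
            # numeric qualifier: an ID from idmap.ldb with no Unix name
            if ((kind == "user" || kind == "group") && who ~ /^[0-9]+$/ &&
                !seen[file, who]++)
                printf "UNMAPPED-ID %s %s\n", file, who
        }
    '
}

# Constructed sample: a shortened copy of the first sysvol ACL posted in the thread.
sample_acl() {
    cat <<'EOF'
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:3000000:rwx
default:other::---
EOF
}

sample_acl | audit_sysvol_acl
```

On a live DC the same function can be fed with `getfacl -R /home/samba/sysvol | audit_sysvol_acl`, adjusting the path to the local setup.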