[Samba] "missing security tab" and related ACL issues
Stefan G. Weichinger
lists at xunil.at
Fri Nov 9 08:06:21 UTC 2018
On 11.09.18 at 10:06, Rowland Penny via samba wrote:
> On Tue, 11 Sep 2018 09:54:32 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>> On 07.09.18 at 20:07, Rowland Penny via samba wrote:
>>> On Fri, 7 Sep 2018 19:09:37 +0200
>>> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>>>> # net rpc rights grant "Domänen-Admins" SeDiskOperatorPrivilege -U
>>>> also for "mydomain\Domänen-Admins"
>>> Why is it 'Domanen-Admins' ? is the dash normal for the German
>>> version of Windows ?
>>> At least it exists ;-)
>>> Is the locale set correctly ?
>> tried to set the locale to a German one ...
>> # wbinfo -g
>> still that special char displayed
>> # wbinfo -g | grep -i adm
>> specops endpoint protection report admins
>> Übereinstimmungen in Binärdatei (Standardeingabe)
>> this does NOT contain "domänen-admins"
>> why that?
>> # smb.conf
>> unix charset = iso8859-15
>> security = ads
>> realm = MYDOMAIN.INTRA
>> workgroup = MYDOMAIN
>> netbios aliases = u1MYDOMAIN
>> server string = U1MYDOMAIN
>> winbind cache time = 10
>> winbind use default domain = yes
>> winbind refresh tickets = Yes
>> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
>> restrict anonymous = 2
>> domain master = no
>> local master = no
>> preferred master = no
>> invalid users = root bin daemon adm sync shutdown halt mail news \
>> obey pam restrictions = yes
>> interfaces = 192.168.100.4/24 127.0.0.1
>> bind interfaces only = Yes
>> idmap config * : range = 3000-7999
>> idmap config * : backend = tdb
>> idmap config MYDOMAIN : range = 10000-20000
>> idmap config MYDOMAIN : backend = rid
>> # For ACL support on domain member
>> vfs objects = acl_xattr full_audit
>> map acl inherit = Yes
>> store dos attributes = Yes
>> nt acl support = No
>> force unknown acl user = Yes
>> unix extensions = no
>> follow symlinks= yes
>> wide links= yes
>> load printers = no
>> printcap name = /dev/null
>> # exe files
>> acl allow execute always = True
>> # Audit settings
>> full_audit:prefix = %u|%I|%S
>> full_audit:failure = connect
>> full_audit:success = mkdir rmdir write pwrite rename unlink \
>> chmod fchmod chown fchown ftruncate
>> full_audit:facility = local5
>> full_audit:priority = notice
>> # /etc/nsswitch.conf:
>> passwd: compat winbind files
>> group: compat winbind files
>> shadow: compat files
> There doesn't seem to be anything wrong there and as I never had that
> problem, I am a bit stuck now ;-)
> Perhaps someone else from Germany has had this problem and would care
> to post ?
I have to revive this thread; yesterday I enabled the kernel options for
ACLs there and can use ACLs on the filesystem itself.
We still saw no security tab for samba shares in Windows. Not as
domain-admin, not as member of a user with the needed privilege.
The security tab is there for local drives and windows-server-shares,
only samba-4.8.6-shares miss it.
I will recheck everything ...
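
Added example, not part of the original thread: a small Python lint that parses smb.conf-style text and reports settings that affect how smbd handles Windows ACLs and symlinks, as documented in smb.conf(5). The sample input is constructed from lines of the configuration quoted above; the function names and the choice of checks are assumptions of this example.

```python
import re

# Constructed sample, taken from lines of the smb.conf quoted in the thread.
SAMPLE = """\
# For ACL support on domain member
vfs objects = acl_xattr full_audit
map acl inherit = Yes
nt acl support = No
unix extensions = no
wide links= yes
full_audit:success = mkdir rmdir write pwrite rename unlink \\
    chmod fchmod chown fchown ftruncate
"""

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def norm(name):
    # smb.conf(5): parameter names ignore case and internal whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Return {normalized name: value}; joins lines ending in a backslash."""
    params, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;" or line.startswith("[") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[norm(name)] = value.strip()
    return params

def is_on(params, name, default):
    value = params.get(norm(name), "").lower()
    return True if value in TRUE else False if value in FALSE else default

def share_findings(params):
    """Checks chosen for this example; defaults follow smb.conf(5)."""
    findings = []
    if not is_on(params, "nt acl support", True):
        findings.append("nt acl support is off: smbd will not map permissions to NT ACLs")
    if "acl_xattr" not in params.get(norm("vfs objects"), "").split():
        findings.append("vfs objects lacks acl_xattr: NT ACLs are not stored in xattrs")
    if is_on(params, "wide links", False) and not is_on(params, "unix extensions", True):
        findings.append("wide links is active: symlinks may lead outside the share")
    return findings
```

Running `share_findings(parse(SAMPLE))` on the constructed sample returns two findings, one for `nt acl support` and one for `wide links`.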