[Samba] "missing security tab" and related ACL issues

Stefan G. Weichinger lists at xunil.at
Fri Nov 9 08:06:21 UTC 2018


On 11.09.18 at 10:06, Rowland Penny via samba wrote:
> On Tue, 11 Sep 2018 09:54:32 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> 
>> On 07.09.18 at 20:07, Rowland Penny via samba wrote:
>>> On Fri, 7 Sep 2018 19:09:37 +0200
>>> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>>
>>>> But
>>>>
>>>> # net rpc rights grant "Domänen-Admins" SeDiskOperatorPrivilege -U
>>>> "mydomain\administrator"
>>>>
>>>> fails
>>>>
>>>> also for "mydomain\Domänen-Admins"
>>>
>>> Why is it 'Domanen-Admins' ? is the dash normal for the German
>>> version of Windows ?
>>> At least it exists ;-)
>>>
>>> Is the locale set correctly ?
>>
>> tried to set the locale to a German one ...
>>
>> # wbinfo -g
>> dom�nencomputer
>> dom�nen-benutzer
>> dom�nen-g�ste
>> dom�nen-admins
>>
>> still that special char displayed
>>
>> # wbinfo -g | grep -i adm
>> specops endpoint protection report admins
>> dnsadmins
>> schema-admins
>> organisations-admins
>> Übereinstimmungen in Binärdatei (Standardeingabe)
>>
>> this does NOT contain "domänen-admins"
>>
>> why that?
>>
>> -
>>
>> # smb.conf
>>
>> [global]
>> unix charset = iso8859-15
>>
>> security = ads
>> realm = MYDOMAIN.INTRA
>> workgroup = MYDOMAIN
>>
>> netbios aliases = u1MYDOMAIN
>> server string = U1MYDOMAIN
>>
>> winbind cache time = 10
>> winbind use default domain = yes
>> winbind refresh tickets = Yes
>>
>> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
>>
>> restrict anonymous = 2
>> domain master = no
>> local master = no
>> preferred master = no
>> invalid users = root bin daemon adm sync shutdown halt mail news \
>> 		uucp
>> obey pam restrictions = yes
>>
>> interfaces = 192.168.100.4/24 127.0.0.1
>> bind interfaces only = Yes
>>
>> idmap config * : range = 3000-7999
>> idmap config * : backend = tdb
>> idmap config MYDOMAIN : range = 10000-20000
>> idmap config MYDOMAIN : backend = rid
>>
>> # For ACL support on domain member
>> vfs objects = acl_xattr full_audit
>> map acl inherit = Yes
>> store dos attributes = Yes
>> nt acl support = No
>> force unknown acl user = Yes
>>
>> unix extensions = no
>> follow symlinks= yes
>> wide links= yes
>>
>> load printers = no
>> printcap name = /dev/null
>>
>> # exe files
>>
>> acl allow execute always = True
>>
>> # Audit settings
>> full_audit:prefix = %u|%I|%S
>> full_audit:failure = connect
>> full_audit:success = mkdir rmdir write pwrite rename unlink \
>> 		     chmod fchmod chown fchown ftruncate
>> full_audit:facility = local5
>> full_audit:priority = notice
>>
>> # /etc/nsswitch.conf:
>>
>> passwd:      compat winbind files
>> group:       compat winbind files
>> shadow:      compat files
>>
> 
> There doesn't seem to be anything wrong there and as I never had that
> problem, I am a bit stuck now ;-)
> 
> Perhaps someone else from Germany has had this problem and would care
> to post ?

I have to revive this thread, yesterday I enabled the kernel options for
ACLs there and can use ACLs on the filesystem itself.

We still saw no security tab for samba shares in Windows. Not as
domain-admin, not as member of a user with the needed privilege.

The security tab is there for local drives and windows-server-shares,
only samba-4.8.6-shares miss it.

I will recheck everything ...
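
As an added example (not part of the original message and not Samba's own code), this Python script parses a subset of the [global] block quoted above and reports the parameters that bear on Windows ACL handling and on the umlaut output seen from wbinfo. The check list, the treatment of absent parameters and the UTF-8 terminal are assumptions, not a diagnosis from the thread.

```python
# Added example, not from the thread. SMB_CONF repeats a subset of the
# [global] lines quoted in the message; the check list is an assumption.
SMB_CONF = """\
[global]
unix charset = iso8859-15
security = ads
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes
nt acl support = No
"""

TRUE = {"yes", "true", "1", "on"}

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params["".join(key.lower().split())] = value.strip()
    return params

def audit(params):
    """Return findings that affect Windows ACL handling on this member."""
    def on(name, default):
        return params.get(name, default).lower() in TRUE
    findings = []
    if not on("ntaclsupport", "yes"):  # smb.conf(5) default is yes
        findings.append("nt acl support = no: smbd does not map permissions to NT ACLs")
    if "acl_xattr" not in params.get("vfsobjects", "").split():
        findings.append("vfs objects lacks acl_xattr: NT ACLs are not stored in xattrs")
    # Assumption: an absent parameter counts as off
    for name in ("mapaclinherit", "storedosattributes"):
        if not on(name, "no"):
            findings.append(name + " is off")
    # Assumption: the admin terminal uses UTF-8
    if params.get("unixcharset", "utf-8").lower() not in ("utf-8", "utf8"):
        findings.append("unix charset is not UTF-8: umlauts from wbinfo break on a UTF-8 terminal")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_global(SMB_CONF)):
        print("-", finding)
```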



