[Samba] Fw: AD users are not shown in Domain Controller when applying setfacl command
barani tharan
aru_barani at yahoo.com
Fri Nov 30 06:16:42 UTC 2018
Dear Rowland Penny
I followed the steps you mentioned but I still face the same problem.
I have 1 Domain Controller [sambadc] and 1 Domain member for Samba share and backup [backupserver].
1. When I try to view the ACL rights on the backup server, I can see the domain user name:
[root at backupserver Rishinox]# getfacl /ADHDD/Rishinox/
getfacl: Removing leading '/' from absolute path names
# file: ADHDD/Rishinox/
# owner: administrator
# group: domain\040users
user::rwx
user:administrator:rwx #effective:r-x
group::rwx #effective:r-x
group:domain\040users:r-x
group:domain\040admins:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:administrator:rwx
default:group::rwx
default:group:domain\040users:r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x
2. My smb.conf file on the backup server:
[root at backupserver Rishinox]# vi /etc/samba/smb.conf
[global]
#--authconfig--start-line--
# Generated by authconfig on 2017/10/27 10:57:19
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = RISHI
password server = sambadc.rishi.com
realm = RISHI.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = yes
winbind offline logon = true
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
#--authconfig--end-line--
; workgroup = SAMBA
; security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[Rishinox] ---> This is my Samba share
path = /ADHDD/Rishinox
read only = no
inherit acls = yes
browseable = yes
valid users = +rishi\"Domain Users"
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
3. I am able to view the domain user id on backupserver:
[root at backupserver Rishinox]# id RISHI\\administrator
uid=16777216(administrator) gid=16777220(domain users) groups=16777220(domain users),16777221(group policy creator owners),16777222(denied rodc password replication group),16777223(enterprise admins),16777224(schema admins),16777225(domain admins),16777217(BUILTIN\users),16777216(BUILTIN\administrators)
4. When I try to check the domain user id, set the ACL and change the owner of a file, I get the following errors on the Domain Controller:
[root at sambadc Rishinox_Share]# chown root:"Domain Admins" /ADD_Drive/Rishinox_Share/COMMON/
chown: invalid group: ‘root:Domain Admins’
[root at sambadc Rishinox_Share]# setfacl -m "u:RISHI\Administrator:rwx" /ADD_Drive/Rishinox_Share/
setfacl: Option -m: Invalid argument near character 3
[root at sambadc Rishinox_Share]# id RISHI\\administrator
id: RISHI\administrator: no such user
5. When I try to view the ACL rights, I get the following output; it does not show the domain user name, it shows the user id?
[root at sambadc Rishinox_Share]# getfacl /ADD_Drive/Rishinox_Share/
getfacl: Removing leading '/' from absolute path names
# file: ADD_Drive/Rishinox_Share/
# owner: 16777216
# group: 16777220
user::rwx
user:root:rwx #effective:r-x
group::---
group:root:---
group:users:r-x
group:3000000:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::r-x
default:group:root:r-x
default:group:users:r-x
default:group:3000000:rwx
default:mask::rwx
default:other::---
6. My smb.conf file for the Domain Controller:
[root at sambadc Rishinox_Share]# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = RISHI
realm = RISHI.COM
netbios name = SAMBADC
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/rishi.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[Rishinox]
path = /ADD_Drive/Rishinox_Share
read only = no
7. I already checked the libs file link and ACL setup on the Domain Controller:
# smbd -b | grep HAVE_LIBACL
HAVE_LIBACL
[root at sambadc Rishinox_Share]# net rpc rights list privileges SeDiskOperatorPrivilege -U "RISHI\administrator"
[root at sambadc Rishinox_Share]# net rpc rights grant "RISHI\Domain Admins" SeDiskOperatorPrivilege -U "RISHI\administrator"
[root at sambadc Rishinox_Share]# ls -ll /lib64
lrwxrwxrwx. 1 root root 9 Oct 26 2017 /lib64 -> usr/lib64
[root at sambadc Rishinox_Share]# ls -ll /lib64/libnss_winbind.so
lrwxrwxrwx 1 root root 26 Nov 28 18:27 /lib64/libnss_winbind.so -> /lib64/libnss_winbind.so.2
I don't know what I am doing wrong in the configuration.
Thanks & Regards
Baranitharan
On Wednesday, 28 November 2018, 2:45:40 PM GMT+5:30, Rowland Penny via samba <samba at lists.samba.org> wrote:
On Wed, 28 Nov 2018 08:36:47 +0000 (UTC)
barani tharan via samba <samba at lists.samba.org> wrote:
>
> Dear Team, I show my problem below, when trying to apply setfacl to a share
> directory in the domain controller
>
>
> My Problem is:
> I have one Samba AD [4.1] it work fine. I create common share folder
Samba 4.1.x is EOL, you really should upgrade.
> in the domain controller. When I try to apply ACL permissions it shows the
> following message:
> [root at sambadc ~]# setfacl -m "u:RISHI\Administrator:rwx" /ADD_Drive/Sample
> setfacl: Option -m: Invalid argument near character 3
> After that I try to find the users' id
>
> [root at sambadc ~]# id RISHI\\administrator
> id: RISHI\administrator: no such user
> But when i try the below command it shows the users
> [root at sambadc ~]# samba-tool user list
>
> AvijitGhosh
> RanjitRaman
> TeernaChatterjee
> AnkitJaiswal
> Priyaranjan
> DeepJoy
> NirajKishorSingh
> RajKumarMaurya
> Test
> HimanshuSinghi
> SoumyaKanjilal
> AshishJaiswal
> PoushaliSengupta
> BanditaRoy
> RohitAgarwal
> TuhinSaha
> Subramaniam
'samba-tool user list' works in the same way as 'wbinfo -u', it goes
direct to AD.
If getent doesn't work, it is usually because the libnss-winbind links
are not set up, see here:
https://wiki.samba.org/index.php/Libnss_winbind_Links
>
> My Samba file smb.conf
>
> [root at sambadc ~]# vi /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
> workgroup = RISHI
> realm = RISHI.COM
> netbios name = SAMBADC
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/rishi.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [Rishinox]
> path = /ADD_Drive/Rishinox_Share
> read only = no
Make the share look like the above and then read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
You must use Windows ACLs on a share on a DC.
> At the same time, when I try ACL permissions on the Domain member server, they can be
> applied and it shows the user id
>
> [root at backupserver ~]# id RISHI\\administrator
> uid=16777216(administrator) gid=16777220(domain users)
> groups=16777220(domain users),16777221(group policy creator
> owners),16777222(denied rodc password replication
> group),16777223(enterprise admins),16777224(schema
> admins),16777225(domain
> admins),16777217(BUILTIN\users),16777216(BUILTIN\administrators)
>
It looks like you are using sssd, if so, can I suggest you use winbind
instead, see here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
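The checks Rowland points at (winbind in nsswitch, the libnss_winbind links) and the symptom in the DC listing (raw IDs such as 16777216 and 3000000 where the member server shows names) can be scripted. The following is an added example, not code from the thread or from the Samba project: it parses getfacl output for qualifiers that NSS failed to map back to a name, and checks a given nsswitch.conf and lib directory the way the wiki page describes. The paths passed as arguments are assumptions; on the DC in the thread they would be /etc/nsswitch.conf and /lib64.

```bash
#!/bin/bash
# Added example (not from the thread): why id/chown/setfacl/getfacl on a Samba AD DC
# fall back to raw numeric IDs while wbinfo/samba-tool, which talk to AD directly,
# still list the users. Paths are passed in so the checks can be run against any tree.

# Is winbind a source for both passwd and group lookups in the given nsswitch.conf?
nsswitch_has_winbind() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" 2>/dev/null &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1" 2>/dev/null
}

# Do both libnss_winbind names in the lib dir resolve to a real file?
# "test -e" follows symlinks, so a dangling .so -> .so.2 link (easy to end up with
# when Samba is built under /usr/local/samba) counts as missing.
nss_links_present() {
    [ -e "$1/libnss_winbind.so.2" ] && [ -e "$1/libnss_winbind.so" ]
}

# Read getfacl output on stdin; print every owner/group header and every named
# user/group entry whose qualifier is a bare number, i.e. an ID NSS could not
# map to a name. Default entries ("default:user:...") are handled too.
unresolved_acl_entries() {
    awk '
        /^# (owner|group): / {
            q = $0; sub(/^# (owner|group): /, "", q)
            if (q ~ /^[0-9]+$/) print $0
            next
        }
        /^(default:)?(user|group):[^:]+:/ {
            line = $0; sub(/^default:/, "", line)
            split(line, f, ":")
            if (f[2] ~ /^[0-9]+$/) print $0
        }'
}

# Sample input: the getfacl output from the DC as posted in this thread.
dc_getfacl_output=$(cat <<'EOF'
# file: ADD_Drive/Rishinox_Share/
# owner: 16777216
# group: 16777220
user::rwx
user:root:rwx #effective:r-x
group::---
group:root:---
group:users:r-x
group:3000000:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::r-x
default:group:root:r-x
default:group:users:r-x
default:group:3000000:rwx
default:mask::rwx
default:other::---
EOF
)

# Stand-alone run: list the unresolved entries from the sample, then check this
# host with the DC's paths (adjust for another layout).
printf '%s\n' "$dc_getfacl_output" | unresolved_acl_entries
nsswitch_has_winbind /etc/nsswitch.conf \
    && echo "nsswitch: winbind present for passwd and group" \
    || echo "nsswitch: winbind missing for passwd and/or group"
nss_links_present /lib64 \
    && echo "libnss_winbind links: ok" \
    || echo "libnss_winbind links: missing or dangling"
```

On the posted DC listing the parser reports five entries (owner, group, and the three 3000000 entries), which is exactly what "id: RISHI\administrator: no such user" predicts: name lookups never reach winbind, so setfacl's "Invalid argument near character 3" is pointing at the qualifier "RISHI\Administrator" that it could not resolve. One caveat a practitioner would check after fixing NSS: 16777216 is the start of the member server's idmap range (idmap config * : range = 16777216-33554431), not an ID the DC allocates itself (the DC's idmap.ldb starts at 3000000), so the owner shown on the DC was most likely carried over numerically from the member server and will still not map to a name on the DC once winbind resolution works.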