[Samba] Domain Administrator and shares problems

Peter Milesson miles at atmos.eu
Thu Oct 11 07:58:06 UTC 2018



On 10.10.2018 11:18, L.P.H. van Belle via samba wrote:
> I suggest to the op check my settings and try it.
> Should work.
> Not showing the security tab is often a wrong right in the underlying folder.
>
> So in case of this one, i would check this first.
> ls -al /data/
> ls -al /data/samba
> ls -al /data/samba/profiles
>
> chmod 775 /data/  ! In case of a chmod 770 or 750 make sure you have a group set that is known in windows.
> Same for /data/samba
>
> chmod 1777 for /data/samba/profiles
> Then when creating/setting the profiles in Windows tools, first set the UNIX UID, click apply.
> Now set the profiles path, it should result in
>
> # file: home/samba/profiles/username.V6
> # owner: username
> # group: domain\040users
> user::rwx
> user:username:rwx
> group::---
> group:2005:rwx
> group:domain\040users:---
> mask::rwx
> other::---
> default:user::rwx
> default:user:obell:rwx
> default:group::---
> default:group:2005:rwx
> default:group:domain\040users:---
> default:mask::rwx
> default:other::---
>
> Do note the UID 2005, that is the one that created the folder. ( user : SYSTEM )
>
> Greetz,
>
> Louis
>
Hi Louis and Rowland,

A big thank you for pushing me to continue this. Thanks to your help, 
things are working as they should, and as one would expect. For the 
curious, the final smb.conf for the Samba member server is below this 
message.

What I did was to implement the smb.conf I got from Rowland. As I do 
not want *any* Samba users logging on with ssh, the template homedir = 
/dev/null, and template shell = /bin/nologin.

After that, I created the /data/samba/profiles directory and set the 
ownership and permissions according to Louis' instructions above. I 
also checked and made sure that only BUILTIN\Administrators had the 
SeDiskOperatorPrivilege, SeSecurityPrivilege, and 
SeTakeOwnershipPrivilege privileges set. Domain Admins inherit this 
from BUILTIN\Administrators, so there is no point in setting this for 
Domain Admins.

The rest was made through Windows Computer Management.

What is different from the Samba Wiki is the default share permission. 
It's set to Everyone with full privileges. It definitely has 
implications if something else is set (probably for the worse).

Further on, in the security tab, everything was set up according to the 
Wiki. Testing the share, it behaves exactly as expected. After that, I 
assigned roaming profiles to a couple of users through the Profile tab 
in the ADUC tool (\\smbtest\Profiles$\<username>). Worked according to 
the book. The profile folder is not displayed when browsing the server 
(the $ sign), and if it's an advanced user who knows the trick with the 
$-sign, no other folder than the user's own profile folder is displayed. 
Profiles are correctly created, retrieved and stored at logon and logoff.

When checking the folders, all ownerships are set correctly. There is 
just one crucial point, however. Always keep the default share owner 
(unix root). Never mix in the Administrator account in the shares. At 
least in my setup, it seems Samba sometimes uses Administrator and 
sometimes root when setting ownership and permissions. Stick to root 
keeping ownership of the share.

Thanks a lot to those who have contributed to the success! Great work!

Best regards,

Peter



smb.conf
========

[global]
    workgroup = PRIVATE
    realm = PRIVATE.LOCAL
    security = ADS
    server string = Private server %h

    username map = /etc/samba/user.map

    winbind use default domain = true
    winbind expand groups = 2
    winbind refresh tickets = Yes
    winbind offline logon = true

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config PRIVATE:backend = rid
    idmap config PRIVATE:range = 10000-99999
#   template homedir = /home/%U
    template homedir = /dev/null
#   template shell = /bin/bash
    template shell = /bin/nologin

    local master = no
    domain master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

#   winbind enum users = yes
#   winbind enum groups = yes

    printing = bsd
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    acl_xattr:ignore system acl = yes

    hide unreadable = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    unix extensions = no
    reset on zero vc = yes

[Profiles$]
         readonly = no
         path = /data/samba/profiles
         acl_xattr:ignore system acl = yes

[Users$]
         readonly = no
         path = /home/%U

[Wanda]
         readonly = no
         path = /data/samba/wandafish
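The following is an added example, not code from this thread or from the Samba project: a small set of shell checks for the on-disk layout that Louis's quoted instructions describe (parents 775, profiles root 1777, each profile folder owned by its user with no access for "other"). It assumes GNU coreutils `stat` and a Linux host; the directory names are the ones used in the thread.

```shell
#!/usr/bin/env bash
# Added example: verify the directory permissions the thread recommends
# before looking at the Windows security tab. Assumes GNU stat (Linux).

# check_parent DIR: directories above the share (e.g. /data, /data/samba)
# should be 775 (or 755) so every domain user can traverse them.
check_parent() {
  local mode
  mode=$(stat -c '%a' "$1") || return 1
  case "$mode" in
    775|755|1775) return 0 ;;
    *) return 1 ;;
  esac
}

# check_profile_root DIR: the profiles root must be 1777, i.e. world-writable
# with the sticky bit, so each user can create a profile folder but cannot
# remove or rename someone else's.
check_profile_root() {
  local mode
  mode=$(stat -c '%a' "$1") || return 1
  [ "$mode" = "1777" ]
}

# check_profile_dir DIR USER: a created profile folder (username.V6) must be
# owned by USER and grant nothing to "other", matching the other::--- entry
# in the getfacl output quoted above.
check_profile_dir() {
  local owner mode
  owner=$(stat -c '%U' "$1") || return 1
  mode=$(stat -c '%a' "$1") || return 1
  [ "$owner" = "$2" ] || return 1
  case "$mode" in *0) return 0 ;; *) return 1 ;; esac
}

# list_exposed_profiles ROOT: print each top-level folder under ROOT whose
# "other" bits are set, i.e. a profile another domain user could read.
list_exposed_profiles() {
  local d
  for d in "$1"/*/; do
    [ -d "$d" ] || continue
    d=${d%/}
    case "$(stat -c '%a' "$d")" in
      *0) ;;
      *) printf '%s\n' "$d" ;;
    esac
  done
}
```

Run `list_exposed_profiles /data/samba/profiles` on the member server to spot profile folders that ended up with the wrong mode.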
