[Samba] "missing security tab" and related ACL issues

Rowland Penny rpenny at samba.org
Tue Sep 11 08:06:48 UTC 2018


On Tue, 11 Sep 2018 09:54:32 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Am 07.09.18 um 20:07 schrieb Rowland Penny via samba:
> > On Fri, 7 Sep 2018 19:09:37 +0200
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> 
> >> But
> >>
> >> # net rpc rights grant "Domänen-Admins" SeDiskOperatorPrivilege -U
> >> "mydomain\administrator"
> >>
> >> fails
> >>
> >> also for "mydomain\Domänen-Admins"
> > 
> > Why is it 'Domanen-Admins' ? is the dash normal for the German
> > version of Windows ?
> > At least it exists ;-)
> > 
> > Is the locale set correctly ?
> 
> tried to set the locale to a german one ... 	
> 
> # wbinfo -g
> dom�nencomputer
> dom�nen-benutzer
> dom�nen-g�ste
> dom�nen-admins
> 
> still that special char displayed
> 
> # wbinfo -g | grep -i adm
> specops endpoint protection report admins
> dnsadmins
> schema-admins
> organisations-admins
> Übereinstimmungen in Binärdatei (Standardeingabe)
> 
> this does NOT contain "domänen-admins"
> 
> why that?
> 
> -
> 
> # smb.conf
> 
> [global]
> unix charset = iso8859-15
> 
> security = ads
> realm = MYDOMAIN.INTRA
> workgroup = MYDOMAIN
> 
> netbios aliases = u1MYDOMAIN
> server string = U1MYDOMAIN
> 
> winbind cache time = 10
> winbind use default domain = yes
> winbind refresh tickets = Yes
> 
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
> 
> restrict anonymous = 2
> domain master = no
> local master = no
> preferred master = no
> invalid users = root bin daemon adm sync shutdown halt mail news \
> 		uucp
> obey pam restrictions = yes
> 
> interfaces = 192.168.100.4/24 127.0.0.1
> bind interfaces only = Yes
> 
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config MYDOMAIN : range = 10000-20000
> idmap config MYDOMAIN : backend = rid
> 
> # For ACL support on domain member
> vfs objects = acl_xattr full_audit
> map acl inherit = Yes
> store dos attributes = Yes
> nt acl support = No
> force unknown acl user = Yes
> 
> unix extensions = no
> follow symlinks= yes
> wide links= yes
> 
> load printers = no
> printcap name = /dev/null
> 
> # exe files
> 
> acl allow execute always = True
> 
> # Audit settings
> full_audit:prefix = %u|%I|%S
> full_audit:failure = connect
> full_audit:success = mkdir rmdir write pwrite rename unlink \
> 		     chmod fchmod chown fchown ftruncate
> full_audit:facility = local5
> full_audit:priority = notice
> 
> # /etc/nsswitch.conf:
> 
> passwd:      compat winbind files
> group:       compat winbind files
> shadow:      compat files
> 

There doesn't seem to be anything wrong there and has I never had that
problem, I am a bit stuck now ;-)

Perhaps someone else from Germany has had this problem and would care
to post ?

Rowland



More information about the samba mailing list