[Samba] Cannot access HOME folder after upgrading to 4.8 from 4.6
Doug Sampson
dougs at dawnsign.com
Mon Sep 17 19:00:38 UTC 2018
Hello-
I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the upgrade, users cannot access the HOME folder share but they can access other shares just fine.
I am using the RID backend on this member server that connects to Windows-based domain controllers. I apologize for the lengthy smb4.conf but here it is:
#======================= Global Settings =====================================
[global]
# Domain membership: Kerberos realm plus AD security mode. "workgroup" is the
# short domain name and must match the "idmap config EXAMPLE:*" keys below.
# This would be your AD Domain (kerberos realm)
realm = DAWNSIGN.COM
security = ADS
# Already the default in Samba 4; kept for readability only.
encrypt passwords = yes
workgroup = EXAMPLE
server string =
# Global source-address allow-list, applied to every share. Defence in depth
# only: source addresses are not authenticated, so this does not replace the
# per-share "valid users" lists.
hosts allow = 192.168.xxx. 192.168.xxx. 127.
# NOTE(review): "bcast" is NetBIOS broadcast and cannot work with NetBIOS
# disabled below, and "host" (DNS) is not listed; confirm that lmhosts alone
# is the intended resolution path for smbd's own lookups.
name resolve order = lmhosts bcast
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
# Uncomment this if you want 139 open, but why would you? We're doing SMB over
# TCP only. No NetBIOS here
smb ports = 445
disable netbios = Yes
# ver 4.1 - RID backend
# Deterministic SID -> uid/gid mapping for the EXAMPLE domain. The "*" (tdb)
# range must not overlap it: 1000-50000 vs 50001-60000 is disjoint. Changing
# either range after deployment changes the ownership of existing files.
idmap config EXAMPLE:range = 50001-60000
idmap config EXAMPLE:default = yes
idmap config EXAMPLE:backend = rid
idmap config *:range = 1000-50000
idmap config *:backend = tdb
# "-" is the DOMAIN<sep>user separator, hence names such as EXAMPLE-user in
# this file. NOTE(review): a domain or trusted-domain name that itself
# contains "-" would be ambiguous with this separator; confirm none exist.
winbind separator = -
# Enumeration lets "getent passwd"/"getent group" list the entire domain to
# any local account and is slow on large domains; it is not required for
# share access.
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
# seconds
winbind cache time = 10
# Caches logon credentials in winbind's local database so logons survive a
# DC outage; that cache is sensitive data on this host.
winbind offline logon = yes
winbind refresh tickets = yes
kerberos method = secrets and keytab
dedicated keytab file = /usr/local/etc/krb5.keytab
winbind nss info = rfc2307
winbind scan trusted domains = yes
# ver 4.1
# "seal" encrypts (not merely signs) LDAP traffic to the DCs.
client ldap sasl wrapping = seal
directory name cache size = 0
# workaround to constant error messages in log.192.168.xxx.175
# prevent winbindd from changing machine password
# https://lists.samba.org/archive/samba/2016-September/203338.html
# Trade-off: the machine account password is never rotated, so a copy of
# secrets.tdb or the keytab taken at any time stays valid indefinitely.
machine password timeout = 0
#################
### Member Server
#################
# Browser settings
preferred master = no
local master = no
domain master = no
#= Disable Printing/Cups =============
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Change this to where you want the samba log
# %m = client NetBIOS/host name; one log per client.
log file = /var/log/samba4/log.%m
# Debug goes from 1 to 10 * 10 way too much info for me to understand ;)
#debug level = 10
log level = 2
#log level = 0
# Settings to enhance performance:
# Byte-range locks are only checked when a client asks; applications that
# rely on locking to coordinate concurrent writers should be tested.
strict locking = no
read raw = yes
write raw = yes
#oplocks = yes
max xmit = 65535
deadtime = 15
getwd cache = yes
max connections = 65535
max open files = 65535
use sendfile = true
aio read size = 16384
# Use asynchronous I/O for reads bigger than 16KB request size
aio write size = 16384
# Use asynchronous I/O for writes bigger than 16KB request size
#aio write behind = true
min receivefile size = 16384
strict sync = no
sync always = no
# End of performance section
#assuming you installed bash - change as needed
template shell = /bin/bash
# Unix account used for guest sessions (see [public], which allows them).
guest account = nobody
# These accounts perform every file operation as root on EVERY share,
# including [payroll]. A share's "valid users" still gates whether they may
# connect, but not what they can do once connected. Keep this list minimal;
# two individual users plus an entire group is broad.
admin users = EXAMPLE-user EXAMPLE-admin @"EXAMPLE-domain admins"
# ZFS stuff
# Global default: every share is writable unless it says otherwise.
read only = no
inherit permissions = Yes
# allow ZFS to handle inheritance
inherit acls = No
# New files and directories take the parent directory's owner rather than
# the creating user (per-share settings below repeat this).
inherit owner = Yes
force unknown acl user = No
store dos attributes = yes
map read only = no
map acl inherit = yes
# Global default module stack. A share-level "vfs objects" REPLACES this
# list rather than extending it, so "acl_xattr", "audit" and "netatalk" are
# only active on shares that set no "vfs objects" of their own - in this
# file that is only [public].
vfs objects = zfsacl acl_xattr audit netatalk
# Options consumed by the zfsacl module.
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
#============================ Share Definitions ==============================
# Share - man smb.conf for details
[public]
comment = test share
# this share resides on an UFS filesystem!
# NOTE(review): this share sets no "vfs objects", so it inherits the global
# "zfsacl acl_xattr audit netatalk" stack; if the path really is UFS, confirm
# that zfsacl behaves on it.
path = /zdata/public
# "public" is a synonym for "guest ok": sessions that authenticate as guest
# (e.g. null sessions) are accepted and run as the global "guest account"
# (nobody). Together with "writable = yes" this is an unauthenticated
# read/write drop box for every host in "hosts allow".
public = yes
writable = yes
printable = no
# Redundant while "writable = yes": "write list" only grants write access on
# a share that is otherwise read only.
write list = @"EXAMPLE-domain admins"
[apps]
comment = Folder for applications
path = /zdata/apps
# Group-gated share; the global "admin users" entries additionally act as
# root here.
valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain users"
writable = yes
printable = no
# Hide dot-files and Mac/Netatalk metadata from directory listings.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
# New entries take the parent directory's owner, so ownership does not
# record who created a file.
inherit owner = Yes
map archive = No
# Replaces (does not extend) the global vfs stack: no acl_xattr/audit/netatalk
# on this share.
vfs objects = zfsacl
[clients]
comment = Folder for Internet client software for domain admins' use
path = /zdata/clients
# NOTE(review): the comment says "domain admins' use", but all domain users
# are admitted with write access; confirm that is intended.
valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain users"
writable = yes
printable = no
# Hide dot-files and Mac/Netatalk metadata from directory listings.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
# New entries take the parent directory's owner, so ownership does not
# record who created a file.
inherit owner = Yes
map archive = No
# Replaces (does not extend) the global vfs stack: no acl_xattr/audit/netatalk
# on this share.
vfs objects = zfsacl
[downloads]
comment = Folder for downloads for domain admins' use
path = /zdata/downloads
# Domain admins only; they are also in the global "admin users" list, so all
# operations here effectively run as root.
valid users = @"EXAMPLE-domain admins"
writable = yes
printable = no
# Hide dot-files and Mac/Netatalk metadata from directory listings.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
# New entries take the parent directory's owner.
inherit owner = Yes
map archive = No
# Replaces (does not extend) the global vfs stack.
vfs objects = zfsacl
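[groups]
comment = Departmental folders
path = /zdata/groups
# Group-gated share; the global "admin users" entries additionally act as
# root here. The group token is written as @"name" - the form documented in
# smb.conf(5) and used by every other share in this file - instead of "@name".
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
# Everything created here is group read/write (0770) regardless of what the
# client asked for.
force create mode = 0770
force directory mode = 0770
# Hide dot-files and Mac/Netatalk metadata from directory listings.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
# New entries take the parent directory's owner, so ownership does not
# record who created a file.
inherit owner = Yes
map archive = No
# vfs objects = zfsacl, shadow_copy2, full_audit
# Replaces the global stack. shadow_copy2 exposes the ZFS snapshots under
# .zfs/snapshot as previous versions to everyone who can reach the share:
# content that was deleted or overwritten stays readable from older
# snapshots until the snapshot itself is destroyed.
vfs objects = zfsacl, shadow_copy2
shadow: snapdir = .zfs/snapshot
# Snapshot names are parsed with this strftime pattern, in UTC
# ("localtime = no").
shadow: format = %Y-%m-%dT%H:%M:%S
shadow: snapdirseverywhere = yes
shadow: sort = desc
shadow: localtime = no
# full_audit was tried and disabled here; it is enabled on [home] only.
# full_audit:prefix = %u|%I
# full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
# full_audit:failure = none
# full_audit:facility = LOCAL7
# full_audit:priority = ALERT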
[mac_software]
comment = repository for all Mac OSX-related software
path = /zdata/mac_software
# Three domain groups; the global "admin users" entries act as root here.
valid users = @EXAMPLE-production @"EXAMPLE-domain admins" @EXAMPLE-marketing
writable = yes
printable = no
# Everything created here is group read/write (0770) regardless of what the
# client asked for.
force create mode = 0770
force directory mode = 0770
# Hide dot-files and Mac/Netatalk metadata from directory listings.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
# New entries take the parent directory's owner.
inherit owner = Yes
map archive = No
# Replaces (does not extend) the global vfs stack.
vfs objects = zfsacl
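[ops]
comment = Folder for the old OPS files
path = /zdata/ops
# Group-gated share; the global "admin users" entries additionally act as
# root here.
valid users = @EXAMPLE-sales @"EXAMPLE-domain admins"
# "writable" is the spelling used by the other shares; "writeable" is a
# documented synonym with identical meaning.
writable = yes
# Spacing normalised to the "key = value" form used everywhere else.
printable = no
# Hide dot-files and Mac/Netatalk metadata from directory listings.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
# New entries take the parent directory's owner.
inherit owner = Yes
map archive = No
# Replaces (does not extend) the global vfs stack.
vfs objects = zfsacl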
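[payroll]
comment = Folder for sensitive payroll functions
path = /zdata/payroll
# Group-gated share. The group token is written as @"name" - the form
# documented in smb.conf(5) and used by every other share in this file -
# instead of "@name". Remember that the global "admin users" (two named
# users plus Domain Admins) operate as root on this share as well.
valid users = @EXAMPLE-payroll @"EXAMPLE-domain admins"
# Default value; listed explicitly. Hiding the share from browse lists
# would not restrict access anyway.
browseable = yes
writable = yes
printable = no
# Hide dot-files and Mac/Netatalk metadata from directory listings.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
# New entries take the parent directory's owner, so ownership does not
# record who created a file.
inherit owner = Yes
map archive = No
# Replaces (does not extend) the global vfs stack. Note that full_audit is
# only enabled on [home]; given the sensitivity of this share it is a
# natural candidate for the same audit settings.
vfs objects = zfsacl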
[perform]
comment = Folder for purchase orders using Perform software
# Subdirectory of the [apps] share path: anyone admitted to [apps] (all
# domain users) can already reach this tree through \\server\apps\PERFORM,
# so the finance-only "valid users" below does not limit access on its own.
path = /zdata/apps/PERFORM
valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
# "writeable" is a documented synonym of "writable".
writeable = yes
printable = no
# Hide dot-files and Mac/Netatalk metadata from directory listings.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
# New entries take the parent directory's owner.
inherit owner = Yes
map archive = No
# Replaces (does not extend) the global vfs stack.
vfs objects = zfsacl
[pye]
comment = Folder for year-end financial backups
path = /zdata/pye
# Group-gated share; the global "admin users" entries additionally act as
# root here.
valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
# "writeable" is a documented synonym of "writable".
writeable = yes
printable = no
# Hide dot-files and Mac/Netatalk metadata from directory listings.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
# New entries take the parent directory's owner.
inherit owner = Yes
map archive = No
# Replaces (does not extend) the global vfs stack.
vfs objects = zfsacl
[reports]
comment = Folder for CRW reports
path = /zdata/reports
# All domain users, read/write; the global "admin users" entries act as
# root here.
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
# Hide dot-files and Mac/Netatalk metadata from directory listings.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
# New entries take the parent directory's owner.
inherit owner = Yes
map archive = No
# Replaces (does not extend) the global vfs stack.
vfs objects = zfsacl
[shared]
comment = Folder for intra-company sharing
path = /zdata/shared
# All domain users, read/write; the global "admin users" entries act as
# root here.
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
# Hide dot-files and Mac/Netatalk metadata from directory listings.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
# New entries take the parent directory's owner.
inherit owner = Yes
map archive = No
# Replaces (does not extend) the global vfs stack.
vfs objects = zfsacl
[star]
comment = Folder for old Starship shipping data
path = /zdata/star
# All domain users, read/write. NOTE(review): for archival data a read-only
# share (or a "write list" limited to admins) would stop accidental or
# malicious modification; confirm write access is still needed.
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
# Hide dot-files and Mac/Netatalk metadata from directory listings.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
# New entries take the parent directory's owner.
inherit owner = Yes
map archive = No
# Replaces (does not extend) the global vfs stack.
vfs objects = zfsacl
[tm]
comment = Folder for old TeleMagic data
path = /zdata/tm
# Domain admins only (root via the global "admin users").
valid users = @"EXAMPLE-domain admins"
# Commented out: "read list" only caps users who are already admitted, so it
# would have no effect unless domain users were also added to "valid users".
# read list = @"EXAMPLE-domain users"
writable = yes
printable = no
# Hide dot-files and Mac/Netatalk metadata from directory listings.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
# New entries take the parent directory's owner.
inherit owner = Yes
map archive = No
# Replaces (does not extend) the global vfs stack.
vfs objects = zfsacl
[x-groups]
comment = Old Groups Folder for intra-company sharing
path = /zdata/x-groups
# All domain users, read/write; the global "admin users" entries act as
# root here. NOTE(review): as with [star], an "old" tree that is still
# writable by everyone is worth re-checking.
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
# Hide dot-files and Mac/Netatalk metadata from directory listings.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
# New entries take the parent directory's owner.
inherit owner = Yes
map archive = No
# Replaces (does not extend) the global vfs stack.
vfs objects = zfsacl
[profiles]
comment = Users profiles
# path = /zdata/profiles/%U
# One shared top level for all profiles (the per-user %U path above is
# commented out); the 0600/0700 masks below keep each user's subtree
# private to its creator.
path = /zdata/profiles
# guest ok = no
browseable = no
read only = no
# Force owner-only permissions on everything written here, whatever the
# client requested.
force create mode = 0600
force directory mode = 0700
create mask = 0600
directory mask = 0700
# %U is the session username the client asked for, substituted per
# connection, so each user is admitted as themselves; domain admins are
# admitted too (and act as root via the global "admin users").
valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
store dos attributes = Yes
# commenting this out for v4.8
# profile acls = yes
# Client-side caching off; the usual setting for roaming-profile shares.
csc policy = disable
# inherit permissions = Yes
# inherit owner = Yes
# delete veto files = Yes
# veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
# hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# map archive = No
# Replaces (does not extend) the global vfs stack.
vfs objects = zfsacl
# NOTE(review): with %U resolving to the connecting user's own name this
# looks like a no-op for ordinary users and for admins alike (each is
# "forced" to themselves); confirm it is intentional and not a leftover
# from the per-user path above.
force user = EXAMPLE-%U
# uncomment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
# NOTE(review): the three lines above come from the stock smb.conf template
# and describe the special [homes] section. The section below is named
# [home] (singular) with a fixed "path", so it is an ordinary share at
# \\server\home: every user lands in /zdata/home itself, not in a per-user
# directory, and the \\server\username behaviour described above does not
# apply. Renaming it to [homes] would change the share name clients use,
# so that is a deliberate decision, not a drop-in fix.
[home]
comment = Home directories for AD users
path = /zdata/home
# browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
read only = no
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only "username" can connect to \\server\username
# This might need tweaking when using external authentication schemes
## valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
# Active copy of the template line above. NOTE(review): the shares reported
# as working all use plain group lists; [profiles] and this share are the
# two that rely on %U substitution inside "valid users", so comparing a
# level-3 log of a failed connection here against one on [shared] is the
# quickest way to confirm or rule that out.
valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
# inherit permissions = Yes
# inherit owner = Yes
# Vetoed names are neither listed nor openable; "delete veto files" lets a
# directory that holds only vetoed entries still be removed.
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
# Hide dot-files, Mac/Netatalk metadata and the Windows recycle bin.
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/$RECYCLE.BIN/
# map archive = No
# map readonly = no
# Replaces the global stack. full_audit writes the listed successful
# operations to syslog LOCAL7 at ALERT, prefixed with "unixuser|clientIP";
# "failure = none" means denied attempts are NOT recorded, which is usually
# the more interesting signal.
vfs objects = zfsacl, shadow_copy2, full_audit
full_audit:prefix = %u|%I
full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = ALERT
# shadow_copy2 exposes the ZFS snapshots under .zfs/snapshot as previous
# versions to everyone admitted to the share; deleted or overwritten content
# stays readable from older snapshots until the snapshot is destroyed.
shadow: snapdir = .zfs/snapshot
# Snapshot names are parsed with this strftime pattern, in UTC
# ("localtime = no").
shadow: format = %Y-%m-%dT%H:%M:%S
shadow: snapdirseverywhere = yes
shadow: sort = desc
shadow: localtime = no
I have several other SMB servers that were upgraded to 4.8, and I am able to enumerate users and groups on all of them except this one. On this server I cannot enumerate groups, and I am mystified as to why.
Also, is the variable DSP-%U still supported? I have tried "EXAMPLE-Domain Users" in place of EXAMPLE-%U, and it doesn't work either.
Is the vfs object full_audit still supported by 4.8?
~Doug