[Samba] Cannot access HOME folder after upgrading to 4.8 from 4.6

Doug Sampson dougs at dawnsign.com
Mon Sep 17 19:00:38 UTC 2018


Hello-

I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the upgrade, users cannot access the HOME folder share but they can access other shares just fine.

I am using the RID backend on this member server that connects to Windows-based domain controllers. I apologize for the lengthy smb4.conf but here it is:


#======================= Global Settings =====================================
[global]
# ---- Domain membership --------------------------------------------------
# Kerberos realm / AD domain this member server belongs to
realm = DAWNSIGN.COM
workgroup = EXAMPLE
security = ADS
# effectively always on in current Samba; kept only for compatibility
encrypt passwords = yes
server string = 
# only these networks (xxx = redacted octets) plus loopback may connect
hosts allow = 192.168.xxx. 192.168.xxx. 127.
# NOTE(review): `host` (DNS through the system resolver) is not in this list,
# and `bcast` is NetBIOS broadcast, which is switched off below — confirm
# that name resolution really is meant to rely on lmhosts alone.
name resolve order = lmhosts bcast
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
# SMB over TCP only: port 139 closed, no NetBIOS at all
smb ports = 445
disable netbios = yes

# ---- Identity mapping: RID backend (introduced here with 4.1) -----------
# EXAMPLE accounts get deterministic IDs derived from their RID; the
# default (*) tdb backend allocates IDs for everything else (BUILTIN,
# trusted domains). The two ranges must not overlap — they do not
# (1000-50000 vs 50001-60000). TODO confirm the * range also stays clear of
# local FreeBSD user/group IDs.
idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:range = 50001-60000
idmap config EXAMPLE:default = yes
idmap config *:backend = tdb
idmap config *:range = 1000-50000

# ---- winbind ------------------------------------------------------------
# domain names are written EXAMPLE-user ("-" replaces "\")
winbind separator = -
# full enumeration lets getent list the whole domain; it is costly on large
# domains and is the feature reported as broken for groups on this host
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind cache time = 10
# cached logons remain possible while no DC is reachable
winbind offline logon = yes
winbind refresh tickets = yes
kerberos method = secrets and keytab
dedicated keytab file = /usr/local/etc/krb5.keytab
# home directory and shell come from the AD RFC2307 attributes;
# `template shell` further down is the fallback
winbind nss info = rfc2307
winbind scan trusted domains = yes

# LDAP traffic to the DCs is signed and sealed (introduced here with 4.1)
client ldap sasl wrapping = seal
directory name cache size = 0

# Workaround for the repeated errors seen in log.192.168.xxx.175: winbindd
# no longer rotates the machine account password
# (https://lists.samba.org/archive/samba/2016-September/203338.html).
# Trade-off: with 0 the machine password never changes unless rotated by
# hand — worth revisiting once the underlying error is understood.
machine password timeout = 0

# ---- Member server: never act as a browse master ------------------------
preferred master = no
local master = no
domain master = no

# ---- Printing / CUPS disabled -------------------------------------------
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# ---- Logging ------------------------------------------------------------
# one log per client (%m — the client name, which shows up here as its
# IP address because NetBIOS is off)
log file = /var/log/samba4/log.%m
# 0..10; anything near 10 is far too verbose for routine use
log level = 2
#log level = 0
#debug level = 10

# ---- Performance --------------------------------------------------------
# NOTE(review): several of these (read raw, write raw, max xmit, getwd cache)
# date from the SMB1 era — run testparm to see which ones 4.8 still accepts.
strict locking = no
read raw = yes
write raw = yes
#oplocks = yes
max xmit = 65535
deadtime = 15
getwd cache = yes
max connections = 65535
max open files = 65535
use sendfile = true
# asynchronous I/O for read/write requests larger than 16 KiB
aio read size = 16384
aio write size = 16384
#aio write behind = true
min receivefile size = 16384
strict sync = no
sync always = no

# ---- Accounts -----------------------------------------------------------
# fallback shell when AD carries no loginShell (assumes bash is installed)
template shell = /bin/bash
guest account = nobody
# Because this is set in [global], every account listed here performs ALL
# file operations as root on EVERY share (see "admin users" in man
# smb.conf) — keep this list as short as possible.
admin users = EXAMPLE-user EXAMPLE-admin @"EXAMPLE-domain admins"

# ---- Defaults inherited by every share (ZFS) ----------------------------
# shares are writable unless they say otherwise
read only = no
inherit permissions = yes
# ZFS handles ACL inheritance, so Samba must not
inherit acls = no
inherit owner = yes
force unknown acl user = no
store dos attributes = yes
map read only = no
map acl inherit = yes
# Only shares without their own `vfs objects` line use this stack — in this
# file that is [public] alone; every other share overrides it.
vfs objects = zfsacl acl_xattr audit netatalk
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes

#============================ Share Definitions ==============================
# Share - man smb.conf for details

[public]
comment = test share
# this share resides on a UFS filesystem!
path = /zdata/public
# `public` is a synonym for `guest ok`: the share accepts connections without
# per-share credentials. Together with writable = yes that is an
# anonymous-writable share whenever a guest session can be established —
# `map to guest` is not set (default "Never"); confirm that is the policy.
public = yes
writable = yes
printable = no
# `write list` only matters on a read-only share; with writable = yes every
# connecting user can already write, so this line is redundant
write list = @"EXAMPLE-domain admins"
# NOTE(review): no `vfs objects` of its own, so this UFS share inherits the
# [global] stack (zfsacl acl_xattr audit netatalk) — confirm that is wanted.

[apps]
comment = Folder for applications
path = /zdata/apps
# both domain groups get read/write access
valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain users"
writable = yes
printable = no
inherit permissions = yes
inherit owner = yes
map archive = no
vfs objects = zfsacl
# macOS/Netatalk metadata is hidden; network-trash artefacts are vetoed and
# removed when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes

[clients]
comment = Folder for Internet client software for domain admins' use
path = /zdata/clients
# NOTE(review): the comment says "domain admins' use" but domain users may
# connect and write as well — confirm that is intended
valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain users"
writable = yes
printable = no
inherit permissions = yes
inherit owner = yes
map archive = no
vfs objects = zfsacl
# macOS/Netatalk metadata hidden; network-trash artefacts vetoed and removed
# when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes

[downloads]
comment = Folder for downloads for domain admins' use
path = /zdata/downloads
# domain admins only
valid users = @"EXAMPLE-domain admins"
writable = yes
printable = no
inherit permissions = yes
inherit owner = yes
map archive = no
vfs objects = zfsacl
# macOS/Netatalk metadata hidden; network-trash artefacts vetoed and removed
# when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes

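[groups]
comment = Departmental folders
path = /zdata/groups
# Group-name quoting normalised to @"..." as in every other share (it was
# "@EXAMPLE-domain users"). Samba's list tokenizer strips the quotes either
# way, so the effective group should be unchanged — confirm with
# `testparm -s` that valid users still lists both groups.
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
# group-writable, nothing for "other"
force create mode = 0770
force directory mode = 0770
inherit permissions = yes
inherit owner = yes
map archive = no
# macOS/Netatalk metadata hidden; network-trash artefacts vetoed and removed
# when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes
# ZFS ACLs plus snapshot browsing ("Previous Versions"); full_audit was
# tried on this share but is currently enabled only on [home]
vfs objects = zfsacl, shadow_copy2
# ZFS snapshots exposed as previous versions; snapshot names are UTC stamps
shadow: snapdir = .zfs/snapshot
shadow: format = %Y-%m-%dT%H:%M:%S
shadow: snapdirseverywhere = yes
shadow: sort = desc
shadow: localtime = no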

[mac_software]
comment = repository for all Mac OSX-related software
path = /zdata/mac_software
# production, marketing and domain admins
valid users = @EXAMPLE-production @"EXAMPLE-domain admins" @EXAMPLE-marketing
writable = yes
printable = no
# group-writable, nothing for "other"
force create mode = 0770
force directory mode = 0770
inherit permissions = yes
inherit owner = yes
map archive = no
vfs objects = zfsacl
# macOS/Netatalk metadata hidden; network-trash artefacts vetoed and removed
# when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes

[ops]
comment = Folder for the old OPS files
path = /zdata/ops
# sales and domain admins
valid users = @EXAMPLE-sales @"EXAMPLE-domain admins"
# `writable` is the same parameter the original spelt `writeable`
writable = yes
printable = no
inherit permissions = yes
inherit owner = yes
map archive = no
vfs objects = zfsacl
# macOS/Netatalk metadata hidden; network-trash artefacts vetoed and removed
# when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes

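[payroll]
comment = Folder for sensitive payroll functions
path = /zdata/payroll
# Group-name quoting normalised to @"..." as in every other share (it was
# "@EXAMPLE-domain admins"). Samba's list tokenizer strips the quotes either
# way, so the effective group should be unchanged — confirm with
# `testparm -s`. Note that [global] `admin users` members reach this share
# as root regardless of this list.
valid users = @EXAMPLE-payroll @"EXAMPLE-domain admins"
# listed in browse lists (this is the default; kept explicit)
browseable = yes
writable = yes
printable = no
inherit permissions = yes
inherit owner = yes
map archive = no
vfs objects = zfsacl
# macOS/Netatalk metadata hidden; network-trash artefacts vetoed and removed
# when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes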

[perform]
comment = Folder for purchase orders using Perform software
# NOTE(review): this directory lies inside the [apps] share (/zdata/apps),
# which "EXAMPLE-domain users" can write to. `valid users` is only a
# share-level check, so unless the filesystem ACLs on PERFORM exclude domain
# users, the same files are reachable through \\server\apps\PERFORM.
path = /zdata/apps/PERFORM
# finance and domain admins
valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
# `writable` is the same parameter the original spelt `writeable`
writable = yes
printable = no
inherit permissions = yes
inherit owner = yes
map archive = no
vfs objects = zfsacl
# macOS/Netatalk metadata hidden; network-trash artefacts vetoed and removed
# when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes

[pye]
comment = Folder for year-end financial backups
path = /zdata/pye
# finance and domain admins
valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
# `writable` is the same parameter the original spelt `writeable`
writable = yes
printable = no
inherit permissions = yes
inherit owner = yes
map archive = no
vfs objects = zfsacl
# macOS/Netatalk metadata hidden; network-trash artefacts vetoed and removed
# when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes

[reports]
comment = Folder for CRW reports
path = /zdata/reports
# all domain users plus domain admins
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
inherit permissions = yes
inherit owner = yes
map archive = no
vfs objects = zfsacl
# macOS/Netatalk metadata hidden; network-trash artefacts vetoed and removed
# when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes

[shared]
comment = Folder for intra-company sharing
path = /zdata/shared
# all domain users plus domain admins
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
inherit permissions = yes
inherit owner = yes
map archive = no
vfs objects = zfsacl
# macOS/Netatalk metadata hidden; network-trash artefacts vetoed and removed
# when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes

[star]
comment = Folder for old Starship shipping data
path = /zdata/star
# all domain users plus domain admins
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
inherit permissions = yes
inherit owner = yes
map archive = no
vfs objects = zfsacl
# macOS/Netatalk metadata hidden; network-trash artefacts vetoed and removed
# when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes

[tm]
comment = Folder for old TeleMagic data
path = /zdata/tm
# domain admins only; the read-only grant to domain users below is disabled
valid users = @"EXAMPLE-domain admins"
#   read list = @"EXAMPLE-domain users"
writable = yes
printable = no
inherit permissions = yes
inherit owner = yes
map archive = no
vfs objects = zfsacl
# macOS/Netatalk metadata hidden; network-trash artefacts vetoed and removed
# when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes

[x-groups]
comment = Old Groups Folder for intra-company sharing
path = /zdata/x-groups
# all domain users plus domain admins
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
inherit permissions = yes
inherit owner = yes
map archive = no
vfs objects = zfsacl
# macOS/Netatalk metadata hidden; network-trash artefacts vetoed and removed
# when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes

[profiles]
comment = Users profiles
# one directory for every user's profile (the per-user /zdata/profiles/%U
# variant is not used); isolation between users therefore relies on
# `valid users` matching the connecting account plus the 0600/0700 masks
path = /zdata/profiles
browseable = no
read only = no
# only the connecting user's own winbind name (EXAMPLE-%U, "-" being the
# winbind separator) and domain admins may connect
valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
# every file operation on this share runs as the connecting user's mapped
# account (members of [global] `admin users` still operate as root)
force user = EXAMPLE-%U
# new files/directories are private to their owner
create mask = 0600
directory mask = 0700
force create mode = 0600
force directory mode = 0700
store dos attributes = yes
# offline files / client-side caching disabled for profiles
csc policy = disable
vfs objects = zfsacl
# profile acls was switched off for the move to 4.8; the inherit/veto/hide
# settings used on the other shares are deliberately not applied here
#   profile acls = yes


# Home directories. NOTE(review): this is an ordinary share named [home]
# with a fixed path, not Samba's special [homes] share — every user connects
# to the same /zdata/home and nothing here creates a per-user
# \\server\username share. The stock [homes] template comments that used
# to sit in this section described behaviour this share does not have.

[home]
comment = Home directories for AD users
path = /zdata/home
read only = no
# new files/directories are private to their owner
create mask = 0700
directory mask = 0700
# only the connecting user (EXAMPLE-%U, "-" being the winbind separator)
# and domain admins may connect. NOTE(review): %U is the session username
# as the client presented it; if a 4.8 session presents it differently
# (for example domain-qualified or in another case), EXAMPLE-%U no longer
# matches — compare the name in log.%m with what winbind returns.
valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
#   browseable = no
#   inherit permissions = Yes
#   inherit owner = Yes
#   map archive = No
#   map readonly = no
# macOS/Netatalk metadata and $RECYCLE.BIN hidden; network-trash artefacts
# vetoed and removed when their parent directory is deleted
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/$RECYCLE.BIN/
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
delete veto files = yes
# ZFS ACLs, snapshot browsing ("Previous Versions") and an audit trail
vfs objects = zfsacl, shadow_copy2, full_audit
# successful modifying operations (no reads) go to syslog LOCAL7 at ALERT,
# each record prefixed with unix-user|client-address. failure = none means
# denied attempts are NOT recorded — decide whether that is acceptable for
# home directories.
full_audit:prefix = %u|%I
full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = ALERT
# ZFS snapshots exposed as previous versions; snapshot names are UTC stamps
shadow: snapdir = .zfs/snapshot
shadow: format = %Y-%m-%dT%H:%M:%S
shadow: snapdirseverywhere = yes
shadow: sort = desc
shadow: localtime = no


I have several other SMB servers that were upgraded to 4.8, and I am able to enumerate users and groups on all of them except this one. On this server I cannot enumerate groups, and I am mystified as to why.

Also, is the variable DSP-%U still supported? I have tried "EXAMPLE-Domain Users" in place of EXAMPLE-%U, but it doesn't work.

Is the vfs object full_audit still supported by 4.8?

~Doug






