[Samba] Cannot access HOME folder after upgrading to 4.8 from 4.6
Rowland Penny
rpenny at samba.org
Mon Sep 17 19:49:54 UTC 2018
On Mon, 17 Sep 2018 19:00:38 +0000
Doug Sampson via samba <samba at lists.samba.org> wrote:
> Hello-
>
> I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the
> upgrade, users cannot access the HOME folder share but they can
> access other shares just fine.
>
> I am using the RID backend on this member server that connects to
> Windows-based domain controllers. I apologize for the lengthy
> smb4.conf but here it is:
>
>
> #======================= Global Settings =====================================
> [global]
> # This would be your AD Domain (kerberos realm)
> realm = DAWNSIGN.COM
> security = ADS
> encrypt passwords = yes
> workgroup = EXAMPLE
> server string =
> hosts allow = 192.168.xxx. 192.168.xxx. 127.
> name resolve order = lmhosts bcast
>
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>
> # Uncomment this if you want 139 open, but why would you? We're doing SMB over
> # TCP only. No NetBIOS here
> smb ports = 445
> disable netbios = Yes
>
> # ver 4.1 - RID backend
> idmap config EXAMPLE:range = 50001-60000
> idmap config EXAMPLE:default = yes
> idmap config EXAMPLE:backend = rid
> idmap config *:range = 1000-50000
> idmap config *:backend = tdb
>
> winbind separator = -
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes
> winbind cache time = 10
> winbind offline logon = yes
> winbind refresh tickets = yes
> kerberos method = secrets and keytab
> dedicated keytab file = /usr/local/etc/krb5.keytab
>
> winbind nss info = rfc2307
> winbind scan trusted domains = yes
>
> # ver 4.1
> client ldap sasl wrapping = seal
> directory name cache size = 0
>
> # workaround to constant error messages in log.192.168.xxx.175
> # prevent winbindd from changing machine password
> # https://lists.samba.org/archive/samba/2016-September/203338.html
> machine password timeout = 0
>
> #################
> ### Member Server
> #################
> # Browser settings
> preferred master = no
> local master = no
> domain master = no
>
> #= Disable Printing/Cups =============
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # Change this to where you want the samba log
> log file = /var/log/samba4/log.%m
> # Debug goes from 1 to 10 * 10 way too much info for me to understand ;)
> #debug level = 10
> log level = 2
> #log level = 0
>
>
> # Settings to enhance performance:
> strict locking = no
> read raw = yes
> write raw = yes
> #oplocks = yes
> max xmit = 65535
> deadtime = 15
> getwd cache = yes
> max connections = 65535
> max open files = 65535
>
> use sendfile = true
> aio read size = 16384
> # Use asynchronous I/O for reads bigger than 16KB request size
> aio write size = 16384
> # Use asynchronous I/O for writes bigger than 16KB request size
> #aio write behind = true
> min receivefile size = 16384
> strict sync = no
> sync always = no
> # End of performance section
>
> #assuming you installed bash - change as needed
> template shell = /bin/bash
> guest account = nobody
>
> admin users = EXAMPLE-user EXAMPLE-admin @"EXAMPLE-domain admins"
>
> # ZFS stuff
> read only = no
> inherit permissions = Yes
> # allow ZFS to handle inheritance
> inherit acls = No
> inherit owner = Yes
> force unknown acl user = No
> store dos attributes = yes
> map read only = no
> map acl inherit = yes
>
> vfs objects = zfsacl acl_xattr audit netatalk
> nfs4:mode = special
> nfs4:acedup = merge
> nfs4:chown = yes
>
> #============================ Share Definitions ==============================
> # Share - man smb.conf for details
>
> [public]
> comment = test share
> # this share resides on an UFS filesystem!
> path = /zdata/public
> public = yes
> writable = yes
> printable = no
> write list = @"EXAMPLE-domain admins"
>
> [apps]
> comment = Folder for applications
> path = /zdata/apps
> valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain users"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [clients]
> comment = Folder for Internet client software for domain admins' use
> path = /zdata/clients
> valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain users"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [downloads]
> comment = Folder for downloads for domain admins' use
> path = /zdata/downloads
> valid users = @"EXAMPLE-domain admins"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [groups]
> comment = Departmental folders
> path = /zdata/groups
> valid users = "@EXAMPLE-domain users" @"EXAMPLE-domain admins"
> writable = yes
> printable = no
> force create mode = 0770
> force directory mode = 0770
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> # vfs objects = zfsacl, shadow_copy2, full_audit
> vfs objects = zfsacl, shadow_copy2
> shadow: snapdir = .zfs/snapshot
> shadow: format = %Y-%m-%dT%H:%M:%S
> shadow: snapdirseverywhere = yes
> shadow: sort = desc
> shadow: localtime = no
> # full_audit:prefix = %u|%I
> # full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
> # full_audit:failure = none
> # full_audit:facility = LOCAL7
> # full_audit:priority = ALERT
>
> [mac_software]
> comment = repository for all Mac OSX-related software
> path = /zdata/mac_software
> valid users = @EXAMPLE-production @"EXAMPLE-domain admins" @EXAMPLE-marketing
> writable = yes
> printable = no
> force create mode = 0770
> force directory mode = 0770
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [ops]
> comment = Folder for the old OPS files
> path = /zdata/ops
> valid users = @EXAMPLE-sales @"EXAMPLE-domain admins"
> writeable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [payroll]
> comment = Folder for sensitive payroll functions
> path = /zdata/payroll
> valid users = @EXAMPLE-payroll "@EXAMPLE-domain admins"
> browseable = yes
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [perform]
> comment = Folder for purchase orders using Perform software
> path = /zdata/apps/PERFORM
> valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
> writeable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [pye]
> comment = Folder for year-end financial backups
> path = /zdata/pye
> valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
> writeable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [reports]
> comment = Folder for CRW reports
> path = /zdata/reports
> valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [shared]
> comment = Folder for intra-company sharing
> path = /zdata/shared
> valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [star]
> comment = Folder for old Starship shipping data
> path = /zdata/star
> valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [tm]
> comment = Folder for old TeleMagic data
> path = /zdata/tm
> valid users = @"EXAMPLE-domain admins"
> # read list = @"EXAMPLE-domain users"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [x-groups]
> comment = Old Groups Folder for intra-company sharing
> path = /zdata/x-groups
> valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [profiles]
> comment = Users profiles
> # path = /zdata/profiles/%U
> path = /zdata/profiles
> # guest ok = no
> browseable = no
> read only = no
> force create mode = 0600
> force directory mode = 0700
> create mask = 0600
> directory mask = 0700
> valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> store dos attributes = Yes
> # commenting this out for v4.8
> # profile acls = yes
> csc policy = disable
> # inherit permissions = Yes
> # inherit owner = Yes
> # delete veto files = Yes
> # veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> # hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> # map archive = No
> vfs objects = zfsacl
> force user = EXAMPLE-%U
>
>
> # uncomment the following (and tweak the other settings below to suit)
> # to enable the default home directory shares. This will share each
> # user's home directory as \\server\username
>
> [home]
> comment = Home directories for AD users
> path = /zdata/home
> # browseable = no
> # By default, the home directories are exported read-only. Change the
> # next parameter to 'no' if you want to be able to write to them.
> read only = no
> # File creation mask is set to 0700 for security reasons. If you want to
> # create files with group=rw permissions, set next parameter to 0775.
> create mask = 0700
> # Directory creation mask is set to 0700 for security reasons. If you want to
> # create dirs. with group=rw permissions, set next parameter to 0775.
> directory mask = 0700
> # By default, \\server\username shares can be connected to by anyone
> # with access to the samba server. Un-comment the following parameter
> # to make sure that only "username" can connect to \\server\username
> # This might need tweaking when using external authentication schemes
> ## valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> # inherit permissions = Yes
> # inherit owner = Yes
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/$RECYCLE.BIN/
> # map archive = No
> # map readonly = no
> vfs objects = zfsacl, shadow_copy2, full_audit
> full_audit:prefix = %u|%I
> full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
> full_audit:failure = none
> full_audit:facility = LOCAL7
> full_audit:priority = ALERT
> shadow: snapdir = .zfs/snapshot
> shadow: format = %Y-%m-%dT%H:%M:%S
> shadow: snapdirseverywhere = yes
> shadow: sort = desc
> shadow: localtime = no
>
>
>
> I have several other SMB servers that were upgraded to 4.8 and I am
> able to enumerate users and groups on all of these servers except
> this one. I cannot enumerate groups and I am mystified as to why I
> cannot.
Why do you feel you need to enumerate groups?
What do you get from enumerating groups?
I take it that 'getent group agroup' works
Having said all that, there have been changes that may be causing your
problem, a user needs to be logged in before full group membership is
shown.
>
> Also is the variable DSP-%U still supported? I have tried
> "EXAMPLE-Domain Users" in place of EXAMPLE-%U. It doesn't work.
It wouldn't ;-)
The 'U' is short for Username and Domain Users isn't a user.
You could try '%G'
>
> Is the vfs object full_audit still supported by 4.8?
Yes
Rowland
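A worked illustration of how the `idmap config EXAMPLE:backend = rid` lines in the quoted smb4.conf turn a domain SID into a Unix uid/gid, which is the first thing to check when one member server maps users differently from its siblings. This is an added example, not code from the original thread or from Samba; it implements the formula documented in idmap_rid(8), `ID = RID - BASE_RID + LOW_RANGE_ID`, and applies the configured range check. The domain SID and the sample SIDs are constructed placeholders, and the `*` default domain is only reported as "allocated by tdb" because tdb IDs are assigned on first use rather than computed.

```python
"""idmap_rid mapping calculator for the [global] idmap lines quoted above.

Added example (not from the post or from Samba). The mapping rule is the one
in idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID, valid only inside the
configured range. Sample SIDs below are constructed placeholders.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed: the idmap lines from the quoted smb4.conf.
IDMAP_CONF = """
idmap config EXAMPLE:range = 50001-60000
idmap config EXAMPLE:default = yes
idmap config EXAMPLE:backend = rid
idmap config *:range = 1000-50000
idmap config *:backend = tdb
"""

# Constructed placeholder domain SID (a real one is S-1-5-21-<three numbers>).
DOMAIN_SIDS = {"EXAMPLE": "S-1-5-21-1111111111-2222222222-3333333333"}

_LINE = re.compile(r"^\s*idmap config\s+(\S+?):(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} from 'idmap config DOM:opt = val' lines."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = _LINE.match(line)
        if m:
            dom, opt, val = m.groups()
            out.setdefault(dom.upper(), {})[opt.lower()] = val
    return out


def rid_to_id(rid: int, cfg: Dict[str, str]) -> Optional[int]:
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; None when outside the range.

    An out-of-range RID is exactly the case where winbind cannot map the
    account and a share that depends on that user or group stops working.
    """
    low, high = (int(x) for x in cfg["range"].split("-"))
    base_rid = int(cfg.get("base_rid", 0))  # idmap_rid default is 0
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def sid_to_id(sid: str, idmap: Dict[str, Dict[str, str]],
              domain_sids: Dict[str, str]) -> Tuple[str, object]:
    """Map a SID to (domain, unix id) using the rid backend for known domains.

    SIDs that belong to no configured rid domain (BUILTIN, well-known SIDs)
    fall through to the '*' default backend, which here is tdb: those IDs are
    allocated on first use, so they cannot be computed ahead of time.
    """
    for dom, dom_sid in domain_sids.items():
        if sid.startswith(dom_sid + "-"):
            cfg = idmap.get(dom.upper(), {})
            if cfg.get("backend", "").lower() == "rid":
                rid = int(sid.rsplit("-", 1)[1])
                return dom, rid_to_id(rid, cfg)
    return "*", "allocated-by-" + idmap["*"]["backend"]


if __name__ == "__main__":
    idmap = parse_idmap(IDMAP_CONF)
    dom_sid = DOMAIN_SIDS["EXAMPLE"]
    for label, sid in [("Domain Users (RID 513)", dom_sid + "-513"),
                       ("ordinary user (RID 1106)", dom_sid + "-1106"),
                       ("RID beyond range (10000)", dom_sid + "-10000"),
                       ("BUILTIN\\Administrators", "S-1-5-32-544")]:
        print(f"{label:28s} -> {sid_to_id(sid, idmap, DOMAIN_SIDS)}")
```

With the quoted range of 50001-60000, a domain RID above 9999 has no mapping at all; comparing the output of this calculation with what `wbinfo -S`/`wbinfo --sid-to-uid` reports on the affected server shows quickly whether the problem is in idmap or elsewhere.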