[Samba] Cannot access HOME folder after upgrading to 4.8 from 4.6

Rowland Penny rpenny at samba.org
Mon Sep 17 19:49:54 UTC 2018


On Mon, 17 Sep 2018 19:00:38 +0000
Doug Sampson via samba <samba at lists.samba.org> wrote:

> Hello-
> 
> I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the
> upgrade, users cannot access the HOME folder share but they can
> access other shares just fine.
> 
> I am using the RID backend on this member server that connects to
> Windows-based domain controllers. I apologize for the lengthy
> smb4.conf but here it is:
> 
> 
> #======================= Global Settings =====================================
> [global]
> # This would be your AD Domain (kerberos realm)
> realm = DAWNSIGN.COM
> security = ADS
> encrypt passwords = yes
> workgroup = EXAMPLE
> server string = 
> hosts allow = 192.168.xxx. 192.168.xxx. 127.
> name resolve order = lmhosts bcast
> 
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
> 
> # Uncomment this if you want 139 open, but why would you? We're doing SMB over
> # TCP only. No NetBIOS here
> smb ports = 445
> disable netbios = Yes
> 
> # ver 4.1 - RID backend
> idmap config EXAMPLE:range = 50001-60000
> idmap config EXAMPLE:default = yes 
> idmap config EXAMPLE:backend = rid 
> idmap config *:range = 1000-50000
> idmap config *:backend = tdb
> 
> winbind separator = -
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes
> winbind cache time = 10
> winbind offline logon = yes
> winbind refresh tickets = yes 
> kerberos method = secrets and keytab
> dedicated keytab file = /usr/local/etc/krb5.keytab
> 
> winbind nss info = rfc2307
> winbind scan trusted domains = yes
> 
> # ver 4.1
> client ldap sasl wrapping = seal
> directory name cache size = 0
> 
> # workaround to constant error messages in log.192.168.xxx.175
> # prevent winbindd from changing machine password
> # https://lists.samba.org/archive/samba/2016-September/203338.html
> machine password timeout = 0
> 
> #################
> ### Member Server
> #################
> # Browser settings
> preferred master = no
> local master = no
> domain master = no
> 
> #= Disable Printing/Cups =============
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> 
> # Change this to where you want the samba log
> log file = /var/log/samba4/log.%m
> # Debug goes from 1 to 10 * 10 way too much info for me to understand ;)
> #debug level = 10
> log level = 2
> #log level = 0 
> 
> 
> # Settings to enhance performance:
> strict locking = no
> read raw = yes
> write raw = yes
> #oplocks = yes
> max xmit = 65535
> deadtime = 15
> getwd cache = yes
> max connections = 65535
> max open files = 65535
> 
> use sendfile = true 
> aio read size = 16384
> # Use asynchronous I/O for reads bigger than 16KB request size
> aio write size = 16384           
> # Use asynchronous I/O for writes bigger than 16KB request size
> #aio write behind = true
> min receivefile size = 16384
> strict sync = no
> sync always = no
> # End of performance section
> 	
> #assuming you installed bash - change as needed
> template shell = /bin/bash
> guest account = nobody 
> 
> admin users = EXAMPLE-user EXAMPLE-admin @"EXAMPLE-domain admins"
> 
> # ZFS stuff
> read only = no
> inherit permissions = Yes
> # allow ZFS to handle inheritance
> inherit acls = No
> inherit owner = Yes
> force unknown acl user = No
> store dos attributes = yes
> map read only = no
> map acl inherit = yes
>  
> vfs objects  = zfsacl acl_xattr audit netatalk
> nfs4:mode    = special
> nfs4:acedup  = merge
> nfs4:chown   = yes
> 
> #============================ Share Definitions ==============================
> # Share - man smb.conf for details
> 
> [public]
>    comment = test share
> #	this share resides on an UFS filesystem!
>    path = /zdata/public
>    public = yes
>    writable = yes
>    printable = no
>    write list = @"EXAMPLE-domain admins"
> 
> [apps]
>    comment = Folder for applications
>    path = /zdata/apps
>    valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain users"
>    writable = yes
>    printable = no
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    inherit permissions = Yes
>    inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [clients]
>    comment = Folder for Internet client software for domain admins' use
>    path = /zdata/clients
>    valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain users"
>    writable = yes
>    printable = no
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    inherit permissions = Yes
>    inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [downloads]
>    comment = Folder for downloads for domain admins' use
>    path = /zdata/downloads
>    valid users = @"EXAMPLE-domain admins"
>    writable = yes
>    printable = no
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    inherit permissions = Yes
>    inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [groups]
>    comment = Departmental folders
>    path = /zdata/groups
>    valid users = "@EXAMPLE-domain users" @"EXAMPLE-domain admins"
>    writable = yes
>    printable = no
>    force create mode = 0770
>    force directory mode = 0770
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
>    delete veto files = yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    inherit permissions = Yes
>    inherit owner = Yes
>    map archive = No
> #   vfs objects = zfsacl, shadow_copy2, full_audit
>    vfs objects = zfsacl, shadow_copy2
>    shadow: snapdir = .zfs/snapshot
>    shadow: format = %Y-%m-%dT%H:%M:%S
>    shadow: snapdirseverywhere = yes 
>    shadow: sort = desc
>    shadow: localtime = no
> #   full_audit:prefix = %u|%I
> #   full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
> #   full_audit:failure = none
> #   full_audit:facility = LOCAL7
> #   full_audit:priority = ALERT
> 
> [mac_software]
>    comment = repository for all Mac OSX-related software
>    path = /zdata/mac_software
>    valid users = @EXAMPLE-production @"EXAMPLE-domain admins" @EXAMPLE-marketing
>    writable = yes
>    printable = no
>    force create mode = 0770
>    force directory mode = 0770
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
>    delete veto files = yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    inherit permissions = Yes
>    inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [ops]
>    comment = Folder for the old OPS files
>    path = /zdata/ops
>    valid users = @EXAMPLE-sales @"EXAMPLE-domain admins"
>    writeable = yes
>    printable =no
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    inherit permissions = Yes
>    inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [payroll]
>    comment = Folder for sensitive payroll functions
>    path = /zdata/payroll
>    valid users = @EXAMPLE-payroll "@EXAMPLE-domain admins"
>    browseable = yes
>    writable = yes
>    printable = no
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    inherit permissions = Yes
>    inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [perform]
>    comment = Folder for purchase orders using Perform software
>    path = /zdata/apps/PERFORM
>    valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
>    writeable = yes
>    printable = no
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    inherit permissions = Yes
>    inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [pye]
>    comment = Folder for year-end financial backups
>    path = /zdata/pye
>    valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
>    writeable = yes
>    printable = no
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    inherit permissions = Yes
>    inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [reports]
>    comment = Folder for CRW reports
>    path = /zdata/reports
>    valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
>    writable = yes
>    printable = no
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    inherit permissions = Yes
>    inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [shared]
>    comment = Folder for intra-company sharing
>    path = /zdata/shared
>    valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
>    writable = yes
>    printable = no
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    inherit permissions = Yes
>    inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [star]
>    comment = Folder for old Starship shipping data
>    path = /zdata/star
>    valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
>    writable = yes
>    printable = no
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    inherit permissions = Yes
>    inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [tm]
>    comment = Folder for old TeleMagic data
>    path = /zdata/tm
>    valid users = @"EXAMPLE-domain admins"
> #   read list = @"EXAMPLE-domain users"
>    writable = yes
>    printable = no
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    inherit permissions = Yes
>    inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [x-groups]
>    comment = Old Groups Folder for intra-company sharing
>    path = /zdata/x-groups
>    valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
>    writable = yes
>    printable = no
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    inherit permissions = Yes
>    inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [profiles]
>    comment = Users profiles
> #   path = /zdata/profiles/%U
>    path = /zdata/profiles
> #   guest ok = no
>    browseable = no
>    read only = no
>    force create mode = 0600
>    force directory mode = 0700
>    create mask = 0600
>    directory mask = 0700
>    valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
>    store dos attributes = Yes
> # commenting this out for v4.8
> #   profile acls = yes
>    csc policy = disable
> #   inherit permissions = Yes
> #   inherit owner = Yes
> #   delete veto files = Yes
> #   veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> #   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> #   map archive = No
>    vfs objects = zfsacl
>    force user = EXAMPLE-%U
> 
> 
> # uncomment the following (and tweak the other settings below to suit)
> # to enable the default home directory shares. This will share each
> # user's home directory as \\server\username
> 
> [home]
>    comment = Home directories for AD users
>    path = /zdata/home
> #   browseable = no
> # By default, the home directories are exported read-only. Change the
> # next parameter to 'no' if you want to be able to write to them.
>    read only = no   
> # File creation mask is set to 0700 for security reasons. If you want to
> # create files with group=rw permissions, set next parameter to 0775.
>    create mask = 0700
> # Directory creation mask is set to 0700 for security reasons. If you want to
> # create dirs. with group=rw permissions, set next parameter to 0775.
>    directory mask = 0700
> # By default, \\server\username shares can be connected to by anyone
> # with access to the samba server. Un-comment the following parameter
> # to make sure that only "username" can connect to \\server\username
> # This might need tweaking when using external authentication schemes
> ##   valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
>    valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> #   inherit permissions = Yes
> #   inherit owner = Yes
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/$RECYCLE.BIN/
> #   map archive = No
> #   map readonly = no
>    vfs objects = zfsacl, shadow_copy2, full_audit
>    full_audit:prefix = %u|%I
>    full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
>    full_audit:failure = none
>    full_audit:facility = LOCAL7
>    full_audit:priority = ALERT
>    shadow: snapdir = .zfs/snapshot
>    shadow: format = %Y-%m-%dT%H:%M:%S
>    shadow: snapdirseverywhere = yes 
>    shadow: sort = desc
>    shadow: localtime = no
> 
> 
> 
> I have several other SMB servers that were upgraded to 4.8 and I am
> able to enumerate users and groups on all of these servers except
> this one. I cannot enumerate groups and I am mystified as to why I
> cannot.

Why do you feel you need to enumerate groups ?
What do you get from enumerating groups ?
I take it that 'getent group agroup' works

Having said all that, there have been changes that may be causing your
problem, a user needs to be logged in before full group membership is
shown. 

> 
> Also is the variable DSP-%U still supported? I have tried
> "EXAMPLE-Domain Users" in place of EXAMPLE-%U. It doesn't work.

It wouldn't ;-)
The 'U' is short for Username and Domain Users isn't a user.
You could try '%G'

> 
> Is the vfs object full_audit still supported by 4.8?

Yes

Rowland
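As an added example (not code from this thread and not Samba's own code), the following Python checker parses an smb.conf in the shape posted above, verifies that the RID and default idmap ranges do not overlap, and evaluates `valid users` for a constructed session. It shows the point made in the reply: a group name written as a bare entry (`"EXAMPLE-Domain Users"`) is compared as a user name and never admits anyone, whereas `EXAMPLE-%U` and a group entry built from `%G` do. The sample config, the session, and the share names `[broken]` and `[grouphome]` are constructed; the model that `%U` is the short user name, that `%G` is the winbind-qualified primary group, and that the session user is compared as `DOMAIN<winbind separator>user` is an assumption of this example, not a statement about Samba internals.

```python
"""Offline checker for two questions raised in the thread: do the idmap
ranges overlap, and which 'valid users' entries actually admit a session?
Added example; the session model is a simplification, not Samba's code."""
import re
import shlex

# Constructed sample, trimmed from the smb4.conf posted above (names fictional).
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = ADS
   winbind separator = -
   idmap config * : backend = tdb
   idmap config * : range = 1000-50000
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 50001-60000

[home]
   path = /zdata/home
   valid users = EXAMPLE-%U @"EXAMPLE-domain admins"

[broken]
   path = /zdata/broken
   # a group name written as a user entry: it can never match a session user
   valid users = "EXAMPLE-Domain Users"

[grouphome]
   path = /zdata/grouphome
   valid users = @%G
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}. Parameter names are lower-cased with
    whitespace collapsed; 'name : option' parametric keys become 'name:option'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf[section] = {}
            continue
        if section is None or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
        conf[section][key] = val.strip()
    return conf

def idmap_ranges(conf):
    """{domain: (low, high)} from every 'idmap config DOM:range' in [global]."""
    ranges = {}
    for key, val in conf.get("global", {}).items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            low, high = (int(x) for x in re.split(r"\s*-\s*", val))
            ranges[m.group(1)] = (low, high)
    return ranges

def overlapping_ranges(ranges):
    """Pairs of domains whose ranges intersect. Overlapping ranges are a
    misconfiguration: two different SIDs could map to the same UID/GID."""
    doms = sorted(ranges)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def split_list(value):
    """Split an smb.conf list on whitespace or commas, honouring double quotes,
    so @"EXAMPLE-domain admins" stays one entry."""
    return shlex.split(value.replace(",", " "))

def expand(entry, session):
    """Assumed model of %U / %G: %U is the short user name the client sent,
    %G the winbind name of that user's primary group."""
    return entry.replace("%U", session["user"]).replace("%G", session["primary_group"])

def allowed(valid_users, session, sep="\\"):
    """Evaluate a 'valid users' value for a session. A bare entry is a USER
    name (compared to DOMAIN<sep>user); '@name' ('+', '&' likewise) is a GROUP
    name. Comparisons are case-insensitive."""
    full_user = f"{session['domain']}{sep}{session['user']}".lower()
    groups = {g.lower() for g in session["groups"]}
    for entry in split_list(valid_users):
        entry = expand(entry, session)
        if entry[:1] in ("@", "+", "&"):
            if entry[1:].lower() in groups:
                return True
        elif entry.lower() == full_user:
            return True
    return False

def report(conf, session):
    """Which shares admit this session, and do any idmap ranges collide?"""
    sep = conf.get("global", {}).get("winbind separator", "\\")
    shares = {name: allowed(params["valid users"], session, sep)
              for name, params in conf.items()
              if name != "global" and "valid users" in params}
    return {"overlaps": overlapping_ranges(idmap_ranges(conf)), "shares": shares}

# Constructed session: an ordinary domain user who is not a domain admin.
SESSION = {"domain": "EXAMPLE", "user": "jdoe",
           "primary_group": "EXAMPLE-domain users",
           "groups": ["EXAMPLE-domain users"]}

if __name__ == "__main__":
    print(report(parse_smb_conf(SAMPLE_SMB_CONF), SESSION))
```

Running it reports no idmap overlap for the posted ranges (1000-50000 and 50001-60000 are disjoint) and admits `jdoe` to `[home]` and `[grouphome]` but not to `[broken]`, which is the behaviour the reply describes for `"EXAMPLE-Domain Users"` in place of `EXAMPLE-%U`.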


