[Samba] Building a replacement Samba4 server to replace a Samba3 system, running into file rights issues.
Howard Fleming
hfleming at moosebird.com
Sun Dec 8 18:18:06 UTC 2019
I am building a Samba4 setup to replace a Samba3 server I built for a
small non-profit school back in 2012.
It is running CentOS 6.x, Samba version 3.6.23-52.el6_10. Rather than
attempt to upgrade this system to Samba4, it makes more sense (to me at
least) to build a new server and move the data.
Currently I have 2 Samba servers running as virtual machines under KVM.
One is the AD server, the other is a member server that is running the
file shares. The KVM server and the Samba servers are all running
Debian 10, and I am using the default Debian 10 repos for the Samba
packages.
The current problem I am running into is the rights on the shares for
the users. When I create a user via ADUC and set the home directory,
it gets created as it should, but all users can see all the home
directories, including contents. I am also running into rights issues
with the shared directories.
I can join Windows 10 and 7 computers into AD without any issues, so I
am assuming I set something up wrong, either in AD or when I added the
2nd server for file services.
Config info for the 2 servers follow:
AD server
Collected config --- 2019-11-30-09:05 -----------
Hostname: srv1
DNS Domain: brec.example.org
FQDN: srv1.brec.example.org
ipaddress: 192.168.15.4
-----------
Kerberos SRV _kerberos._tcp.brec.example.org record verified ok, sample
output:
Server: 192.168.15.4
Address: 192.168.15.4#53
_kerberos._tcp.brec.example.org service = 0 100 88 srv1.brec.example.org.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.2 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
link/ether 52:54:00:0e:ca:e6 brd ff:ff:ff:ff:ff:ff
inet 192.168.15.4/24 brd 192.168.15.255 scope global enp1s0
inet6 fe80::5054:ff:fe0e:cae6/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
192.168.15.4 srv1.brec.example.org srv1
# The following lines are desirable for IPv6 capable hosts
# ::1 localhost ip6-localhost ip6-loopback
# ff02::1 ip6-allnodes
# ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
domain brec.example.org
search brec.example.org. example.org.
nameserver 192.168.15.4
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = BREC.EXAMPLE.ORG
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat files systemd
group: compat files systemd
shadow: compat files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
dns forwarder = 192.168.15.1
netbios name = SRV1
realm = BREC.EXAMPLE.ORG
server role = active directory domain controller
workgroup = BREC
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir = /home/%U
[netlogon]
path = /var/lib/samba/sysvol/brec.example.org/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii attr 1:2.4.48-4 amd64 utilities for
manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files
for Kerberos Version 5
ii krb5-locales 1.17-3 all
internationalization support for MIT Kerberos
ii krb5-user 1.17-3 amd64 basic programs to
authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64 access control
list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64 extended
attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-3 amd64 MIT Kerberos
runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3 amd64 MIT Kerberos
runtime libraries
ii libkrb5support0:amd64 1.17-3 amd64 MIT Kerberos
runtime libraries - Support library
ii libnss-winbind:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba winbind client library
ii python-samba 2:4.9.5+dfsg-5+deb10u1 amd64
Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba Virtual FileSystem plugins
ii smbclient 2:4.9.5+dfsg-5+deb10u1 amd64
command-line SMB/CIFS clients for Unix
ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64
service to resolve user and group information from Windows NT servers
-----------
Member server, for file services:
Collected config --- 2019-11-30-10:16 -----------
Hostname: srv2
DNS Domain: brec.example.org
FQDN: srv2.brec.example.org
ipaddress: 192.168.15.5
-----------
Kerberos SRV _kerberos._tcp.brec.example.org record verified ok, sample
output:
Server: 192.168.15.4
Address: 192.168.15.4#53
_kerberos._tcp.brec.example.org service = 0 100 88 srv1.brec.example.org.
Samba is running as a Unix domain member
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.2 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
link/ether 52:54:00:73:02:4b brd ff:ff:ff:ff:ff:ff
inet 192.168.15.5/24 brd 192.168.15.255 scope global enp1s0
inet6 fe80::5054:ff:fe73:24b/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
192.168.15.5 srv2.brec.example.org srv2
# The following lines are desirable for IPv6 capable hosts
# ::1 localhost ip6-localhost ip6-loopback
# ff02::1 ip6-allnodes
# ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
domain example.org
search brec.example.org. example.org.
nameserver 192.168.15.4
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = BREC.EXAMPLE.ORG
dns_lookup_realm = false
dns_lookup_kdc = true
forwardable = true
proxiable = true
; ticket_lifetime = 24h
; renew_lifetime = 7d
; ccache_type = 4
;
; Enable this one if you have a tight setup where only the user can enter the user home dir.
; You might need it with cifs mounts, nfs mounts
; ignore_k5login = true
; A note: This is not used for nfs4 but cifs uses it.
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat files systemd winbind
group: compat files systemd winbind
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
realm = BREC.EXAMPLE.ORG
workgroup = BREC
security = ADS
#
preferred master = no
domain master = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
#
idmap config * : backend = tdb
idmap config * : range = 3000-7000
#
idmap config BREC : backend = ad
idmap config BREC : schema_mode = rfc2307
idmap config BREC : range = 10000-999999
# idmap config BREC : unix_nss_info = yes # Only in Samba 4.6+
template shell = /bin/bash
template homedir = /brecdata/user/%U
# Renew the kerberos tickets
winbind refresh tickets = yes
# Enable offline logins
winbind offline logon = yes
# User uid/Gid from AD. (rfc2307)
winbind nss info = rfc2307
#
# With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
winbind use default domain = yes
# winbind trusted domains only = no
# Keep no in production, set yes when debugging, this slows down your samba.
winbind enum users = no
winbind enum groups = no
# Check depth of nested groups. ! slows down your samba if the groups depth is too much.
# Samba default is 0, I suggest a minimum of 2 in this setup, advised is 4.
winbind expand groups = 4
# User Administrator workaround, without it you are unable to set privileges
# !Note: When using the AD ID mapping back end, do not set the uidNumber attribute for the domain administrator account.
# If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails.
username map = /etc/samba/samba_usermapping
# disable usershares creating, when set empty no error log messages.
usershare path =
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#
# For Windows ACL support on member file server, enabled globaly, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
#
# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
#
######## SHARE DEFINITIONS ##################
[samba$]
# Used for Administrative things only.
browseable = yes
path = /brecdata/samba
read only = no
[profiles]
# user profiles folder
browseable = yes
path = /brecdata/samba/profiles
read only = no
acl_xattr:ignore system acl = yes
[users]
# user homedirs
browseable = yes
path = /brecdata/users
read only = no
acl_xattr:ignore system acl = yes
[staff]
# data share for domain/company
browseable = yes
path = /brecdata/staff
read only = no
[hr]
# data share for hr files
browseable = yes
path = /brecdata/hr
read only = no
[sysadmin]
# sysadmin related files
browseable = yes
path = /brecdata/sysadmin
read only = no
-----------
Running as Unix domain member and user.map detected.
Contents of /etc/samba/samba_usermapping
!root = BREC\Administrator BREC\administrator
Server Role is set to : auto
-----------
Installed packages:
ii acl 2.2.53-4 amd64 access control
list - utilities
ii attr 1:2.4.48-4 amd64 utilities for
manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files
for Kerberos Version 5
ii krb5-locales 1.17-3 all
internationalization support for MIT Kerberos
ii krb5-user 1.17-3 amd64 basic programs to
authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64 access control
list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64 extended
attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-3 amd64 MIT Kerberos
runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3 amd64 MIT Kerberos
runtime libraries
ii libkrb5support0:amd64 1.17-3 amd64 MIT Kerberos
runtime libraries - Support library
ii libnss-winbind:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba winbind client library
ii python-samba 2:4.9.5+dfsg-5+deb10u1 amd64
Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64
Samba Virtual FileSystem plugins
ii smbclient 2:4.9.5+dfsg-5+deb10u1 amd64
command-line SMB/CIFS clients for Unix
ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64
service to resolve user and group information from Windows NT servers
-----------
The intent is to manage the system using RSAT, and all client machines
will be running Windows 10 once this is done.
All user data, home directories and shared directories are on srv2,
located under /brecdata.
If you need any more info, let me know, I am sure I left something
out.... :o).
Thanks,
Howard
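An added check, not part of Howard's post or of Samba itself: on the member server the `vfs objects = acl_xattr` module enforces the Windows ACL it stores in an extended attribute, and because the [users] share sets `acl_xattr:ignore system acl = yes`, that ACL is not kept in step with the POSIX mode bits, so `ls -l` on /brecdata/users does not tell you who Samba will actually let into a home directory. The ACL can be dumped as SDDL with `samba-tool ntacl get <path> --as-sddl`. The script below parses such SDDL strings and reports any allow ACE that grants list/read access to Everyone, Authenticated Users, Domain Users or similar broad principals, which is the kind of entry that makes every home directory visible to every user. The three SDDL strings and the user names are constructed for this example (they are not output from Howard's server); the well-known SID aliases and access-right aliases are the ones defined in MS-DTYP.

```python
"""Audit SDDL strings (as printed by `samba-tool ntacl get PATH --as-sddl`)
for allow ACEs that give broad groups read access to a home directory.

Example code added for illustration; the SDDL samples below are constructed.
"""
import re

# Two-letter SDDL aliases for well-known SIDs that stand for "many accounts".
BROAD_SIDS = {
    "WD": "Everyone",
    "AU": "Authenticated Users",
    "DU": "Domain Users",
    "BU": "Builtin Users",
    "NU": "Network",
    "IU": "Interactive",
}
DOMAIN_USERS_RID = "513"  # S-1-5-21-<domain>-513 is the Domain Users group

# SDDL access-right aliases (MS-DTYP) and the mask bits they expand to.
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# FILE_LIST_DIRECTORY | GENERIC_READ | GENERIC_ALL: any of these lets the
# principal enumerate the directory or read what is in it.
READ_BITS = 0x1 | 0x80000000 | 0x10000000

# One ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(
    r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]+)\)"
)
# The DACL section: "D:" + optional control flags (e.g. PAI) + ACEs, up to "S:".
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")


def parse_rights(field: str) -> int:
    """Turn an SDDL rights field ("FA", "GRGX", "0x1200a9") into a mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask


def broad_principal(sid: str):
    """Name of the broad group this SID denotes, or None if it is a single account."""
    if sid in BROAD_SIDS:
        return BROAD_SIDS[sid]
    if sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] == DOMAIN_USERS_RID:
        return "Domain Users"
    return None


def broad_read_grants(sddl: str):
    """Return [(principal, mask, ace_flags)] for allow ACEs that grant read to a broad group.

    Deny ACEs are ignored, so a deny placed before an allow is not credited:
    the check over-reports rather than under-reports.
    """
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    findings = []
    for ace in ACE_RE.finditer(m.group(1)):
        if ace["type"] != "A":
            continue
        who = broad_principal(ace["sid"])
        mask = parse_rights(ace["rights"])
        if who and mask & READ_BITS:
            findings.append((who, mask, ace["flags"]))
    return findings


def audit(homes: dict) -> dict:
    """Map each home path to its list of broad read grants."""
    return {path: broad_read_grants(sddl) for path, sddl in homes.items()}


# Constructed samples: alice is owner-only, bob also lets Domain Users
# read, carol has an inherit-only read ACE for Everyone (applies to new files).
SAMPLE_HOMES = {
    "/brecdata/users/alice":
        "O:S-1-5-21-1-2-3-1104G:DUD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)"
        "(A;OICI;FA;;;S-1-5-21-1-2-3-1104)",
    "/brecdata/users/bob":
        "O:S-1-5-21-1-2-3-1105G:DUD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)"
        "(A;OICI;FA;;;S-1-5-21-1-2-3-1105)(A;OICI;0x1200a9;;;S-1-5-21-1-2-3-513)",
    "/brecdata/users/carol":
        "O:S-1-5-21-1-2-3-1106G:DUD:PAI(A;OICI;FA;;;SY)"
        "(A;OICI;FA;;;S-1-5-21-1-2-3-1106)(A;OICIIO;FR;;;WD)",
}

if __name__ == "__main__":
    for path, grants in audit(SAMPLE_HOMES).items():
        status = "ok" if not grants else "; ".join(
            f"{who} mask=0x{mask:x} flags={flags}" for who, mask, flags in grants)
        print(f"{path}: {status}")
```

To run it against the real share, replace the constructed dictionary with the output of `samba-tool ntacl get /brecdata/users/<name> --as-sddl` for each directory. Any home directory that reports a grant other than "ok" is readable by more than its owner as far as smbd is concerned, regardless of what the POSIX mode bits say.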