[Samba] Building a replacement Samba4 server to replace a Samba3 system, running into file rights issues.
Howard Fleming
hfleming at moosebird.com
Sat Dec 14 20:00:35 UTC 2019
On 2019-12-08 15:01, Rowland penny via samba wrote:
> On 08/12/2019 18:18, Howard Fleming via samba wrote:
>> I am building a Samba4 setup to replace a Samba3 server I built for a
>> small non-profit school back in 2012.
>>
>> It is running CentOS 6.x, samba version 3.6.23-52.el6_10. Rather
>> than attempt to upgrade this system to Samba4, it makes more sense
>> (to me at least) to build a new server and move the data.
> Good plan, at least you start without any bad ideas from an NT4-style
> domain
Thanks!
>>
>> Currently I have 2 samba servers running as virtual machines under
>> kvm. One is the AD server, the other is a member server that is
>> running the file shares. The kvm server and the samba servers are
>> all running Debian 10, and I am using the default Debian 10 repos for
>> the samba packages.
>>
>> The current problem I am running into is the rights on the shares
>> for the users. When I create a user via aduc and set the home
>> directory, it gets created as it should, but all users can see all
>> the home directories, including contents. I am also running into
>> rights issues with the shared directories.
>
> How are the users' home directories being created, are you using
> pam_mkhomedir?
>
> If so, this could be your problem.
Not that I am aware of, how would I check?
User directories are created by right-clicking on the user id in aduc,
selecting Properties, and setting the home directory to \\srv\users\<username>
>
>>
>> I can join Windows 10 and 7 computers into AD without any issues, so
>> I am assuming I set something up wrong, either in AD or when I added
>> the 2nd server for file services.
>
> Just a few notes on your files:
>
> I would remove example.com from the search line in the
> /etc/resolv.conf files
>
> You do not need the template lines in the DC smb.conf, you are not
> allowing anyone to log in.
>
> I would also install the libpam-krb5 package on both machines
>
> On the Member server, you have commented out 'idmap config BREC :
> unix_nss_info = yes' which is correct for your version of Samba, but
> you have 'winbind nss info = rfc2307' which is wrong for your Samba
> version.
> You also have:
> template shell = /bin/bash
> template homedir = /brecdata/user/%U
>
> Which means that you are not using the RFC2307 attributes in AD, so
> you don't need 'idmap config BREC : unix_nss_info = yes' anyway
>
> You do not need to set 'browseable = yes' on the shares, it is the default
>
> It might help if you read this:
>
> https://wiki.samba.org/index.php/User_Home_Folders
>
> Rowland
I did read User_Home_Folders, but it is not helping me to resolve the
issue.
I made the above changes and I am still having issues with home
directories, but a different issue now.
When I create a user (user1) using aduc and, once created, right-click
the user, select Properties, the Profile tab, and set Home folder to
\\srv2\users\user1 (in this case), the user's home directory is created.
When I log in as that user and attempt to access the above directory, I
am asked to enter the user id and password. When I do, I get "Access
denied".
Checking security on the user1 home directory, I see:

Type   Principal       Access              Inherited from  Applies to
Allow  user1           Full Control        None            This folder, subfolders and files
Allow  Administrators  Full Control        None            This folder, subfolders and files
Allow  Domain Admins   Full Control        \\srv2\users\   This folder, subfolders and files
Allow  Domain users    Change permissions  \\srv2\users\   This folder, subfolders and files
The user directory is under /brecdata/users/
getfacl brecdata gives:
# file: brecdata
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x
/brecdata/users/
root@srv2:/brecdata# getfacl users
# file: users
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040admins:rwx
default:group:domain\040users:---
default:mask::rwx
default:other::---
/brecdata/users/user1
root@srv2:/brecdata/users# getfacl user1
# file: user1
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:domain\040admins:rwx
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\\administrators:rwx
default:group:domain\040admins:rwx
default:group:domain\040users:---
default:mask::rwx
default:other::---
updated smb.conf on srv2:
[global]
bind interfaces only = yes
interfaces = lo enp1S0
realm = BREC.BLUERIDGEEDUCATION.ORG
workgroup = BREC
security = ADS
log level = 3
preferred master = no
domain master = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 3000-7000
idmap config BREC : backend = ad
idmap config BREC : schema_mode = rfc2307
idmap config BREC : range = 10000-999999
winbind refresh tickets = yes
winbind offline logon = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 4
username map = /etc/samba/samba_usermapping
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
[users]
path = /brecdata/users/
read only = no
acl_xattr:ignore system acl = yes
acl_xattr:default acl style = windows
Any suggestions are welcome,
Howard
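The Windows security tab and the getfacl listings in this message describe two different things: vfs_acl_xattr keeps the NT ACL in an extended attribute, while the kernel enforces the POSIX ACL on the smbd process acting as the connecting user. The script below is an added example, not code from the Samba project or the poster: it parses the getfacl output for /brecdata and /brecdata/users/user1 as pasted above (default: entries left out, since they only shape newly created children) and applies the access-check algorithm from acl(5) to it. The group memberships are assumptions: user1 is taken to be a member of Domain Users only, and alice is a hypothetical member of Domain Admins. It shows that an account that is only in Domain Users is refused search (x) on /brecdata itself, because that directory has no entry for Domain Users and other is ---, before the user1 directory's own ACL is consulted at all.

```python
"""Evaluate the POSIX ACLs pasted in this thread per acl(5).
Added example for the thread, not code from the Samba project or the poster. The
getfacl listings are the post's, reproduced as constructed input minus their
default: entries. Memberships are assumptions: user1 is assumed to be in
'domain users' only; 'alice' is a hypothetical member of 'domain admins'.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

LISTINGS = {  # path -> getfacl output from the post, ancestors first
    "/brecdata": r"""# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::---""",
    "/brecdata/users/user1": r"""# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:domain\040admins:rwx
group:domain\040users:---
mask::rwx
other::---""",
}

def unescape(name: str) -> str:
    # getfacl escapes names: a doubled backslash is one backslash, \NNN is an octal byte
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), name)

@dataclass
class Acl:
    owner_name: str = ""                                       # "# owner:" header
    group_name: str = ""                                       # "# group:" header
    user: Set[str] = field(default_factory=set)                # user::   (owner entry)
    group: Set[str] = field(default_factory=set)               # group::  (owning group entry)
    other: Set[str] = field(default_factory=set)               # other::
    mask: Optional[Set[str]] = None                            # mask::   (absent on plain mode bits)
    users: Dict[str, Set[str]] = field(default_factory=dict)   # user:NAME:
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group:NAME:

def parse_getfacl(text: str) -> Acl:
    acl = Acl()
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop getfacl's effective-perm comment
        if line.startswith("# owner:"):
            acl.owner_name = unescape(line.split(": ", 1)[1])
        elif line.startswith("# group:"):
            acl.group_name = unescape(line.split(": ", 1)[1])
        elif line and not line.startswith(("#", "default:")):  # default: only shapes new children
            tag, qual, p = line.split(":", 2)
            qual, p = unescape(qual), {c for c in p if c in "rwx"}
            if qual:                                   # named user or named group entry
                (acl.users if tag == "user" else acl.groups)[qual] = p
            else:                                      # user::, group::, mask::, other::
                setattr(acl, tag, p)
    return acl

ACLS = {path: parse_getfacl(text) for path, text in LISTINGS.items()}

def access(acl: Acl, user: str, groups: Set[str], requested: str) -> bool:
    """acl(5) access check for a process running as `user` with supplementary `groups`."""
    want = set(requested)
    if user == acl.owner_name:                     # 1. owner entry, never masked
        return want <= acl.user
    mask = acl.mask if acl.mask is not None else set("rwx")
    if user in acl.users:                          # 2. named user entry, masked
        return want <= (acl.users[user] & mask)
    matching = [p for g, p in acl.groups.items() if g in groups]
    if acl.group_name in groups:                   # 3. owning group is part of the group class
        matching.append(acl.group)
    if matching:                                   #    a single matching entry must grant every bit
        return any(want <= (p & mask) for p in matching)
    return want <= acl.other                       # 4. not in the group class at all: other::

def effective(acl: Acl, user: str, groups: Set[str]) -> str:
    """Effective rwx string for the principal, like getfacl's #effective: column."""
    return "".join(p if access(acl, user, groups, p) else "-" for p in "rwx")

def path_access(user: str, groups: Set[str], requested: str) -> Tuple[bool, Optional[str]]:
    """Walk LISTINGS top-down: every ancestor needs 'x' (search), the leaf needs `requested`."""
    *parents, leaf = LISTINGS
    for path in parents:
        if not access(ACLS[path], user, groups, "x"):
            return False, path
    return (True, None) if access(ACLS[leaf], user, groups, requested) else (False, leaf)

if __name__ == "__main__":
    for u, g in (("user1", {"domain users"}), ("alice", {"domain admins"})):
        print(u, path_access(u, g, "rx"), {p: effective(a, u, g) for p, a in ACLS.items()})
```

The same walk can be run against any share by pasting the `getfacl` output of each path component into LISTINGS and the connecting account's `id -Gn` output into the groups set; the first path returned by path_access is where the kernel, not Samba, refuses the access.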