[Samba] Building a replacement Samba4 server to replace a Samba3 system, running into file rights issues.

Rowland penny rpenny at samba.org
Sat Dec 14 20:35:52 UTC 2019 

On 14/12/2019 20:00, Howard Fleming via samba wrote:
> On 2019-12-08 15:01, Rowland penny via samba wrote:
>> On 08/12/2019 18:18, Howard Fleming via samba wrote:
>>> I am building a Samba4 setup to replace a Samba3 server I built for 
>>> small non profit school back in 2012.
>>>
>>> It is running CentOS 6.x, samba version 3.6.23-52.el6_10.  Rather 
>>> than attempt to upgrade this system to Samba4, it makes more sense 
>>> (to me at least) to build a new server and move the data.
>> Good plan, at least you start without any bad ideas from an NT4-style 
>> domain
>
> Thanks!
>>>
>>> Currently I have 2 samba servers running as virtual machines under 
>>> kvm.  One is the AD server, the other is a member server that is 
>>> running the file shares.  The kvm server and the samba servers are 
>>> all running Debian 10, and I am using the default Debian 10 repos 
>>> for the samba packages.
>>>
>>> The current problem I am running into are the rights on the shares 
>>> for the users.  When I create a user via aduc, and set the home 
>>> directory, it gets created as it should, but all users can see all 
>>> the home directories, including contents.  I am also running into 
>>> rights issues with the shared directories also.
>>
>> How are the users home directories being created, are you using 
>> pam_mkhomedir ?
>>
>> If so, this could be your problem.
>
> Not that I am aware of, how would I check?
>
> User directories are created by right clicking on the user id in aduc, 
> properties, and setting the home directory to \\srv\users\<username>
>>
>>>
>>> I can join Windows 10 and 7 computers into AD with out any issues, 
>>> so I am assuming I set something up wrong, either in AD or when I 
>>> added the 2nd server for file services.
>>
>> Just a few notes on your files:
>>
>> I would remove example.com from the search line in the 
>> /etc/resolv.conf files
>>
>> You do not need the template lines in the DC smb.conf, you are not
>> allowing anyone to login in.
>>
>> I would also install the libpam-krb5 package on both machines
>>
>> On the Member server, you have commented out 'idmap config BREC :
>> unix_nss_info = yes' which is correct for your version of Samba, but
>> you have 'winbind nss info = rfc2307' which is wrong for your Samba
>> version.
>> You also have:
>>         template shell = /bin/bash
>>         template homedir = /brecdata/user/%U
>>
>> Which means that you are not using the RFC2307 attributes in AD, so
>> you don't need 'idmap config BREC : unix_nss_info = yes' anyway
>>
>> You do not need to set 'browseable = yes' on the shares, it is the 
>> default
>>
>> It might help if you read this:
>>
>> https://wiki.samba.org/index.php/User_Home_Folders
>>
>> Rowland
>
> I did read the User_Home_Folders, but it is not helping me to resolve 
> the issue.
>
>
> Made the above changes and I am still having issues with home 
> directories, but having a different issue now.
>
> When I create a user (user1) using aduc, and once created, right click 
> the user, select properties, the profile tab, and set Home folder to 
> \\srv2\users\user1 (in this case), the user's home directory is created.

Ah, but is it ?

Connecting via SMB to a users share on a Samba machine will not create it.

If you try to log into a Unix domain member where the users home 
directory does not already exist, then, unless you have pam_mkhomedir 
set up, you will not be able to log in. The same goes for attempting to 
connect to the users share via Samba, you will not be able to connect to 
a share that doesn't already exist, unless you use a 'root prex' script.

>
> When I login as that user and attempt to access the above directory, I 
> am asked to enter the user id and password.  When I do, I get "Access 
> denied".
You would get that error if the users home directory share doesn't exist.
>
> Checking security on the user1 home directory, I see:
>
> type     Principal         Access          Inherited from  Applies to
>
> Allow   user1              Full Control   None              This 
> folder, subfolders and files
>
> Allow   Administrators     Full Control    None              This 
> folder, subfolders and files
>
> Allow  Domain Admins       Full Control   \\srv2\users\   This folder, 
> subfolders and files
>
> Allow  Domain users        Change permissions \\srv2\users\ This 
> folder subfolders and filles
>
> The user directory is under /brecdata/users/

Yes, but the users directory would be /brecdata/users/username

Rowland

More information about the samba mailing list