[Samba] cannot set filesystem permissions on shares

Pisch Tamás pischta at gmail.com
Wed Jul 3 09:49:08 UTC 2019


> >>>> Who are you logged into the Windows PC as ?
> >>> I log in as A\Administrator. I created an admin user, put it in the Domain
> >>> Admins group, but the result was the same (OK, it would be strange if
> >>> it worked with that instead of Administrator)
> >> Then you need to ensure that 'Domain Admins' has the same privilege as
> >> 'A\Administrator'
> > OK, I granted the following privileges to Administrator (and to
> > Domain Admins too):
> > net rpc rights list "Administrator" -UAdministrator
> > Enter Administrator's password:
> > SeDiskOperatorPrivilege
> > SeMachineAccountPrivilege
> > SeTakeOwnershipPrivilege
> > SeBackupPrivilege
> > SeRestorePrivilege
> > SeRemoteShutdownPrivilege
> > SePrintOperatorPrivilege
> > SeAddUsersPrivilege
> > SeSecurityPrivilege
> > SeSystemtimePrivilege
> > SeShutdownPrivilege
> > SeDebugPrivilege
> > SeSystemEnvironmentPrivilege
> > SeSystemProfilePrivilege
> > SeProfileSingleProcessPrivilege
> > SeIncreaseBasePriorityPrivilege
> > SeLoadDriverPrivilege
> > SeCreatePagefilePrivilege
> > SeIncreaseQuotaPrivilege
> > SeChangeNotifyPrivilege
> > SeUndockPrivilege
> > SeManageVolumePrivilege
> > SeImpersonatePrivilege
> > SeCreateGlobalPrivilege
> > SeEnableDelegationPrivilege
> > But I still cannot change the permissions.
> >
> Is Apparmor running on the Samba computer ?
No.
> Is a firewall getting in the way ?
On the server, the iptables chains are empty.
> Is there anything in any of the logs, you may have to turn up the log
> level.
I tried:
log level = 4 acls 10
But I didn't find anything interesting. What log level settings would
you recommend?

> Can you go here: https://github.com/thctlo/samba4
> Download this script: samba-collect-debug-info.sh
> Run it on your Samba server and post the output here.
On the file server:
Collected config  --- 2019-07-03-10:27 -----------

Hostname: srv
DNS Domain: a.b.hu
FQDN: srv.a.b.hu
ipaddress: 10.0.3.15 192.168.0.8
-----------
Samba is running as a Unix domain member
-----------
       Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------

This computer is running Debian 10.0 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
    link/ether 08:00:27:c9:09:60 brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8
       valid_lft 83319sec preferred_lft 83319sec
    inet6 fe80::a00:27ff:fec9:960/64 scope link
3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
    link/ether 08:00:27:60:df:a1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.8/24 brd 192.168.0.255 scope global enp0s3
    inet6 fe80::a00:27ff:fe60:dfa1/64 scope link
-----------
       Checking file: /etc/hosts
127.0.0.1 localhost
##127.0.1.1 srv.a.b.hu srv
192.168.0.8 srv.a.b.hu srv
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
       Checking file: /etc/resolv.conf
#domain a.b.hu
search a.b.hu tm.b.hu
##nameserver 10.0.3.3
nameserver 192.168.0.4
-----------
       Checking file: /etc/krb5.conf
[libdefaults]
    default_realm = A.B.HU
    dns_lookup_realm = false
    dns_lookup_kdc = true
-----------
       Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

##passwd:         files systemd
passwd:         files winbind
##group:          files systemd
group:          files winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
-----------
       Checking file: /etc/samba/smb.conf
[global]
bind interfaces only = Yes
dos charset = CP852
interfaces = lo enp0s3
log file = /var/log/samba/%m.log
log level = 1
name resolve order = lmhosts host bcast
realm = A.B.HU
security = ADS
template homedir = /home/users/%U
template shell = /bin/bash
unix charset = UTF8
username map = /etc/samba/user.map
workgroup = A
idmap config a : range = 10000-999999
idmap config a : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
admin users = admin
create mask = 0770
csc policy = disable
directory mask = 0770
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr

[users]
path = /home/users
read only = No
...

[wpkg]
path = /home/samba/wpkg
valid users = "@Domain Users"
-----------
Running as Unix domain member and user.map detected.
Contents of /etc/samba/user.map
!root = A\Administrator
!root = A\admin
Server Role is set to :  auto
-----------
Installed packages:
ii  acl                            2.2.53-4                    amd64
     access control list - utilities
ii  attr                           1:2.4.48-4                  amd64
     utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6                         all
     Configuration files for Kerberos Version 5
ii  krb5-locales                   1.17-2                      all
     internationalization support for MIT Kerberos
ii  krb5-user                      1.17-2                      amd64
     basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                  2.2.53-4                    amd64
     access control list - shared library
ii  libattr1:amd64                 1:2.4.48-4                  amd64
     extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64         1.17-2                      amd64
     MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                1.17-2                      amd64
     MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.17-2                      amd64
     MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64           2:4.9.5+dfsg-4              amd64
     Samba nameservice integration plugins
ii  libwbclient0:amd64             2:4.9.5+dfsg-4              amd64
     Samba winbind client library
ii  python-samba                   2:4.9.5+dfsg-4              amd64
     Python bindings for Samba
ii  samba                          2:4.9.5+dfsg-4              amd64
     SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.9.5+dfsg-4              all
     common files used by both the Samba server and client
ii  samba-common-bin               2:4.9.5+dfsg-4              amd64
     Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.9.5+dfsg-4              amd64
     Samba Directory Services Database
ii  samba-libs:amd64               2:4.9.5+dfsg-4              amd64
     Samba core libraries
ii  samba-vfs-modules:amd64        2:4.9.5+dfsg-4              amd64
     Samba Virtual FileSystem plugins
ii  winbind                        2:4.9.5+dfsg-4              amd64
     service to resolve user and group information from Windows NT
servers
-----------

On dc1:
Collected config  --- 2019-07-03-10:46 -----------

Hostname: dc1
DNS Domain: a.b.hu
FQDN: dc1.a.b.hu
ipaddress: 10.0.3.15 192.168.0.4
-----------
Samba is running as an AD DC
-----------
       Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------

This computer is running Debian 10.0 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
    link/ether 08:00:27:b1:35:eb brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8
       valid_lft 76592sec preferred_lft 76592sec
    inet6 fe80::a00:27ff:feb1:35eb/64 scope link
3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
    link/ether 08:00:27:bf:f9:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.4/24 brd 192.168.0.255 scope global enp0s3
    inet6 fe80::a00:27ff:febf:f975/64 scope link
-----------
       Checking file: /etc/hosts
127.0.0.1 localhost
127.0.1.1 dc1.a.b.hu dc1
192.168.0.4 dc1.a.b.hu dc1
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
       Checking file: /etc/resolv.conf
#domain b.hu
search a.b.hu tm.b.hu
#nameserver 10.0.3.3
#nameserver 208.67.220.220
#nameserver 208.67.222.222
nameserver 192.168.0.4
-----------
       Checking file: /etc/krb5.conf
[libdefaults]
default_realm = A.B.HU
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
       Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

#passwd:         files systemd
passwd:         files winbind
#group:          files systemd
group:          files winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
-----------
       Checking file: /etc/samba/smb.conf
[global]
bind interfaces only = Yes
dns forwarder = 208.67.220.220
interfaces = lo enp0s3
logon home = \\srv\users\%U
logon path = ""
name resolve order = lmhosts host bcast
netbios name = DC1
realm = A.B.HU
server role = active directory domain controller
time server = Yes
username map = /etc/samba/user.map
workgroup = A
idmap_ldb:use rfc2307 = yes
kernel oplocks = Yes

[netlogon]
path = /var/lib/samba/sysvol/a.b.hu/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
You have a user.map set in your smb.conf
This is not allowed because Samba is running as a DC
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii  acl                            2.2.53-4                    amd64
     access control list - utilities
ii  attr                           1:2.4.48-4                  amd64
     utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6                         all
     Configuration files for Kerberos Version 5
ii  krb5-locales                   1.17-3                      all
     internationalization support for MIT Kerberos
ii  krb5-user                      1.17-3                      amd64
     basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                  2.2.53-4                    amd64
     access control list - shared library
ii  libattr1:amd64                 1:2.4.48-4                  amd64
     extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64         1.17-3                      amd64
     MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                1.17-3                      amd64
     MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.17-3                      amd64
     MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64           2:4.9.5+dfsg-5              amd64
     Samba nameservice integration plugins
ii  libsmbclient:amd64             2:4.9.5+dfsg-5              amd64
     shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64             2:4.9.5+dfsg-5              amd64
     Samba winbind client library
ii  python-samba                   2:4.9.5+dfsg-5              amd64
     Python bindings for Samba
ii  samba                          2:4.9.5+dfsg-5              amd64
     SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.9.5+dfsg-5              all
     common files used by both the Samba server and client
ii  samba-common-bin               2:4.9.5+dfsg-5              amd64
     Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.9.5+dfsg-5              amd64
     Samba Directory Services Database
ii  samba-libs:amd64               2:4.9.5+dfsg-5              amd64
     Samba core libraries
ii  samba-vfs-modules:amd64        2:4.9.5+dfsg-5              amd64
     Samba Virtual FileSystem plugins
ii  smbclient                      2:4.9.5+dfsg-5              amd64
     command-line SMB/CIFS clients for Unix
ii  winbind                        2:4.9.5+dfsg-5              amd64
     service to resolve user and group information from Windows NT
servers
-----------
Your script says that user.map is not allowed on a DC, but I can't find
that in the smb.conf manual.
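The debug output above covers the three places where a Unix domain member usually breaks Windows-side permission editing: the ACL-related [global] settings (acl_xattr, map acl inherit, store dos attributes), the idmap ranges (the "*" range and each domain range must not overlap), and the per-class "log level" syntax, which smb.conf(5) writes as class:level (for example "log level = 3 passdb:5 auth:10"). The script below is an added example, not Samba code and not the samba-collect-debug-info.sh script from the thread; it lints a [global] section for those three things. The SAMPLE text is a constructed copy of the member server's [global] from the post, and the function names are my own.

```python
"""Lint the [global] section of a Samba member-server smb.conf for the
settings Windows-side ACL editing depends on.  Added example; not part of
Samba or of the samba-collect-debug-info.sh script."""
import re

YES = {"yes", "true", "1"}
# Settings a share needs so that NT ACLs set from the Windows security tab
# are stored (acl_xattr) and inherited (map acl inherit) with DOS attributes.
REQUIRED_GLOBAL = {
    "vfs objects": lambda v: "acl_xattr" in v.split(),
    "map acl inherit": lambda v: v.lower() in YES,
    "store dos attributes": lambda v: v.lower() in YES,
}

# The member server's [global] from the post (constructed sample input).
SAMPLE = """\
[global]
security = ADS
realm = A.B.HU
workgroup = A
log level = 1
username map = /etc/samba/user.map
idmap config a : range = 10000-999999
idmap config a : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr
"""


def normalise_key(key):
    """Lower-case a parameter name and collapse whitespace so that
    'idmap config A : range' and 'idmap config a:range' compare equal."""
    key = re.sub(r"\s+", " ", key.strip().lower())
    return re.sub(r"\s*:\s*", ":", key)


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {param: value}}.
    Samba treats '#' and ';' as comment markers at the start of a line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][normalise_key(key)] = value.strip()
    return sections


def parse_range(value):
    """'10000-999999' -> (10000, 999999); ValueError if malformed or empty."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo >= hi:
        raise ValueError("empty idmap range: %s" % value)
    return lo, hi


def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    g = parse_smb_conf(text).get("global", {})

    # 1. ACL-related settings the Windows security tab relies on.
    for param, ok in REQUIRED_GLOBAL.items():
        if param not in g:
            findings.append("missing '%s' in [global]" % param)
        elif not ok(g[param]):
            findings.append("'%s = %s' does not enable Windows ACL storage"
                            % (param, g[param]))

    # 2. idmap ranges: every configured range must be disjoint from the rest.
    ranges = {}
    for key, value in g.items():
        m = re.fullmatch(r"idmap config ([^:]+):range", key)
        if m:
            try:
                ranges[m.group(1)] = parse_range(value)
            except ValueError as e:
                findings.append("idmap config %s: %s" % (m.group(1), e))
    if "*" not in ranges:
        findings.append("no 'idmap config * : range' for the default domain")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append("idmap ranges for '%s' and '%s' overlap" % (a, b))

    # 3. Per-class debug levels must be written 'class:level' (smb.conf(5)).
    tokens = g.get("log level", "0").split() or ["0"]
    if not tokens[0].isdigit():
        findings.append("log level must start with a number: %r" % tokens[0])
    for tok in tokens[1:]:
        if not re.fullmatch(r"[a-z0-9_]+:\d+", tok):
            findings.append("malformed per-class log level %r "
                            "(expected e.g. acls:10)" % tok)
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE) or ["no findings for SAMPLE"]:
        print(finding)
```

Run it against your own smb.conf by reading the file into lint(); the posted [global] comes back clean, which is consistent with the thread's conclusion that the config itself is not the obstacle, and it flags "log level = 4 acls 10" because the class and level are not joined with a colon.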


