[Samba] cannot set filesystem permissions on shares

Rowland Penny rpenny at samba.org
Wed Jul 3 11:20:54 UTC 2019


On 03/07/2019 10:49, Pisch Tamás via samba wrote:
> Is there anything in any of the logs, you may have to turn up the log
> I tried:
> log level = 4 acls 10
> But I didn't find anything interesting. What log level settings would
> you recommend?
Try raising it one number at a time, but be aware you will get larger and
larger logs.
> On the file server:
> Collected config  --- 2019-07-03-10:27 -----------
>
> Hostname: srv
> DNS Domain: a.b.hu
> FQDN: srv.a.b.hu
> ipaddress: 10.0.3.15 192.168.0.8
> -----------
> Samba is running as a Unix domain member
> -----------
>
> This computer is running Debian 10.0 x86_64
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>      inet6 ::1/128 scope host
> 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
>      link/ether 08:00:27:c9:09:60 brd ff:ff:ff:ff:ff:ff
>      inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8
>         valid_lft 83319sec preferred_lft 83319sec
>      inet6 fe80::a00:27ff:fec9:960/64 scope link
> 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
>      link/ether 08:00:27:60:df:a1 brd ff:ff:ff:ff:ff:ff
>      inet 192.168.0.8/24 brd 192.168.0.255 scope global enp0s3
>      inet6 fe80::a00:27ff:fe60:dfa1/64 scope link
> -----------
>         Checking file: /etc/hosts
> 127.0.0.1 localhost
> 192.168.0.8 srv.a.b.hu srv
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> -----------
>         Checking file: /etc/resolv.conf
> search a.b.hu tm.b.hu
> nameserver 192.168.0.4
> -----------
>
>         Checking file: /etc/samba/smb.conf
> [global]
> bind interfaces only = Yes
> dos charset = CP852
> interfaces = lo enp0s3
> log file = /var/log/samba/%m.log
> log level = 1
> name resolve order = lmhosts host bcast
> realm = A.B.HU
> security = ADS
> template homedir = /home/users/%U
> template shell = /bin/bash
> unix charset = UTF8
> username map = /etc/samba/user.map
> workgroup = A
> idmap config a : range = 10000-999999
> idmap config a : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> admin users = admin
> create mask = 0770
> csc policy = disable
> directory mask = 0770
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = acl_xattr
>
> [users]
> path = /home/users
> read only = No
> ...
>
> [wpkg]
> path = /home/samba/wpkg
> valid users = "@Domain Users"
I wouldn't recommend using 'valid users', but then I suppose this is
what you are trying to fix
> -----------
> Running as Unix domain member and user.map detected.
> Contents of /etc/samba/user.map
> !root = A\Administrator
> !root = A\admin

Remove the second line, I would recommend only mapping 'Administrator' 
to 'root'

> On dc1:
> Collected config  --- 2019-07-03-10:46 -----------
>
> Hostname: dc1
> DNS Domain: a.b.hu
> FQDN: dc1.a.b.hu
> ipaddress: 10.0.3.15 192.168.0.4
> -----------
> Samba is running as an AD DC
> -----------
>
> This computer is running Debian 10.0 x86_64
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>      inet6 ::1/128 scope host
> 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
>      link/ether 08:00:27:b1:35:eb brd ff:ff:ff:ff:ff:ff
>      inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8
>         valid_lft 76592sec preferred_lft 76592sec
>      inet6 fe80::a00:27ff:feb1:35eb/64 scope link
> 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
>      link/ether 08:00:27:bf:f9:75 brd ff:ff:ff:ff:ff:ff
>      inet 192.168.0.4/24 brd 192.168.0.255 scope global enp0s3
>      inet6 fe80::a00:27ff:febf:f975/64 scope link
> -----------
>         Checking file: /etc/hosts
> 127.0.0.1 localhost
> 127.0.1.1 dc1.a.b.hu dc1
Remove the '127.0.1.1' line and whatever requires it.
> 192.168.0.4 dc1.a.b.hu dc1
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> -----------
>         Checking file: /etc/resolv.conf
> #domain b.hu
> search a.b.hu tm.b.hu
Remove the 'tm.b.hu'
> #nameserver 10.0.3.3
> #nameserver 208.67.220.220
> #nameserver 208.67.222.222
> nameserver 192.168.0.4
> -----------
>
>         Checking file: /etc/samba/smb.conf
> [global]
> bind interfaces only = Yes
> dns forwarder = 208.67.220.220
> interfaces = lo enp0s3
The above lines are okay
> logon home = \\srv\users\%U
> logon path = ""
> name resolve order = lmhosts host bcast
The above are not.
> netbios name = DC1
> realm = A.B.HU
> server role = active directory domain controller
> time server = Yes
All DCs are time servers, just as long as they are running an NTP server,
it doesn't need setting in a DC smb.conf
> username map = /etc/samba/user.map
No, you do not use a user.map on a DC, Administrator is mapped in idmap.ldb
> workgroup = A
> idmap_ldb:use rfc2307 = yes
> kernel oplocks = Yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/a.b.hu/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> -----------
> You have a user.map set in your smb.conf
> This is not allowed because Samba is running as a DC
> -----------
> BIND_DLZ not detected in smb.conf
>
> Your script says that user.map is not allowed on a dc, but I don't
> read it in the smb.conf manual.

Good point, but you do not use one on a Samba AD DC, for the reason given
above ;-)

Try fixing the above problems.

Rowland
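
The two privilege-related points in this reply (no username map and no leftover member-server parameters on an AD DC, and only 'Administrator' mapped to 'root' on a member) can be checked mechanically. The following is an added example, not part of the original message and not the Samba debug script quoted above; the function names and the sample data are constructed for illustration.

```python
import re

# Parameters the reply above objects to in an AD DC's smb.conf (from the thread).
DC_FLAGGED = ("username map", "logon home", "logon path", "name resolve order", "time server")

def global_params(smb_conf):
    """Parse the [global] section into {normalised parameter name: value}."""
    params, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def dc_flagged_params(smb_conf):
    """Return the flagged parameters present, but only if the host is an AD DC."""
    params = global_params(smb_conf)
    if params.get("server role", "").lower() != "active directory domain controller":
        return []
    return [name for name in DC_FLAGGED if name in params]

def extra_root_mappings(user_map, allowed=("administrator",)):
    """Return accounts a username map sends to root, other than the allowed ones."""
    extra = []
    for raw in user_map.splitlines():
        unix, sep, clients = raw.strip().partition("=")
        if not sep or unix.strip().lstrip("!").strip() != "root":
            continue
        for name in re.findall(r'"[^"]+"|\S+', clients):
            name = name.strip('"')
            if name.rsplit("\\", 1)[-1].lower() not in allowed:
                extra.append(name)
    return extra

# Constructed sample input, modelled on the configuration quoted in the thread.
SAMPLE_DC_CONF = """[global]
server role = active directory domain controller
time server = Yes
username map = /etc/samba/user.map
"""
SAMPLE_USER_MAP = "!root = A\\Administrator\n!root = A\\admin\n"

if __name__ == "__main__":
    print(dc_flagged_params(SAMPLE_DC_CONF), extra_root_mappings(SAMPLE_USER_MAP))
```

Every account listed by `extra_root_mappings` acts as root on the file server, so the list should be empty on a domain member and the map should not exist at all on a DC.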