[Samba] Samba user profiles file ownership

James B. Byrne byrnejb at harte-lyne.ca
Thu Aug 13 13:54:56 UTC 2020


FreeBSD-12.1p7
Samba-4.10.15

The user profiles were transferred from the existing Samba AD-DC to a new
domain running on Samba-4.10.  An ls on the original Samba (4.3.13) domain DC
shows this:

[root@SAMBA-01 ~]# ls -ld /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
drwxrwx---+ 16 BROCKLEY-2016\lyneak_hll  BROCKLEY-2016\domain admins  512 Aug 12 17:07 /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2

[root@SAMBA-01 ~]# ls -ldn /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
drwxrwx---+ 16 3000025  3000008  512 Aug 12 17:07 /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2

On the new domain ls shows this:

ls -ld /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
drwxrwx---  16 3000025  3000008  25 Jul 24 17:24 /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2

But on the new domain controller ls shows this:

ls -ld /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
drwxrwx---  16 3000025  3000008  25 Jul 24 17:24 /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2

This is expected as the uid/gid mapping from one installation to another is not
expected to match.   However, when I log on to the new domain from a Win10
workstation this is created:

d---------+ 18 3000027  3000008  27 Aug 12 15:29 /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V6

Which leads to a few questions:

1. What configuration is required on the new DC to show uid  3000027 as
BROCKLEY\lyneak_hll or has this changed in later versions of Samba?

2. GID 3000008 appears to be BROCKLEY-2016\domain admins on both domains.  But
does not display as such on the new domain.  What configuration setting is
required to get the group to display using ls?

3. On the existing domain the gid on user profiles seems to be 20 (staff).  On
the new domain profiles are created with the gid 3000008.  However, gid 20
(staff) exists in /etc/group on both DCs.  Why the difference?  Is this due to
a configuration setting?

The smb.conf file on the new DC is:

[root@smb4-2 ~ (master)]# cat /usr/local/etc/smb4.conf
## Global parameters
[global]
  netbios name = SMB4-2
  disable netbios = yes
  realm = BROCKLEY.HARTE-LYNE.CA
  server role = active directory domain controller
  ## use 'samba-tool testparm -v | grep services' to list active services
  workgroup = BROCKLEY
  idmap_ldb:use rfc2307 = yes
  vfs objects = dfs_samba4 zfsacl

  ## Temp fix for roaming profiles? oplock
#  veto oplock files = /NTUSER.DAT/
#  veto oplock files = /ntuser.ini/

  socket options = TCP_NODELAY SO_KEEPALIVE

  ## nbt causes a fatal startup error (or use disable netbios = yes)
#  server services = -nbt

  ## Eliminate ipv6 errors
  bind interfaces only = Yes
  interfaces = localhost smb4-2

  ## DNS
  dns forwarder = 216.185.71.33 216.185.71.34
  #additional dns hostnames = smb4-2.brockley.harte-lyne.ca

  ## Note diff: sbin vs. bin and _ vs. - and dns vs. ns
  dns update command = /usr/local/sbin/samba_dnsupdate
  ## samba_dnsupdate insists on finding rndc
  rndc command = /usr/bin/true
  ## For secure dns dynamic updates use these (but secure does not work):
  # 1 nsupdate command = /usr/local/bin/samba-nsupdate -g
  # 1 allow dns updates = secure only
  ## For insecure dynamic updates use these settings:
  nsupdate command = /usr/local/bin/samba-nsupdate
  allow dns updates = nonsecure

  ## Logging
  log level = 1
#  log file = /var/log/samba4/smbd.log.%m
  log file = /var/log/samba4/smbd.log
  max log size = 10000
  debug timestamp = yes

  # Disable printing
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes

## Shares
[sysvol]
  path = /var/db/samba4/sysvol
  read only = No

[netlogon]
  path = /var/db/samba4/sysvol/brockley.harte-lyne.ca/scripts
  read only = No

[PROFILES]
    comment = Users profiles
    path = /var/samba4/BROCKLEY/PROFILES/
    browseable = No
    read only = No
    force create mode = 0600
    force directory mode = 0700
    csc policy = disable
    store dos attributes = yes
    vfs objects = dfs_samba4 zfsacl

[USERS]
    comment = Users folder redirection
    path = /var/samba4/BROCKLEY/USERS/
    browseable = No
    read only = No
    force create mode = 0600
    force directory mode = 0700
    csc policy = disable
    store dos attributes = yes
    vfs objects = dfs_samba4 zfsacl



-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
