[Samba] include in smb.conf

Rowland penny rpenny at samba.org
Tue Jun 9 13:06:04 UTC 2020


On 09/06/2020 12:59, Marcio Demetrio Bacci wrote:
> Hi Rowland
>
> >Hi Marcio, we would need more info, where are you migrating the 
> home folders from ? and where to ?
> I copied Windows Server 2008 folders and permissions with ROBOCOPY to 
> my Samba 4 server.
>
> The folders must be mounted on a drive letter, ex: "H" in the windows 
> clients workstations.
So, you are referring to Windows home Directories, now stored on a Samba 
server. Next question, what sort of Samba server, a DC, Unix domain 
member or what ?
>
> >You may be able to use something like rsync, but there might be a 
> better way, it depends where the home folders are now.
> What would the best way?
As they are now on the Samba server, you now need to get your windows 
clients to use them. You will need the correct directory structure on 
the Samba server (with the correct permissions) and probably a GPO to 
point your users to them, the latter is more in Louis's knowledge than mine.
>
> Another problem is that I was comparing the permissions that were in 
> Windows and replicating in Samba 4. As the folders were created 
> manually there was no "CREATE OWNER" permission and this way I removed 
> it. Now, I don't find the "CREATE OWNER" permissions just find "GROUP 
> OWNER", to assign the root folder.
How are you looking at the permissions on the Samba server ?

The problem is (and I keep pointing this out), there are three places 
that the permissions are stored:

The normal Unix 'ugo' permissions that 'ls' shows e.g. '755' or 'rwxr-xr-x'

The permissions that 'getfacl' shows

An extended attribute stored in Security.NTACL e.g.

getfattr -n security.NTACL /var/lib/samba/sysvol
getfattr: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
security.NTACL=<base64 value omitted>

Big problem though, it is incomprehensible, so try this instead:

samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
O:BAG:SYD:PAI(A;OICIIO;WOWDGRGWGX;;;CO)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;0x001f03ff;;;SY)(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001e01bf;;;BA)(A;OICIIO;GRGX;;;SO)(A;;0x001200a9;;;SO)

Now, provided you have the key, you can easily decipher it, for 
instance, (A;OICIIO;WOWDGRGWGX;;;CO) is:

(ACCESS_ALLOWED_ACE_TYPE;OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE 
INHERIT_ONLY_ACE;WRITE_OWNER WRITE_DAC GENERIC_READ GENERIC_WRITE 
GENERIC_EXECUTE;;;SECURITY_CREATOR_OWNER_RID)

See here: 
https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings

and here: 
https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings?redirectedfrom=MSDN

Rowland
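To make the "provided you have the key" step concrete, here is an added example decoder for the `--as-sddl` output shown in the message. It is not code from this thread or from Samba; it is a hypothetical helper that applies the documented SDDL abbreviations (ACE types, inheritance flags, rights aliases, file access-mask bits and well-known SID aliases) to the sysvol ACL quoted above, which is embedded as sample input. Names such as `parse_sddl`, `decode_ace` and `Ace` are this example's own. Hex masks are decoded bit by bit, and any bit the table does not name is reported as unknown rather than silently dropped.

```python
import re
from typing import NamedTuple

# SDDL abbreviation tables (documented token names, not a Samba API).
ACE_TYPES = {"A": "ACCESS_ALLOWED_ACE_TYPE", "D": "ACCESS_DENIED_ACE_TYPE",
             "AU": "SYSTEM_AUDIT_ACE_TYPE", "AL": "SYSTEM_ALARM_ACE_TYPE"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT_ACE", "CI": "CONTAINER_INHERIT_ACE", "ID": "INHERITED_ACE",
             "NP": "NO_PROPAGATE_INHERIT_ACE", "IO": "INHERIT_ONLY_ACE"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC",
          "WO": "WRITE_OWNER", "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ",
          "FW": "FILE_GENERIC_WRITE", "FX": "FILE_GENERIC_EXECUTE"}
# File-object access-mask bits, used when the rights field is a hex number.
MASK_BITS = [(0x1, "FILE_READ_DATA"), (0x2, "FILE_WRITE_DATA"), (0x4, "FILE_APPEND_DATA"),
             (0x8, "FILE_READ_EA"), (0x10, "FILE_WRITE_EA"), (0x20, "FILE_EXECUTE"),
             (0x40, "FILE_DELETE_CHILD"), (0x80, "FILE_READ_ATTRIBUTES"),
             (0x100, "FILE_WRITE_ATTRIBUTES"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
             (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE")]
DACL_FLAGS = {"P": "SE_DACL_PROTECTED", "AR": "SE_DACL_AUTO_INHERIT_REQ",
              "AI": "SE_DACL_AUTO_INHERITED"}
SID_ALIASES = {"CO": ("SECURITY_CREATOR_OWNER_RID", "S-1-3-0"),
               "CG": ("SECURITY_CREATOR_GROUP_RID", "S-1-3-1"),
               "WD": ("EVERYONE", "S-1-1-0"), "AU": ("AUTHENTICATED_USERS", "S-1-5-11"),
               "SY": ("LOCAL_SYSTEM", "S-1-5-18"), "BU": ("BUILTIN_USERS", "S-1-5-32-545"),
               "BA": ("BUILTIN_ADMINISTRATORS", "S-1-5-32-544"),
               "SO": ("SERVER_OPERATORS", "S-1-5-32-549")}

# The sysvol ACL quoted in the message above, reused here as sample input.
SYSVOL_SDDL = ("O:BAG:SYD:PAI(A;OICIIO;WOWDGRGWGX;;;CO)(A;OICIIO;GRGX;;;AU)"
               "(A;;0x001200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;0x001f03ff;;;SY)"
               "(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001e01bf;;;BA)"
               "(A;OICIIO;GRGX;;;SO)(A;;0x001200a9;;;SO)")

class Ace(NamedTuple):
    ace_type: str
    flags: list
    rights: list
    trustee: str

def split_pairs(field):
    """Split a run of two-letter tokens such as 'OICIIO' into ['OI', 'CI', 'IO']."""
    if len(field) % 2:
        raise ValueError(f"odd-length token field: {field!r}")
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def decode_rights(field):
    """Rights are two-letter aliases, or a raw hex mask when no alias fits."""
    if field.startswith("0x"):
        mask = int(field, 16)
        names = [name for bit, name in MASK_BITS if mask & bit]
        unknown = mask & ~sum(bit for bit, _ in MASK_BITS)   # bits this table does not name
        return names + ([f"UNKNOWN(0x{unknown:08x})"] if unknown else [])
    return [RIGHTS.get(tok, f"UNKNOWN({tok})") for tok in split_pairs(field)]

def resolve_sid(token):
    """Map a SID alias to its well-known name; pass literal S-1-... SIDs through."""
    if token in SID_ALIASES:
        name, sid = SID_ALIASES[token]
        return f"{name} ({sid})"
    if re.fullmatch(r"S-1-\d+(?:-\d+)+", token):
        return token
    raise ValueError(f"unknown SID token: {token!r}")

def decode_ace(ace_str):
    """Decode one '(type;flags;rights;object_guid;inherit_guid;sid)' ACE."""
    m = re.fullmatch(r"\(([^()]*)\)", ace_str.strip())
    parts = m.group(1).split(";") if m else []
    if len(parts) != 6:
        raise ValueError(f"malformed ACE: {ace_str!r}")
    ace_type, flags, rights, _obj_guid, _inherit_guid, sid = parts
    return Ace(ACE_TYPES.get(ace_type, f"UNKNOWN({ace_type})"),
               [ACE_FLAGS.get(f, f"UNKNOWN({f})") for f in split_pairs(flags)],
               decode_rights(rights), resolve_sid(sid))

def decode_dacl_flags(prefix):
    """Control flags precede the first ACE and mix 1- and 2-letter tokens."""
    tokens = re.findall(r"AR|AI|P|.", prefix)   # '.' catches anything unrecognised
    bad = [t for t in tokens if t not in DACL_FLAGS]
    if bad:
        raise ValueError(f"unknown DACL flag(s): {bad}")
    return [DACL_FLAGS[t] for t in tokens]

def parse_sddl(sddl):
    """Split 'O:...G:...D:...' and decode the DACL into Ace records."""
    sections = {m.group(1): m.group(2)
                for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl)}
    dacl = sections.get("D", "")
    prefix = dacl.split("(", 1)[0]          # text before the first ACE
    return {"owner": resolve_sid(sections["O"]),
            "group": resolve_sid(sections["G"]),
            "dacl_flags": decode_dacl_flags(prefix),
            "dacl": [decode_ace(a) for a in re.findall(r"\([^()]*\)", dacl)]}

if __name__ == "__main__":
    sd = parse_sddl(SYSVOL_SDDL)
    print(sd["owner"], sd["group"], sd["dacl_flags"])
    for ace in sd["dacl"]:
        print(" ", ace)
```

Running it prints the owner, group and DACL control flags, then one decoded `Ace` per entry; the first one comes out exactly as spelled out in the message (ACCESS_ALLOWED_ACE_TYPE, OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE INHERIT_ONLY_ACE, WRITE_OWNER WRITE_DAC GENERIC_READ GENERIC_WRITE GENERIC_EXECUTE, SECURITY_CREATOR_OWNER_RID). The hex masks decode to their individual file rights, which is the quickest way to check whether a CREATOR OWNER entry survived a permission copy or was dropped.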
