[Samba] include in smb.conf

Marcio Demetrio Bacci marciobacci at gmail.com
Fri Jun 12 19:32:00 UTC 2020


Hi Rowland

>> The folders must be mounted on a drive letter, ex: "H" in the windows
>> clients workstations.
>So, you are referring to Windows home Directories, now stored on a Samba
>server. Next question, what sort of Samba server, a DC, Unix domain
>member or what ?
I have 2 Samba 4 DCs (migrated from Windows 2008 Server) and the users' home
folders are stored on the new Samba 4 file server.

>>
>> >>You may be able to use something like rsync, but there might be a
>> better way, it depends where the home folders are now.
>> What would be the best way?
>As they are now on the Samba server, you now need to get your windows
>clients to use them. You will need the correct directory structure on
>the Samba server (with the correct permissions) and probably a GPO to
>point your users to them, the latter is more in Louis's knowledge than
>mine.
I am using GPO and the existing folders are mapping correctly. New folders
are not being created during the first login.


>> Another problem is that I was comparing the permissions that were in
>> Windows and replicating in Samba 4. As the folders were created
>> manually there was no "CREATE OWNER" permission and this way I removed
>> it. Now, I don't find the "CREATE OWNER" permissions just find "GROUP
>> OWNER", to assign the root folder.
I created a new folder and I can find the "CREATE OWNER" permissions. Looks
correct to me.

>How are you looking at the permissions on the Samba server ?
I'm using getfacl and apparently everything is OK.

# Root Directory
getfacl /STORAGE/Usuarios/
getfacl: Removing leading '/' from absolute path names
# file: STORAGE/Usuarios/
# owner: root
# group: unix_admins
user::rwx
user:root:rwx
group::rwx
group:NT\040Authority\\system:rwx
group:usuariosdominio:r-x
group:unix_admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:unix_admins:rwx
default:mask::rwx
default:other::---

# An example of common user home directory:
getfacl /STORAGE/Usuarios/testeshared/
getfacl: Removing leading '/' from absolute path names
# file: STORAGE/Usuarios/testeshared/
# owner: root
# group: root
user::rwx
user:root:rwx
user:testeshared:rwx
group::---
group:root:---
group:NT\040Authority\\system:rwx
group:unix_admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:testeshared:rwx
default:group::---
default:group:root:---
default:group:NT\040Authority\\system:rwx
default:group:unix_admins:rwx
default:mask::rwx
default:other::---

>An extended attribute stored in Security.NTACL e.g.
Here is my output command:
samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;S-1-22-2-0)(A;;0x001200a9;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)

>See here:
>https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings

>and here:
>
>https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings?redirectedfrom=MSDN

Sorry, I accessed the links, read the content and found it very
complicated. I confess that I understood practically nothing.

I checked out another strange situation.
I am applying the same permissions that existed in Windows Server 2008,
however the behavior in Samba4 is different.
For example: I apply a read, write and modify permission, but the user can
only create directories and rename files if I assign permission to exclude
files in folders, subfolders and files.

I also noticed that when I rename a user on my Samba 4 DC, this change
takes some time to become visible on the file server.
I enabled debugging and checked the synchronization between the DCs; I have
this result:

samba-tool drs showrepl
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
gensec_update_send: gssapi_krb5[0x5570e9fc51b0]: subreq: 0x5570e9fd0250
gensec_update_send: spnego[0x5570e9fc4680]: subreq: 0x5570e9fc4c30
gensec_update_done: gssapi_krb5[0x5570e9fc51b0]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x5570e9fd0250/../../source4/auth/gensec/gensec_gssapi.c:1057]:
state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state
(0x5570e9fd0400)] timer[(nil)]
finish[../../source4/auth/gensec/gensec_gssapi.c:1067]
gensec_update_done: spnego[0x5570e9fc4680]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x5570e9fc4c30/../../auth/gensec/spnego.c:1631]: state[2]
error[0 (0x0)]  state[struct gensec_spnego_update_state (0x5570e9fc4de0)]
timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
gensec_update_send: gssapi_krb5[0x5570e9fc51b0]: subreq: 0x5570e9fd3390
gensec_update_send: spnego[0x5570e9fc4680]: subreq: 0x5570e9fc4c30
gensec_update_done: gssapi_krb5[0x5570e9fc51b0]: NT_STATUS_OK
tevent_req[0x5570e9fd3390/../../source4/auth/gensec/gensec_gssapi.c:1057]:
state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state
(0x5570e9fd3540)] timer[(nil)]
finish[../../source4/auth/gensec/gensec_gssapi.c:1074]
gensec_update_done: spnego[0x5570e9fc4680]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x5570e9fc4c30/../../auth/gensec/spnego.c:1631]: state[2]
error[0 (0x0)]  state[struct gensec_spnego_update_state (0x5570e9fc4de0)]
timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
gensec_update_send: spnego[0x5570e9fc4680]: subreq: 0x5570e9fd37c0
gensec_update_done: spnego[0x5570e9fc4680]: NT_STATUS_OK
tevent_req[0x5570e9fd37c0/../../auth/gensec/spnego.c:1631]: state[2]
error[0 (0x0)]  state[struct gensec_spnego_update_state (0x5570e9fd3970)]
timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
Sealed 128 bytes, and got 76 bytes header/signature.
Unsealed 64 bytes, with 76 bytes header/signature.
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for SAMBA4DC2$@EMPRESA.COM.BR will expire in 36000 secs
gensec_update_send: gssapi_krb5[0x5570ea002050]: subreq: 0x5570ea002b50
gensec_update_send: spnego[0x5570ea0009b0]: subreq: 0x5570ea001c50
gensec_update_done: gssapi_krb5[0x5570ea002050]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x5570ea002b50/../../source4/auth/gensec/gensec_gssapi.c:1057]:
state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state
(0x5570ea002d00)] timer[(nil)]
finish[../../source4/auth/gensec/gensec_gssapi.c:1067]
gensec_update_done: spnego[0x5570ea0009b0]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x5570ea001c50/../../auth/gensec/spnego.c:1631]: state[2]
error[0 (0x0)]  state[struct gensec_spnego_update_state (0x5570ea001e00)]
timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
gensec_update_send: gssapi_krb5[0x5570ea002050]: subreq: 0x5570ea006b10
gensec_update_send: spnego[0x5570ea0009b0]: subreq: 0x5570ea001730
gensec_update_done: gssapi_krb5[0x5570ea002050]: NT_STATUS_OK
tevent_req[0x5570ea006b10/../../source4/auth/gensec/gensec_gssapi.c:1057]:
state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state
(0x5570ea006cc0)] timer[(nil)]
finish[../../source4/auth/gensec/gensec_gssapi.c:1074]
gensec_update_done: spnego[0x5570ea0009b0]: NT_STATUS_OK
tevent_req[0x5570ea001730/../../auth/gensec/spnego.c:1631]: state[2]
error[0 (0x0)]  state[struct gensec_spnego_update_state (0x5570ea0018e0)]
timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
Sealed 64 bytes, and got 76 bytes header/signature.
Unsealed 3216 bytes, with 76 bytes header/signature.
Sealed 64 bytes, and got 76 bytes header/signature.
Unsealed 3216 bytes, with 76 bytes header/signature.
Default-First-Site-Name\SAMBA4DC2
DSA Options: 0x00000001
DSA object GUID: 45b5b534-9bcc-483c-8f6d-5bbc37dc35e9
DSA invocationId: f621cfd8-7f92-48be-84d9-daa14ef20c05

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=empresa,DC=com,DC=br
        Default-First-Site-Name\SAMBA4DC1 via RPC
                DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
                Last attempt @ Fri Jun 12 16:13:37 2020 -03 was successful
                0 consecutive failure(s).
                Last success @ Fri Jun 12 16:13:37 2020 -03

CN=Configuration,DC=empresa,DC=com,DC=br
        Default-First-Site-Name\SAMBA4DC1 via RPC
                DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
                Last attempt @ Fri Jun 12 16:13:37 2020 -03 was successful
                0 consecutive failure(s).
                Last success @ Fri Jun 12 16:13:37 2020 -03

DC=DomainDnsZones,DC=empresa,DC=com,DC=br
        Default-First-Site-Name\SAMBA4DC1 via RPC
                DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
                Last attempt @ Fri Jun 12 16:13:37 2020 -03 was successful
                0 consecutive failure(s).
                Last success @ Fri Jun 12 16:13:37 2020 -03

CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
        Default-First-Site-Name\SAMBA4DC1 via RPC
                DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
                Last attempt @ Fri Jun 12 16:13:37 2020 -03 was successful
                0 consecutive failure(s).
                Last success @ Fri Jun 12 16:13:37 2020 -03

DC=empresa,DC=com,DC=br
        Default-First-Site-Name\SAMBA4DC1 via RPC
                DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
                Last attempt @ Fri Jun 12 16:13:37 2020 -03 was successful
                0 consecutive failure(s).
                Last success @ Fri Jun 12 16:13:37 2020 -03

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=empresa,DC=com,DC=br
        Default-First-Site-Name\SAMBA4DC1 via RPC
                DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=empresa,DC=com,DC=br
        Default-First-Site-Name\SAMBA4DC1 via RPC
                DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=empresa,DC=com,DC=br
        Default-First-Site-Name\SAMBA4DC1 via RPC
                DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
        Default-First-Site-Name\SAMBA4DC1 via RPC
                DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=empresa,DC=com,DC=br
        Default-First-Site-Name\SAMBA4DC1 via RPC
                DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 3135cf0d-0109-4a40-be6f-44e1eca5b5d2
        Enabled        : TRUE
        Server DNS name : samba4dc1.empresa.com.br
        Server DN name  : CN=NTDS Settings,CN=SAMBA4DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

Regards,

Márcio Bacci

On Tue, 9 Jun 2020 at 10:07, Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 09/06/2020 12:59, Marcio Demetrio Bacci wrote:
> > Hi Rowland
> >
> > >Hi Marcio, we would need more info, where are you migrating the
> > home folders from ? and where to ?
> > I copied Windows Server 2008 folders and permissions with ROBOCOPY to
> > my Samba 4 server.
> >
> > The folders must be mounted on a drive letter, ex: "H" in the windows
> > clients workstations.
> So, you are referring to Windows home Directories, now stored on a Samba
> server. Next question, what sort of Samba server, a DC, Unix domain
> member or what ?
> >
> > >You may be able to use something like rsync, but there might be a
> > better way, it depends where the home folders are now.
> > What would be the best way?
> As they are now on the Samba server, you now need to get your windows
> clients to use them. You will need the correct directory structure on
> the Samba server (with the correct permissions) and probably a GPO to
> point your users to them, the latter is more in Louis's knowledge than
> mine.
> >
> > Another problem is that I was comparing the permissions that were in
> > Windows and replicating in Samba 4. As the folders were created
> > manually there was no "CREATE OWNER" permission and this way I removed
> > it. Now, I don't find the "CREATE OWNER" permissions just find "GROUP
> > OWNER", to assign the root folder.
> How are you looking at the permissions on the Samba server ?
>
> The problem is (and I keep pointing this out), there are three places
> that the permissions are stored:
>
> The normal Unix 'ugo' permissions that 'ls' shows e.g. '755' or 'rwxr-xr-x'
>
> The permissions that 'getfacl' shows
>
> An extended attribute stored in Security.NTACL e.g.
>
> getfattr -n security.NTACL /var/lib/samba/sysvol
> getfattr: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol
>
> security.NTACL=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
>
> Big problem though, it is incomprehensible, so try this instead:
>
> samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
>
> O:BAG:SYD:PAI(A;OICIIO;WOWDGRGWGX;;;CO)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;0x001f03ff;;;SY)(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001e01bf;;;BA)(A;OICIIO;GRGX;;;SO)(A;;0x001200a9;;;SO)
>
> Now, provided you have the key, you can easily decipher it, for
> instance, (A;OICIIO;WOWDGRGWGX;;;CO) is:
>
> (ACCESS_ALLOWED_ACE_TYPE;OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE
> INHERIT_ONLY_ACE;WRITE_OWNER WRITE_DAC GENERIC_READ GENERIC_WRITE
> GENERIC_EXECUTE;;;SECURITY_CREATOR_OWNER_RID)
>
> See here:
> https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
>
> and here:
>
> https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings?redirectedfrom=MSDN
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
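For the two SDDL strings printed in this thread (the home-share root from Marcio's `samba-tool ntacl get ... --as-sddl` and the sysvol descriptor in Rowland's reply), here is an added decoder that turns every ACE into the names Rowland expanded by hand. It is written for this thread and is not part of Samba or of either poster's output. The two-letter rights codes, ACE flags and SID aliases follow the Microsoft "ACE strings" and "SID strings" pages linked above; the generic-rights and file-specific mask bit values are the standard Windows constants; the friendly names in `SID_ALIASES` are assumed display names, and the two sample strings are copied from the thread.

```python
"""Decode SDDL descriptors like those printed by `samba-tool ntacl get --as-sddl`.

Added example for the mailing-list thread; not Samba code. Tables follow the
Microsoft ACE-strings / SID-strings documents; bit values are Windows constants.
"""
import re

# The two descriptors quoted in the thread (sysvol from Rowland, share root from Marcio).
SYSVOL_SDDL = ("O:BAG:SYD:PAI(A;OICIIO;WOWDGRGWGX;;;CO)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;AU)"
               "(A;OICIIO;GA;;;SY)(A;;0x001f03ff;;;SY)(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001e01bf;;;BA)"
               "(A;OICIIO;GRGX;;;SO)(A;;0x001200a9;;;SO)")
HOME_SDDL = ("O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;S-1-22-2-0)(A;;0x001200a9;;;WD)"
             "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)")

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "ACCESS_ALLOWED_OBJECT",
             "OD": "ACCESS_DENIED_OBJECT", "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM",
             "ML": "SYSTEM_MANDATORY_LABEL"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
DACL_FLAGS = {"AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}
# Two-letter rights codes -> access-mask value.
RIGHT_CODES = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
               "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
               "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
# Access-mask bits with their file/directory meaning, low to high.
MASK_BITS = [(0x1, "FILE_READ_DATA/LIST_DIRECTORY"), (0x2, "FILE_WRITE_DATA/ADD_FILE"),
             (0x4, "FILE_APPEND_DATA/ADD_SUBDIRECTORY"), (0x8, "FILE_READ_EA"),
             (0x10, "FILE_WRITE_EA"), (0x20, "FILE_EXECUTE/TRAVERSE"), (0x40, "FILE_DELETE_CHILD"),
             (0x80, "FILE_READ_ATTRIBUTES"), (0x100, "FILE_WRITE_ATTRIBUTES"), (0x10000, "DELETE"),
             (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
             (0x100000, "SYNCHRONIZE"), (0x1000000, "ACCESS_SYSTEM_SECURITY"),
             (0x10000000, "GENERIC_ALL"), (0x20000000, "GENERIC_EXECUTE"),
             (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ")]
# Assumed display names for the SID aliases that occur above.
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "AU": "Authenticated Users", "SY": "NT AUTHORITY\\SYSTEM",
               "WD": "Everyone", "CO": "CREATOR OWNER", "CG": "CREATOR GROUP",
               "SO": "Server Operators", "LA": "Local Administrator"}

SDDL_RE = re.compile(r"^O:(?P<owner>.*?)G:(?P<group>.*?)D:(?P<dflags>[^(]*)"
                     r"(?P<aces>(?:\([^)]*\))*)(?:S:.*)?$")


def expand_mask(mask):
    """Name every set bit of an access mask; unknown bits are reported, not dropped."""
    names = [name for bit, name in MASK_BITS if mask & bit]
    known = sum(bit for bit, _ in MASK_BITS)
    leftover = mask & ~known & 0xFFFFFFFF
    if leftover:
        names.append("UNKNOWN_0x%08X" % leftover)
    return names


def parse_rights(field):
    """Rights field is either a hex mask or a run of two-letter codes (e.g. WOWDGRGWGX)."""
    if field.startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in RIGHT_CODES:
            raise ValueError("unknown rights code %r" % code)
        mask |= RIGHT_CODES[code]
    return mask


def sid_name(sid):
    return sid if sid.startswith("S-") else SID_ALIASES.get(sid, sid)


def parse_ace(ace):
    """Split 'type;flags;rights;object_guid;inherit_guid;sid' into named parts."""
    atype, flags, rights, _obj, _iobj, sid = ace.split(";")
    mask = parse_rights(rights)
    return {"type": ACE_TYPES.get(atype, atype),
            "flags": [ACE_FLAGS.get(flags[i:i + 2], flags[i:i + 2]) for i in range(0, len(flags), 2)],
            "mask": mask, "rights": expand_mask(mask), "trustee": sid_name(sid)}


def parse_sddl(sddl):
    """Decode owner, group, DACL control flags and every ACE of an SDDL string."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an O:..G:..D:.. SDDL string")
    dflags, names = m.group("dflags"), []
    if dflags.startswith("P"):          # 'P' = protected: inheritance from the parent is blocked
        names.append("PROTECTED")
        dflags = dflags[1:]
    names += [DACL_FLAGS.get(dflags[i:i + 2], dflags[i:i + 2]) for i in range(0, len(dflags), 2)]
    aces = re.findall(r"\(([^)]*)\)", m.group("aces"))
    return {"owner": sid_name(m.group("owner")), "group": sid_name(m.group("group")),
            "dacl_flags": names, "aces": [parse_ace(a) for a in aces]}


def format_ace(ace):
    """Render an ACE the way Rowland expanded one by hand."""
    return "(%s;%s;%s;;;%s)" % (ace["type"], " ".join(ace["flags"]), " ".join(ace["rights"]), ace["trustee"])


if __name__ == "__main__":
    for label, sddl in (("sysvol", SYSVOL_SDDL), ("home share root", HOME_SDDL)):
        sd = parse_sddl(sddl)
        print("%s: owner=%s group=%s dacl=%s" % (label, sd["owner"], sd["group"], sd["dacl_flags"]))
        for ace in sd["aces"]:
            print("  " + format_ace(ace))
```

When reading the decoded output, the bit to look for in the rename problem reported above is `DELETE` (0x10000): on Windows, renaming a file or folder requires DELETE access on the object itself, which is the "Delete" entry in the Windows ACL editor, so an ACE that grants read and write but not DELETE is decoded here without that name. The `UNKNOWN_0x00000200` entry that the sysvol SYSTEM ACE (0x001f03ff) produces is a bit with no file-object meaning; the decoder reports it rather than silently dropping it, so an unexpected mask is visible instead of hidden.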