[Samba] include in smb.conf

Rowland penny rpenny at samba.org
Sat Jun 13 09:01:01 UTC 2020


On 12/06/2020 20:32, Marcio Demetrio Bacci wrote:
> Hi Rowland
>
> I have 2 DC Samba 4 (migrated from Windows 2008 Server) and the users' 
> Home folders are stored on the new Samba 4 file server.

But where are they stored, what is the path?

> I am using GPO and the existing folders are mapping correctly. New 
> folders are not being created during the first login.

If the GPO is doing what is shown here:

https://wiki.samba.org/index.php/User_Home_Folders#In_an_Active_Directory

Then they should be. If all else fails, you could create a 'root preexec' script.

> >An extended attribute stored in Security.NTACL e.g.
> Here is my output command:
> samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;S-1-22-2-0)(A;;0x001200a9;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)
>
>
> Sorry, I accessed the links, read the content and found it very 
> complicated. I confess that I understood practically nothing.

Yes it is a bit daunting, so let's take your example and pull it apart ;-)

The first part 'O:LAG:S-1-22-2-0D:' can be broken down in this way:

O:LA            Owner, in this case, 'LA' is "Local administrator"
G:S-1-22-2-0    Group, in this case, 'S-1-22-2-0', which is a bit strange, because this would appear to be a local Unix group
D:              dacl_flags

The rest are ACEs; each ACE is inside brackets '()'.

First ACE:
A = allow
0x001f01ff = Full control, can also be written as 'FA'
LA = Local administrator

Second ACE:
A = allow
0x001200a9 = (Read and Execute) - (Inherited)
S-1-22-2-0 = ??? a local Unix group

Third ACE:
A = allow
0x001200a9 = (Read and Execute) - (Inherited)
WD = Everyone

Fourth ACE:
A = allow
OICIIO = OI CI IO = OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE INHERIT_ONLY_ACE
0x001f01ff = Full control, can also be written as 'FA'
CO = Creator owner

Fifth ACE:
A = allow
OICIIO = OI CI IO = OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE INHERIT_ONLY_ACE
0x001200a9 = (Read and Execute) - (Inherited)
CG = Creator group

Sixth ACE:
A = allow
OICIIO = OI CI IO = OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE INHERIT_ONLY_ACE
0x001200a9 = (Read and Execute) - (Inherited)
WD = Everyone

Oh and it is wrong ;-)

> I also noticed that when I rename a user on my DC Samba 4, this change 
> takes some time to be viewed on the file server.
> I enabled the debug and checked the synchronization between the DC I 
> have this result:

I cannot actually see anything wrong there.

Rowland
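
The breakdown in the message above, written out as an added Python example (not part of the original post and not Samba's own code): it splits the quoted SDDL string into owner, group, DACL flags and ACEs, and lists trustees in Samba's S-1-22-* range, the kind of SID the reply calls strange. The lookup tables cover only the codes that appear in the thread; the function names and the 'D' (deny) ACE type are assumptions of this example.

```python
import re

# SDDL string copied from the samba-tool output quoted in the thread.
SDDL = ("O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;S-1-22-2-0)"
        "(A;;0x001200a9;;;WD)(A;OICIIO;0x001f01ff;;;CO)"
        "(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)")

# Lookup tables hold only the codes that appear in the thread.
TRUSTEES = {"LA": "Local administrator", "WD": "Everyone",
            "CO": "Creator owner", "CG": "Creator group"}
FLAGS = {"OI": "OBJECT_INHERIT_ACE", "CI": "CONTAINER_INHERIT_ACE",
         "IO": "INHERIT_ONLY_ACE"}
RIGHTS = {0x001f01ff: "Full control", 0x001200a9: "Read and Execute"}
DESCRIPTOR = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl_flags>[A-Z]*)"
                        r"(?P<aces>(?:\([^()]*\))+)")

def parse_ace(body):
    """Split one ACE: type;flags;rights;object_guid;inherit_object_guid;trustee."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE must have 6 fields: ({body})")
    ace_type, flags, rights, _guid, _inherit_guid, trustee = fields
    # 'FA' is the alias for full control mentioned in the reply; else a hex mask.
    mask = 0x001f01ff if rights == "FA" else int(rights, 16)
    return {"type": {"A": "allow", "D": "deny"}.get(ace_type, ace_type),
            "flags": [FLAGS.get(f, f) for f in re.findall("..", flags)],
            "rights": RIGHTS.get(mask, hex(mask)),
            "trustee": TRUSTEES.get(trustee, trustee)}

def parse_sddl(sddl):
    """Return owner, group, DACL flags and decoded ACEs of an O:G:D: descriptor."""
    m = DESCRIPTOR.fullmatch(sddl.strip())
    if m is None:
        raise ValueError("expected O:<owner>G:<group>D:<flags>(ACE)...")
    return {"owner": TRUSTEES.get(m["owner"], m["owner"]),
            "group": TRUSTEES.get(m["group"], m["group"]),
            "dacl_flags": m["dacl_flags"],
            "aces": [parse_ace(b) for b in re.findall(r"\(([^()]*)\)", m["aces"])]}

def unix_mapped(desc):
    """Trustees in Samba's S-1-22-* range: local Unix users/groups, not AD accounts."""
    names = [desc["owner"], desc["group"]] + [a["trustee"] for a in desc["aces"]]
    return sorted({n for n in names if n.startswith("S-1-22-")})

if __name__ == "__main__":
    desc = parse_sddl(SDDL)
    print("owner:", desc["owner"], "| group:", desc["group"])
    for i, ace in enumerate(desc["aces"], 1):
        print(i, ace["type"], ace["rights"], "->", ace["trustee"], ace["flags"])
    print("Unix-mapped SIDs:", unix_mapped(desc))
```
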




