[Samba] include in smb.conf
Rowland penny
rpenny at samba.org
Sat Jun 13 09:01:01 UTC 2020
On 12/06/2020 20:32, Marcio Demetrio Bacci wrote:
> Hi Rowland
>
> I have 2 DC Samba 4 (migrated from Windows 2008 Server) and the users'
> Home folders are stored on the new Samba 4 file server.

But where are they stored, what is the path?

> I am using GPO and the existing folders are mapping correctly. New
> folders are not being created during the first login.

If the GPO is doing what is shown here:

https://wiki.samba.org/index.php/User_Home_Folders#In_an_Active_Directory

Then they should be. If all else fails, you could create a 'root preexec' script.

> >An extended attribute stored in Security.NTACL e.g.
> Here is my output command:
> samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;S-1-22-2-0)(A;;0x001200a9;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)
>
>
> Sorry, I accessed the links, read the content and found it very
> complicated. I confess that I understood practically nothing.

Yes it is a bit daunting, so let's take your example and pull it apart ;-)

The first part 'O:LAG:S-1-22-2-0D:' can be broken down in this way:

O:LA          Owner, in this case, 'LA' is "Local administrator"
G:S-1-22-2-0  Group, in this case, 'S-1-22-2-0', which is a bit strange, because this would appear to be a local Unix group
D:            dacl_flags

The rest are ACEs, each ACE is inside brackets '()'

First ACE:
    A = allow
    0x001f01ff = Full control, can also be written as 'FA'
    LA = Local administrator

Second ACE:
    A = allow
    0x001200a9 = (Read and Execute) - (Inherited)
    S-1-22-2-0 = ??? a local Unix group

Third ACE:
    A = allow
    0x001200a9 = (Read and Execute) - (Inherited)
    WD = Everyone

Fourth ACE:
    A = allow
    OICIIO = OI CI IO = OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE INHERIT_ONLY_ACE
    0x001f01ff = Full control, can also be written as 'FA'
    CO = Creator owner

Fifth ACE:
    A = allow
    OICIIO = OI CI IO = OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE INHERIT_ONLY_ACE
    0x001200a9 = (Read and Execute) - (Inherited)
    CG = Creator group

Sixth ACE:
    A = allow
    OICIIO = OI CI IO = OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE INHERIT_ONLY_ACE
    0x001200a9 = (Read and Execute) - (Inherited)
    WD = Everyone

Oh and it is wrong ;-)

> I also noticed that when I rename a user on my DC Samba 4, this change
> takes some time to be viewed on the file server.
> I enabled the debug and checked the synchronization between the DC I
> have this result:

I cannot actually see anything wrong there.

Rowland
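
Added example, not part of the original message and not Samba's own code: a small Python parser that splits an SDDL string into owner, group, DACL flags and ACEs in the same way as the breakdown in the message, run on the string from the quoted `samba-tool ntacl get` output. The function names and lookup tables are assumptions for illustration and cover only the aliases, flags and masks that appear in this thread.

```python
import re

# Lookup tables limited to the aliases, flags and masks discussed in this thread;
# anything else is passed through unchanged. Only O:, G: and D: are parsed (no SACL).
SID_ALIASES = {"LA": "Local administrator", "WD": "Everyone",
               "CO": "Creator owner", "CG": "Creator group"}
ACE_TYPES = {"A": "allow", "D": "deny"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT_ACE", "CI": "CONTAINER_INHERIT_ACE", "IO": "INHERIT_ONLY_ACE"}
RIGHTS = {0x001F01FF: "Full control", 0x001200A9: "Read and Execute"}

HEADER = re.compile(r"^O:(?P<owner>S-[\d-]+|[A-Z]{2})"
                    r"G:(?P<group>S-[\d-]+|[A-Z]{2})"
                    r"D:(?P<dacl_flags>[A-Z]*)(?P<aces>(?:\(.*\))?)$")

def parse_ace(body):
    """Split one ACE: type;flags;rights;object_guid;inherit_object_guid;trustee."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: ({body})")
    ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
    flag_codes = re.findall("..", flags)  # flags are two-letter codes
    mask = int(rights, 16) if rights.lower().startswith("0x") else None
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": [ACE_FLAGS.get(f, f) for f in flag_codes],
        "rights": RIGHTS.get(mask, rights),
        "trustee": SID_ALIASES.get(trustee, trustee),
        # IO: the ACE is only inherited by children, not applied to this object
        "inherit_only": "IO" in flag_codes,
    }

def parse_sddl(sddl):
    m = HEADER.match(sddl.strip())
    if not m:
        raise ValueError("unsupported or malformed SDDL string")
    return {
        "owner": SID_ALIASES.get(m["owner"], m["owner"]),
        "group": SID_ALIASES.get(m["group"], m["group"]),
        "dacl_flags": m["dacl_flags"],
        "aces": [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", m["aces"])],
    }

# The string from the quoted samba-tool output, with the mail line wrap removed.
SAMPLE = ("O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;S-1-22-2-0)"
          "(A;;0x001200a9;;;WD)(A;OICIIO;0x001f01ff;;;CO)"
          "(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)")

if __name__ == "__main__":
    print(*parse_sddl(SAMPLE)["aces"], sep="\n")
```

The `inherit_only` field separates the three ACEs that apply to the directory itself from the three that only act as templates for newly created children.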