[Samba] include in smb.conf

Marcio Demetrio Bacci marciobacci at gmail.com
Sat Jun 13 13:59:40 UTC 2020


Hi Rowland

>> I have 2 DC Samba 4 (migrated from Windows 2008 Server) and the users'
>> Home folders are stored on the new Samba 4 file server.
> But where are they stored, what is the path ?
/STORAGE/Usuarios$

Here is my smb.conf:
cat /etc/samba/smb.conf
[global]
    netbios name = FILESERVER1
    workgroup = EMPRESA
    security = ADS
    realm = EMPRESA.COM.BR
    username map = /etc/samba/user.map

    log file = /var/log/samba/%m.log
    log level = 3 passdb:5 auth:5

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config EMPRESA:backend = ad
    idmap config EMPRESA:schema_mode = rfc2307
    idmap config EMPRESA:range = 10000-999999
    idmap config EMPRESA:unix_nss_info = yes
    idmap config EMPRESA:unix_primary_group = yes

    winbind refresh tickets = Yes
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    template shell = /bin/bash
    template homedir = /home/%U

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    #DISABLE PRINTERS
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[Usuarios$]
path = /STORAGE/Usuarios
read only = no
###############################

getfacl /STORAGE/Usuarios/
getfacl: Removing leading '/' from absolute path names
# file: STORAGE/Usuarios/
# owner: root
# group: unix_admins
user::rwx
user:root:rwx
group::rwx
group:NT\040Authority\\system:rwx
group:usuariosdominio:r-x
group:unix_admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:unix_admins:rwx
default:mask::rwx
default:other::---


> I checked out another strange situation.
> I am applying the same permissions that existed in Windows Server 2008,
> however the behavior in Samba4 is different.
> For example: I apply a read, write and modify permission, but the user can
> only create directories and rename files if I assign permission to exclude
> files in folders, subfolders and files.
Is this normal?

>Sixth ACE:
>A = allow
>OICIIO = OI CI IO = OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE
>INHERIT_ONLY_ACE
>0x001200a9 = (Read and Execute) - (Inherited)
>WD = Everyone

>Oh and it is wrong ;-)
How could I fix this problem?

Regards,

Márcio Bacci



On Sat, Jun 13, 2020 at 06:01, Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 12/06/2020 20:32, Marcio Demetrio Bacci wrote:
> > Hi Rowland
> >
> > I have 2 DC Samba 4 (migrated from Windows 2008 Server) and the users'
> > Home folders are stored on the new Samba 4 file server.
> But where are they stored, what is the path ?
> > I am using GPO and the existing folders are mapping correctly. New
> > folders are not being created during the first login.
>
> If the GPO is doing what is shown here:
>
> https://wiki.samba.org/index.php/User_Home_Folders#In_an_Active_Directory
>
> Then they should be, if all else fails, you could create a 'root
> preexec' script.
>
> > >An extended attribute stored in Security.NTACL e.g.
> > Here is my output command:
> > samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> >
> > O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;S-1-22-2-0)(A;;0x001200a9;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)
> >
> >
> > Sorry, I accessed the links, read the content and found it very
> > complicated. I confess that I understood practically nothing.
> Yes it is a bit daunting, so lets take your example and pull it apart ;-)
> The first part 'O:LAG:S-1-22-2-0D:' can be broken down in this way:
> O:LA            Owner, in this case, 'LA' is "Local administrator"
> G:S-1-22-2-0    Group, in this case, 'S-1-22-2-0', which is a bit
> strange, because this would appear to be a local Unix group
> D:              dacl_flags
> The rest are ACES, each ACE is inside brackets '()'
> First ACE:
> A = allow
> 0x001f01ff = Full control, can also be written as 'FA'
> LA = Local administrator
>
> Second ACE:
> A = allow
> 0x001200a9 = (Read and Execute) - (Inherited)
> S-1-22-2-0 = ??? a local Unix group
>
> Third ACE:
> A = allow
> 0x001200a9 = (Read and Execute) - (Inherited)
> WD = Everyone
>
> Fourth ACE:
> A = allow
> OICIIO = OI CI IO = OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE
> INHERIT_ONLY_ACE
> 0x001f01ff = Full control, can also be written as 'FA'
> CO = Creator owner
>
> Fifth ACE:
> A = allow
> OICIIO = OI CI IO = OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE
> INHERIT_ONLY_ACE
> 0x001200a9 = (Read and Execute) - (Inherited)
> CG = Creator group
>
> Sixth ACE:
> A = allow
> OICIIO = OI CI IO = OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE
> INHERIT_ONLY_ACE
> 0x001200a9 = (Read and Execute) - (Inherited)
> WD = Everyone
>
> Oh and it is wrong ;-)
>
> > I also noticed that when I rename a user on my DC Samba 4, this change
> > takes some time to be viewed on the file server.
> > I enabled the debug and checked the synchronization between the DC I
> > have this result:
>
> I cannot actually see anything wrong there.
>
> Rowland
>
>
>
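The SDDL walk-through in Rowland's reply above, turned into a small parser. This is an added example, not Samba's code and not something from the list; it decodes the `O:`/`G:`/`D:` sections, splits each `(...)` ACE into its six `;`-separated fields, and expands the aliases, flags and access masks that occur in the thread. The alias and mask tables are deliberately partial (only the SDDL tokens seen here plus a few standard ones), the `S-1-22-1-N` / `S-1-22-2-N` mapping to Unix uid/gid N is Samba's Unix SID namespace (the "local Unix group" in the reply), and `inheritable_grants_to` is an assumed helper name for the audit step: it lists what new files and directories under the path will inherit for a given trustee, which is the part of an ACL worth checking on a share such as sysvol.

```python
"""Decode the SDDL string printed by `samba-tool ntacl get --as-sddl`.

Added example; only knows the SDDL tokens that appear in the thread plus a
few standard ones, and returns structured data so the ACL can be audited.
"""
import re

# Constructed: the SDDL output quoted in the thread, re-joined onto one line.
SYSVOL_SDDL = (
    "O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;S-1-22-2-0)"
    "(A;;0x001200a9;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
    "(A;OICIIO;0x001200a9;;;WD)"
)

# Two-letter SID aliases from the SDDL spec (partial table).
SID_ALIASES = {
    "LA": "Local administrator",
    "WD": "Everyone",
    "CO": "Creator owner",
    "CG": "Creator group",
    "BA": "Builtin administrators",
    "SY": "Local system",
}
ACE_TYPES = {"A": "allow", "D": "deny"}
# ACE flags are written as a run of two-letter tokens, e.g. "OICIIO".
ACE_FLAGS = {
    "OI": "OBJECT_INHERIT_ACE",
    "CI": "CONTAINER_INHERIT_ACE",
    "IO": "INHERIT_ONLY_ACE",
    "NP": "NO_PROPAGATE_INHERIT_ACE",
    "ID": "INHERITED_ACE",
}
# SDDL short forms for file access masks; the thread shows them as hex.
SDDL_MASK_SHORT = {"FA": 0x001F01FF, "FR": 0x00120089,
                   "FW": 0x00120116, "FX": 0x001200A0}
MASK_NAMES = {0x001F01FF: "FA (full control)",
              0x001200A9: "read and execute",
              0x00120089: "FR (generic read)"}

_SECTION_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")
_UNIX_SID_RE = re.compile(r"^S-1-22-([12])-(\d+)$")


def resolve_trustee(token):
    """Readable name for a trustee token; S-1-22-1-N / S-1-22-2-N are
    Samba's SIDs for Unix uid / gid N. Unknown SIDs are returned as-is."""
    if token in SID_ALIASES:
        return SID_ALIASES[token]
    m = _UNIX_SID_RE.match(token)
    if m:
        return "Unix %s %s" % ("uid" if m.group(1) == "1" else "gid", m.group(2))
    return token


def decode_flags(flag_str):
    if len(flag_str) % 2:
        raise ValueError("odd-length ACE flag string: %r" % flag_str)
    return [ACE_FLAGS[flag_str[i:i + 2]] for i in range(0, len(flag_str), 2)]


def decode_mask(mask_str):
    if mask_str in SDDL_MASK_SHORT:
        return SDDL_MASK_SHORT[mask_str]
    if mask_str.lower().startswith("0x"):
        return int(mask_str, 16)
    raise ValueError("unknown access mask: %r" % mask_str)


def parse_ace(ace_str):
    """One ACE: type;flags;mask;object_guid;inherit_object_guid;trustee."""
    fields = ace_str.split(";")
    if len(fields) != 6:
        raise ValueError("ACE must have 6 ';'-separated fields: %r" % ace_str)
    ace_type, flags, mask, _obj_guid, _inh_guid, trustee = fields
    mask_value = decode_mask(mask)
    return {"type": ACE_TYPES[ace_type], "flags": decode_flags(flags),
            "mask": mask_value, "mask_name": MASK_NAMES.get(mask_value, hex(mask_value)),
            "trustee": trustee, "trustee_name": resolve_trustee(trustee)}


def parse_sddl(sddl):
    result = {"owner": None, "group": None, "dacl_flags": "", "aces": []}
    for tag, value in _SECTION_RE.findall(sddl):
        if tag == "O":
            result["owner"] = resolve_trustee(value)
        elif tag == "G":
            result["group"] = resolve_trustee(value)
        elif tag == "D":
            # DACL flags (e.g. "P", "AI") precede the first "(" ACE
            result["dacl_flags"] = value.split("(", 1)[0]
            result["aces"] = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", value)]
        # an "S:" (SACL) section is ignored; samba-tool printed none here
    return result


def inheritable_grants_to(parsed, trustee):
    """Assumed audit helper: allow masks that new children will inherit for
    `trustee`. Only ACEs carrying OBJECT_INHERIT or CONTAINER_INHERIT propagate."""
    inherit = {"OBJECT_INHERIT_ACE", "CONTAINER_INHERIT_ACE"}
    return [a["mask_name"] for a in parsed["aces"]
            if a["trustee"] == trustee and a["type"] == "allow"
            and inherit & set(a["flags"])]


if __name__ == "__main__":
    parsed = parse_sddl(SYSVOL_SDDL)
    print("owner:", parsed["owner"], "| group:", parsed["group"])
    for i, ace in enumerate(parsed["aces"], 1):
        print("ACE %d: %s [%s] %s to %s (%s)" % (
            i, ace["type"], " ".join(ace["flags"]) or "-",
            ace["mask_name"], ace["trustee_name"], ace["trustee"]))
    print("Everyone will inherit:", inheritable_grants_to(parsed, "WD"))
```

Run it on the thread's string and it prints the six ACEs in the same order Rowland lists them; the last line shows that only the sixth ACE (the inheritable one) is what newly created files and directories will carry for Everyone. Note that "inherited" is not encoded in the access mask: whether an ACE was inherited, or will be inherited, is carried by the flags field, which is empty on the second and third ACEs.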

