[Samba] Acls

Philip Offermans mail at philipoffermans.nl
Sat Sep 5 16:21:38 UTC 2020


The output is:
getent group 'domain admins’ 

Copying without understanding what it does is not smart, I know. But sometimes you will understand it later. And atm I am using a test setup.

Here is all the info you need:

Main AD:
Collected config  --- 2020-09-05-18:16 -----------

Hostname: gaia
DNS Domain: rompen.local
FQDN: gaia.rompen.local
ipaddress: 192.168.88.2 

-----------

Kerberos SRV _kerberos._tcp.rompen.local record verified ok, sample output: 
Server:		192.168.88.2
Address:	192.168.88.2#53

_kerberos._tcp.rompen.local	service = 0 100 88 gaia.rompen.local.
Samba is running as an AD DC

-----------
       Checking file: /etc/os-release

PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

-----------


This computer is running Debian 10.4 armv7l

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:7f:ad:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.2/24 brd 192.168.88.255 scope global dynamic noprefixroute eth0
       valid_lft 568sec preferred_lft 493sec
    inet6 fe80::bbbd:eb9b:bce9:b088/64 scope link 
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether b8:27:eb:2a:f8:cd brd ff:ff:ff:ff:ff:ff

-----------
       Checking file: /etc/hosts

127.0.0.1	localhost
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

127.0.1.1	gaia.rompen.local	gaia

-----------

       Checking file: /etc/resolv.conf

# Generated by resolvconf
search rompen.local
nameserver 192.168.88.2

-----------

       Checking file: /etc/krb5.conf

[libdefaults]
	default_realm = ROMPEN.LOCAL
	dns_lookup_realm = false
	dns_lookup_kdc = true

-----------

       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files
group:          files
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

       Checking file: /etc/samba/smb.conf

# Global parameters
[global]
	dns forwarder = 8.8.8.8
	netbios name = GAIA
	realm = ROMPEN.LOCAL
	server role = active directory domain controller
	workgroup = ROMPEN
	idmap_ldb:use rfc2307 = yes
        wins support = yes

[netlogon]
	path = /var/lib/samba/sysvol/rompen.local/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

-----------

BIND_DLZ not detected in smb.conf

-----------

Installed packages:
ii  attr                           1:2.4.48-4                          armhf        utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6                                 all          Configuration files for Kerberos Version 5
ii  krb5-locales                   1.17-3                              all          internationalization support for MIT Kerberos
ii  krb5-user                      1.17-3                              armhf        basic programs to authenticate using MIT Kerberos
ii  libacl1:armhf                  2.2.53-4                            armhf        access control list - shared library
ii  libattr1:armhf                 1:2.4.48-4                          armhf        extended attribute handling - shared library
ii  libgssapi-krb5-2:armhf         1.17-3                              armhf        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:armhf                1.17-3                              armhf        MIT Kerberos runtime libraries
ii  libkrb5support0:armhf          1.17-3                              armhf        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:armhf           2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Samba nameservice integration plugins
ii  libpam-winbind:armhf           2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Windows domain authentication integration plugin
ii  libsmbclient:armhf             2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        shared library for communication with SMB/CIFS servers
ii  libwbclient0:armhf             2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Samba winbind client library
ii  python-samba                   2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Python bindings for Samba
ii  samba                          2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.9.5+dfsg-5+deb10u1+rpi1         all          common files used by both the Samba server and client
ii  samba-common-bin               2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Samba common files used by both the server and the client
ii  samba-dsdb-modules:armhf       2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Samba Directory Services Database
ii  samba-libs:armhf               2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Samba core libraries
ii  samba-testsuite                2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        test suite from Samba
ii  samba-vfs-modules:armhf        2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Samba Virtual FileSystem plugins
ii  smbclient                      2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        command-line SMB/CIFS clients for Unix
ii  winbind                        2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        service to resolve user and group information from Windows NT servers


Member server:

Collected config  --- 2020-09-05-18:15 -----------

Hostname: dna
DNS Domain: rompen.local
FQDN: dna.rompen.local
ipaddress: 192.168.88.3 

-----------

Kerberos SRV _kerberos._tcp.rompen.local record verified ok, sample output: 
Server:		192.168.88.2
Address:	192.168.88.2#53

_kerberos._tcp.rompen.local	service = 0 100 88 gaia.rompen.local.
Samba is running as a Unix domain member

-----------
       Checking file: /etc/os-release

PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

-----------


This computer is running Debian 10.4 armv7l

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:97:db:d8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.3/24 brd 192.168.88.255 scope global dynamic noprefixroute eth0
       valid_lft 562sec preferred_lft 487sec
    inet6 fe80::e85c:b84c:8f64:eb20/64 scope link 
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether b8:27:eb:c2:8e:8d brd ff:ff:ff:ff:ff:ff

-----------
       Checking file: /etc/hosts

192.168.88.3	dna.rompen.local	dna
127.0.0.1	localhost
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

-----------

       Checking file: /etc/resolv.conf

# Generated by resolvconf
domain rompen.local
nameserver 192.168.88.2

-----------

       Checking file: /etc/krb5.conf

[libdefaults]
	default_realm = ROMPEN.LOCAL
	dns_lookup_realm = false
	dns_lookup_kdc = true

-----------

       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind
group:          files winbind
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

       Checking file: /etc/samba/smb.conf

[global]
  netbios name = DNA
  workgroup = ROMPEN
  security = ADS
  realm = ROMPEN.LOCAL
  encrypt passwords = yes
  
  acl allow execute always = yes

  idmap config *:backend = tdb
  idmap config *:range = 3000-7999
  idmap config ROMPEN:backend = rid
  #idmap config ROMPEN:schema_mode = rfc2307
  idmap config ROMPEN:range = 10000-40000

  winbind refresh tickets = Yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  winbind use default domain = yes

  winbind enum users = yes
  winbind enum groups = yes

  username map = /etc/samba/user.map
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes 

  username map = /etc/samba/user.map
  
  admin users = administrator
[share]
   path = /nas
   read only = no
   inherit acls = yes

[users]
   path = /usr/home
   comment = a comment         
   browseable = yes         
   read only = no         
   inherit acls = yes         
   inherit permissions = yes         
   create mask = 700         
   directory mask = 700         
   valid users = @"ROMPEN+Domain Users"   <-- define your ADS groups         
   admin users = @"ROMPEN+Domain Admins"  <-- define your ads groups with admin rights  

-----------

Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
       Checking file: /etc/idmapd.conf

[General]

Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

-----------


Installed packages:
ii  acl                            2.2.53-4                            armhf        access control list - utilities
ii  attr                           1:2.4.48-4                          armhf        utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6                                 all          Configuration files for Kerberos Version 5
ii  krb5-user                      1.17-3                              armhf        basic programs to authenticate using MIT Kerberos
ii  libacl1:armhf                  2.2.53-4                            armhf        access control list - shared library
ii  libattr1:armhf                 1:2.4.48-4                          armhf        extended attribute handling - shared library
ii  libgssapi-krb5-2:armhf         1.17-3                              armhf        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:armhf                1.17-3                              armhf        MIT Kerberos runtime libraries
ii  libkrb5support0:armhf          1.17-3                              armhf        MIT Kerberos runtime libraries - Support library
ii  libnfsidmap2:armhf             0.25-5.1                            armhf        NFS idmapping library
ii  libnss-winbind:armhf           2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Samba nameservice integration plugins
ii  libpam-winbind:armhf           2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Windows domain authentication integration plugin
ii  libwbclient0:armhf             2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Samba winbind client library
ii  nfs-common                     1:1.3.4-2.5+deb10u1                 armhf        NFS support files common to client and server
ii  python-samba                   2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Python bindings for Samba
ii  samba                          2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.9.5+dfsg-5+deb10u1+rpi1         all          common files used by both the Samba server and client
ii  samba-common-bin               2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Samba common files used by both the server and the client
ii  samba-dsdb-modules:armhf       2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Samba Directory Services Database
ii  samba-libs:armhf               2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Samba core libraries
ii  samba-vfs-modules:armhf        2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        Samba Virtual FileSystem plugins
ii  winbind                        2:4.9.5+dfsg-5+deb10u1+rpi1         armhf        service to resolve user and group information from Windows NT servers

-----------


Philip



> On 4 Sep 2020, at 19:23, Rowland penny via samba <samba at lists.samba.org> wrote:
> 
> getent group 'domain admins' 


