[Samba] Samba user profiles file ownership

Stefan Kania stefan at kania-online.de
Wed Sep 9 13:26:26 UTC 2020


We moved profiles with this tool

https://www.forensit.com/downloads.html

It worked perfectly

On 13.08.20 at 15:54, James B. Byrne via samba wrote:
> FreeBSD-12.1p7
> Samba-4.10.15
>
> The user profiles were transferred from the existing Samba AD-DC to a new
> domain running on Samba-4.10.  An ls on the original Samba (4.3.13) domain DC
> shows this:
>
> [root@SAMBA-01 ~]# ls -ld /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
> drwxrwx---+ 16 BROCKLEY-2016\lyneak_hll  BROCKLEY-2016\domain admins  512 Aug
> 12 17:07 /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
>
> [root@SAMBA-01 ~]# ls -ldn /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
> drwxrwx---+ 16 3000025  3000008  512 Aug 12 17:07
> /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
>
> On the new domain ls shows this:
>
> ls -ld /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
> drwxrwx---  16 3000025  3000008  25 Jul 24 17:24
> /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
>
> But on the new domain controller ls shows this:
>
> ls -ld /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
> drwxrwx---  16 3000025  3000008  25 Jul 24 17:24
> /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
>
> This is expected as the uid/gid mapping from one installation to another is not
> expected to match.   However, when I log on to the new domain from a Win10
> workstation this is created:
>
> d---------+ 18 3000027  3000008  27 Aug 12 15:29
> /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V6
>
> Which leads to a few questions:
>
> 1. What configuration is required on the new DC to show uid  3000027 as
> BROCKLEY\lyneak_hll or has this changed in later versions of Samba?
>
> 2. GID 3000008 appears to be BROCKLEY-2016\domain admins on both domains.  But
> does not display as such on the new domain.  What configuration setting is
> required to get the group to display using ls?
>
> 3. On the existing domain the gid on user profiles seems to be 20 (staff).  On
> the new domain profiles are created with the gid 3000008.  However, gid 20
> (staff) exists in /etc/group on both DCs.  Why the difference?  Is this due to
> a configuration setting?
>
> The smb.conf file on the new DC is:
>
> [root@smb4-2 ~ (master)]# cat /usr/local/etc/smb4.conf
> ## Global parameters
> [global]
>   netbios name = SMB4-2
>   disable netbios = yes
>   realm = BROCKLEY.HARTE-LYNE.CA
>   server role = active directory domain controller
>   ## use 'samba-tool testparm -v | grep services' to list active services
>   workgroup = BROCKLEY
>   idmap_ldb:use rfc2307 = yes
>   vfs objects = dfs_samba4 zfsacl
>
>   ## Temp fix for roaming profiles? oplock
> #  veto oplock files = /NTUSER.DAT/
> #  veto oplock files = /ntuser.ini/
>
>   socket options = TCP_NODELAY SO_KEEPALIVE
>
>   ## nbt causes a fatal startup error (or use disable netbios = yes)
> #  server services = -nbt
>
>   ## Eliminate ipv6 errors
>   bind interfaces only = Yes
>   interfaces = localhost smb4-2
>
>   ## DNS
>   dns forwarder = 216.185.71.33 216.185.71.34
>   #additional dns hostnames = smb4-2.brockley.harte-lyne.ca
>
>   ## Note diff: sbin vs. bin and _ vs. - and dns vs. ns
>   dns update command = /usr/local/sbin/samba_dnsupdate
>   ## samba_dnsupdate insists on finding rndc
>   rndc command = /usr/bin/true
>   ## For secure dns dynamic updates use these (but secure does not work):
>   # 1 nsupdate command = /usr/local/bin/samba-nsupdate -g
>   # 1 allow dns updates = secure only
>   ## For insecure dynamic updates use these settings:
>   nsupdate command = /usr/local/bin/samba-nsupdate
>   allow dns updates = nonsecure
>
>   ## Logging
>   log level = 1
> #  log file = /var/log/samba4/smbd.log.%m
>   log file = /var/log/samba4/smbd.log
>   max log size = 10000
>   debug timestamp = yes
>
>   # Disable printing
>   load printers = no
>   printing = bsd
>   printcap name = /dev/null
>   disable spoolss = yes
>
> ## Shares
> [sysvol]
>   path = /var/db/samba4/sysvol
>   read only = No
>
> [netlogon]
>   path = /var/db/samba4/sysvol/brockley.harte-lyne.ca/scripts
>   read only = No
>
> [PROFILES]
>     comment = Users profiles
>     path = /var/samba4/BROCKLEY/PROFILES/
>     browseable = No
>     read only = No
>     force create mode = 0600
>     force directory mode = 0700
>     csc policy = disable
>     store dos attributes = yes
>     vfs objects = dfs_samba4 zfsacl
>
> [USERS]
>     comment = Users folder redirection
>     path = /var/samba4/BROCKLEY/USERS/
>     browseable = No
>     read only = No
>     force create mode = 0600
>     force directory mode = 0700
>     csc policy = disable
>     store dos attributes = yes
>     vfs objects = dfs_samba4 zfsacl
>
>
>
-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam and protects your privacy. You can get a free certificate at https://www.dgn.de/dgncert/index.html
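
Added example, not part of either message above: a Python check for the symptom visible in the quoted ls output, namely profile directories whose numeric owner or group has no name in the local NSS databases, or whose mode bits are all zero like lyneak_hll.V6. The function names and the command-line path argument are assumptions made for illustration.

```python
import grp
import os
import pwd
import stat
import sys


def _name(lookup, ident):
    """Return the NSS name for a numeric id, or None if it does not resolve."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return None


def audit_profiles(root, getpw=pwd.getpwuid, getgr=grp.getgrgid):
    """List (directory, issues) for each directory directly under root.

    A directory is reported when its owner uid or group gid cannot be
    turned into a name (ls then prints the bare number), or when its
    permission bits are 000. The resolvers are injectable for testing.
    """
    findings = []
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        issues = []
        if _name(getpw, st.st_uid) is None:
            issues.append(f"uid {st.st_uid} unresolved")
        if _name(getgr, st.st_gid) is None:
            issues.append(f"gid {st.st_gid} unresolved")
        if stat.S_IMODE(st.st_mode) == 0:
            issues.append("mode bits are 000")
        if issues:
            findings.append((entry.name, issues))
    return findings


if __name__ == "__main__":
    # Assumed usage: pass the profiles share path as the only argument.
    for name, issues in audit_profiles(sys.argv[1]):
        print(f"{name}: {', '.join(issues)}")
```

Run it on the server that hosts the share, before and after a migration, and compare the two reports.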





