[Samba] Windows ACLs

Sonic sonicsmith at gmail.com
Fri Sep 23 15:58:07 UTC 2022

On Fri, Sep 23, 2022 at 10:04 AM Rowland Penny via samba
<samba at lists.samba.org> wrote:
> Download the script and post the output here.

Output of the script looks good to me, but maybe you'll see something awry.
One issue with the script is that the 'kinit Administrator' check is
hardcoded as "kinit Administrator 2> /dev/null", which fails for me,
but when I changed it to the actual name of the domain administrator,
"kinit adminex 2> /dev/null", the check passed just fine. There is no
account named "Administrator".
Without the above change I received this:
'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.

Here's the full output with the script changed as above to reflect the
actual primary domain admin account:
Config collected --- 2022-09-23-11:11 -----------

Hostname:   quinine
DNS Domain: pizza.example.com
FQDN:       quinine.pizza.example.com
This computer is running Debian 11.5 x86_64
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
    inet6 ::1/128 scope host
2: eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 18:66:da:4e:1d:48 brd ff:ff:ff:ff:ff:ff
    altname enp1s0f0
3: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:a1:cf:18 brd ff:ff:ff:ff:ff:ff
    inet brd scope global enp2s0f0
    inet6 fe80::a236:9fff:fea1:cf18/64 scope link
4: eno2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 18:66:da:4e:1d:49 brd ff:ff:ff:ff:ff:ff
    altname enp1s0f1
5: enp2s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:a1:cf:19 brd ff:ff:ff:ff:ff:ff
Checking file: /etc/hosts

        localhost       quinine.pizza.example.com       quinine

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Checking file: /etc/resolv.conf

domain pizza.example.com
Kerberos SRV _kerberos._tcp.pizza.example.com record(s) verified ok,
sample output:

_kerberos._tcp.pizza.example.com        service = 0 100 88
'kinit Administrator' checked successfully.
Samba is running as a Unix domain member
Checking file: /etc/krb5.conf

        default_realm = PIZZA.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Checking file: /etc/samba/smb.conf

# Global parameters
        log level = 3
        min domain uid = 0
        map to guest = Bad User
        printing = bsd
        printcap name = /dev/null
        load printers = No
        disable spoolss = Yes
        show add printer wizard = No
        realm = PIZZA.EXAMPLE.COM
        security = ADS
        server role = member server
        server string = Quinine Data
        username map = /etc/samba/user.map
        workgroup = PIZZA3
        idmap config pizza3 : backend = rid
        idmap config pizza3 : range = 10000-999999
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind use default domain = yes
        winbind expand groups = 2
        winbind refresh tickets = Yes
        disable netbios = yes

        comment = Data1 on Quinine
        path = /srv/terra/terra1
        vfs objects = acl_xattr
        map acl inherit = Yes
        acl_xattr:ignore system acls = yes

        comment = Data2 on Quinine
        path = /srv/terra/terra2
        vfs objects = acl_xattr
        map acl inherit = Yes
        ;acl_xattr:ignore system acls = yes

        comment = Data3 on Quinine
        path = /srv/terra/terra3
        read only = No
Running as Unix domain member and user.map detected.

Contents of /etc/samba/user.map

!root = PIZZA3\adminex

Server Role is set to : member server
This Unix domain member is using 'winbind' in /etc/nsswitch.conf.
Time on the DC with PDC Emulator role is: 2022-09-23T11:11:41
Time on this computer is:                 2022-09-23T11:11:41
Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds
Installed packages:
ii  acl                                   2.2.53-10                      amd64        access control list - utilities
ii  attr                                  1:2.4.48-6                     amd64        utilities for manipulating filesystem extended
ii  krb5-config                           2.6+nmu1                       all          Configuration files for Kerberos Version 5
ii  krb5-locales                          1.18.3-6+deb11u2               all          internationalization support for MIT Kerberos
ii  krb5-user                             1.18.3-6+deb11u2               amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                         2.2.53-10                      amd64        access control list - shared library
ii  libattr1:amd64                        1:2.4.48-6                     amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64                1.18.3-6+deb11u2               amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                       1.18.3-6+deb11u2               amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64                 1.18.3-6+deb11u2               amd64        MIT Kerberos runtime libraries - Support library
ii  libldb2:amd64                         2:2.5.2+samba4.16.5-1~bpo11+1  amd64        LDAP-like embedded database - shared library
ii  libnss-winbind:amd64                  2:4.16.5+dfsg-1~bpo11+1        amd64        Samba nameservice integration plugins
ii  libpam-krb5:amd64                     4.9-2                          amd64        PAM module for MIT Kerberos
ii  libpam-winbind:amd64                  2:4.16.5+dfsg-1~bpo11+1        amd64        Windows domain authentication integration plugin
ii  libwbclient0:amd64                    2:4.16.5+dfsg-1~bpo11+1        amd64        Samba winbind client library
ii  python3-ldb                           2:2.5.2+samba4.16.5-1~bpo11+1  amd64        Python 3 bindings for LDB
ii  python3-samba                         2:4.16.5+dfsg-1~bpo11+1        amd64        Python 3 bindings for Samba
ii  samba                                 2:4.16.5+dfsg-1~bpo11+1        amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                          2:4.16.5+dfsg-1~bpo11+1        all          common files used by both the Samba server and client
ii  samba-common-bin                      2:4.16.5+dfsg-1~bpo11+1        amd64        Samba common files used by both the server and the
ii  samba-dsdb-modules:amd64              2:4.16.5+dfsg-1~bpo11+1        amd64        Samba Directory Services Database
ii  samba-libs:amd64                      2:4.16.5+dfsg-1~bpo11+1        amd64        Samba core libraries
ii  samba-vfs-modules:amd64               2:4.16.5+dfsg-1~bpo11+1        amd64        Samba Virtual FileSystem plugins
ii  winbind                               2:4.16.5+dfsg-1~bpo11+1        amd64        service to resolve user and group information from Windows NT servers

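As an added example (not the poster's output and not code from the diagnostic script), this is how a check script can avoid the hardcoded 'kinit Administrator' problem described above: the built-in domain administrator always carries the well-known RID 500, so winbind can resolve its current name (here "adminex") before kinit is run. It assumes the documented output formats of `wbinfo --domain-info` and `wbinfo -s`; the sample `wbinfo` output and the domain SID in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or the diagnostic script.
# The built-in domain administrator always has RID 500, whatever it has
# been renamed to (here "adminex"), so resolve it through winbind
# instead of hard-coding "kinit Administrator".

# Pull the domain SID out of 'wbinfo --domain-info <WORKGROUP>' output on stdin.
domain_sid_from_info() {
    sed -n 's/^SID[[:space:]]*:[[:space:]]*\(S-1-5-21-[0-9-]*\).*/\1/p'
}

# The built-in administrator is <domain SID>-500.
builtin_admin_sid() {
    printf '%s-500\n' "$1"
}

# Reduce 'wbinfo -s' output ('PIZZA3\adminex 1') to the bare account name;
# prints nothing if the input is not in DOMAIN\name form.
account_from_sid_lookup() {
    sed -n 's/^[^\\]*\\\([^[:space:]]*\)[[:space:]]*[0-9]*$/\1/p'
}

# Live check for a domain member (needs winbind and krb5-user; not run offline).
check_builtin_admin_kinit() {
    workgroup=$1
    dsid=$(wbinfo --domain-info "$workgroup" | domain_sid_from_info)
    [ -n "$dsid" ] || { echo "no domain SID for $workgroup" >&2; return 1; }
    admin=$(wbinfo -s "$(builtin_admin_sid "$dsid")" | account_from_sid_lookup)
    [ -n "$admin" ] || { echo "cannot resolve RID 500 in $workgroup" >&2; return 1; }
    echo "built-in administrator is '$admin'; running kinit"
    kinit "$admin" 2>/dev/null
}

# Constructed sample 'wbinfo --domain-info' output (the SID is made up).
SAMPLE_INFO='Name              : PIZZA3
Alt_Name          : pizza.example.com
SID               : S-1-5-21-1111111111-2222222222-3333333333
Active Directory  : Yes
Native            : Yes
Primary           : Yes'

# Offline demonstration of the parsing steps on the constructed data.
printf '%s\n' "$SAMPLE_INFO" | domain_sid_from_info
printf 'PIZZA3\\adminex 1\n' | account_from_sid_lookup
```

On a real member, `check_builtin_admin_kinit PIZZA3` would resolve RID 500 to `adminex` and run `kinit adminex`, rather than failing on a name that does not exist in the domain.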