[Samba] Windows ACLs
Sonic
sonicsmith at gmail.com
Fri Sep 23 15:58:07 UTC 2022
On Fri, Sep 23, 2022 at 10:04 AM Rowland Penny via samba
<samba at lists.samba.org> wrote:
> Download the script and post the output here.
Output of the script looks good to me, but maybe you'll see something awry.
One issue with the script is that the 'kinit Administrator' check is
hardcoded as "kinit Administrator 2> /dev/null" which fails for me,
but when I changed it to the actual name of the domain administrator
"kinit adminex 2> /dev/null" the check passed just fine. There is no
account named "Administrator".
Without the above change I received this:
===========================
'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.
===========================
Here's the full output with the script changed as above to reflect the
actual primary domain admin account:
===========================
Config collected --- 2022-09-23-11:11 -----------
Hostname: quinine
DNS Domain: pizza.example.com
Realm: PIZZA.EXAMPLE.COM
FQDN: quinine.pizza.example.com
ipaddress: 192.168.114.15
-----------
This computer is running Debian 11.5 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state
DOWN group default qlen 1000
link/ether 18:66:da:4e:1d:48 brd ff:ff:ff:ff:ff:ff
altname enp1s0f0
3: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state
UP group default qlen 1000
link/ether a0:36:9f:a1:cf:18 brd ff:ff:ff:ff:ff:ff
inet 192.168.114.15/23 brd 192.168.115.255 scope global enp2s0f0
inet6 fe80::a236:9fff:fea1:cf18/64 scope link
4: eno2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state
DOWN group default qlen 1000
link/ether 18:66:da:4e:1d:49 brd ff:ff:ff:ff:ff:ff
altname enp1s0f1
5: enp2s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq
state DOWN group default qlen 1000
link/ether a0:36:9f:a1:cf:19 brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
127.0.1.1 quinine.pizza.example.com quinine
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
domain pizza.example.com
nameserver 192.168.114.1
-----------
Kerberos SRV _kerberos._tcp.pizza.example.com record(s) verified ok,
sample output:
Server: 192.168.114.11
Address: 192.168.114.11#53
_kerberos._tcp.pizza.example.com service = 0 100 88
wheat.pizza.example.com.
-----------
'kinit Administrator' checked successfully.
-----------
Samba is running as a Unix domain member
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = PIZZA.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind systemd
group: files winbind systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
log level = 3
min domain uid = 0
map to guest = Bad User
printing = bsd
printcap name = /dev/null
load printers = No
disable spoolss = Yes
show add printer wizard = No
realm = PIZZA.EXAMPLE.COM
security = ADS
server role = member server
server string = Quinine Data
username map = /etc/samba/user.map
workgroup = PIZZA3
idmap config pizza3 : backend = rid
idmap config pizza3 : range = 10000-999999
idmap config * : range = 3000-7999
idmap config * : backend = tdb
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
disable netbios = yes
[data1]
comment = Data1 on Quinine
path = /srv/terra/terra1
vfs objects = acl_xattr
map acl inherit = Yes
acl_xattr:ignore system acls = yes
[data2]
comment = Data2 on Quinine
path = /srv/terra/terra2
vfs objects = acl_xattr
map acl inherit = Yes
;acl_xattr:ignore system acls = yes
[data3]
comment = Data3 on Quinine
path = /srv/terra/terra3
read only = No
-----------
Running as Unix domain member and user.map detected.
Contents of /etc/samba/user.map
!root = PIZZA3\adminex
Server Role is set to : member server
-----------
This Unix domain member is using 'winbind' in /etc/nsswitch.conf.
-----------
Time on the DC with PDC Emulator role is: 2022-09-23T11:11:41
Time on this computer is: 2022-09-23T11:11:41
Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds
-----------
Installed packages:
ii acl 2.2.53-10
amd64 access control list - utilities
ii attr 1:2.4.48-6
amd64 utilities for manipulating filesystem extended
attributes
ii krb5-config 2.6+nmu1
all Configuration files for Kerberos Version 5
ii krb5-locales 1.18.3-6+deb11u2
all internationalization support for MIT Kerberos
ii krb5-user 1.18.3-6+deb11u2
amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-10
amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-6
amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u2
amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.18.3-6+deb11u2
amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.18.3-6+deb11u2
amd64 MIT Kerberos runtime libraries - Support library
ii libldb2:amd64
2:2.5.2+samba4.16.5-1~bpo11+1 amd64 LDAP-like embedded
database - shared library
ii libnss-winbind:amd64 2:4.16.5+dfsg-1~bpo11+1
amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.9-2
amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.16.5+dfsg-1~bpo11+1
amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.16.5+dfsg-1~bpo11+1
amd64 Samba winbind client library
ii python3-ldb
2:2.5.2+samba4.16.5-1~bpo11+1 amd64 Python 3 bindings for LDB
ii python3-samba 2:4.16.5+dfsg-1~bpo11+1
amd64 Python 3 bindings for Samba
ii samba 2:4.16.5+dfsg-1~bpo11+1
amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.16.5+dfsg-1~bpo11+1
all common files used by both the Samba server and client
ii samba-common-bin 2:4.16.5+dfsg-1~bpo11+1
amd64 Samba common files used by both the server and the
client
ii samba-dsdb-modules:amd64 2:4.16.5+dfsg-1~bpo11+1
amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.16.5+dfsg-1~bpo11+1
amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.16.5+dfsg-1~bpo11+1
amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.16.5+dfsg-1~bpo11+1
amd64 service to resolve user and group information from
Windows NT servers
===========================
More information about the samba
mailing list