[Samba] old ACL on member server

me at electronico.nc me at electronico.nc
Fri Sep 30 21:59:41 UTC 2022


Le 2022-10-01 07:33, Rowland Penny via samba a écrit :
> On 30/09/2022 21:12, Nicolas Canonne via samba wrote:
>> Hi all,
>> 
>> 2 ubuntu 20.04 servers : 1 DC, 1 FileServer
>> 
>> DC has been set up with a fresh install
>> 
>> FS was previously set up as (unrecommended) FileServer on DC (it was 
>> the only server)
>> 
>> FS uses EXT4
>> 
>> (sorry I don't have smb.conf and links at hand right now)
> 
> Might help to see them.

Thanks Rowland for the answer!

DC1
cat /etc/samba/smb.conf
# Global parameters
[global]
         dns forwarder = 1.1.1.1
         netbios name = DC1
         realm = SMB.RDK.NC
         server role = active directory domain controller
         workgroup = SMB
         idmap_ldb:use rfc2307 = yes
         apply group policies = yes

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

[netlogon]
         path = /var/lib/samba/sysvol/smb.rdk.nc/scripts
         read only = No


FS
[global]
         security = ADS
         workgroup = SMB
         realm = SMB.RDK.NC

         log file = /var/log/samba/%m.log
         log level = 1

         # Default ID mapping configuration using the autorid
         # idmap backend. This will work out of the box for simple setups
         # as well as complex setups with trusted domains.
         idmap config * : backend = autorid
         idmap config * : range = 10000-9999999

         vfs objects = acl_xattr
         map acl inherit = yes
         # the next line is only required on Samba versions less than 4.9.0
         # store dos attributes = yes

         bind interfaces only = yes
         interfaces = lo br0

         winbind enum users = yes
         winbind enum groups = yes

[Profiles]
         path = /media/data/Profiles/
         read only = no
         #browseable = No
         read only = No
         csc policy = disable
         vfs objects = acl_xattr

> 
>> 
>> Old Samba files have been removed prior to re-installing Samba on FS 
>> (samba wiki)
>> 
>> FS joined the domain OK, GPOs and such are well applied; troubles occur 
>> with ACLs on FS
>> 
>> Domain users/groups are well listed using getent passwd / group on FS
>> 
>> It seems that old ACLs (with GUID in the 300 000 range used in 
>> previous samba config) are still showing using getfacl
> 
> How did you copy the files to the new Unix domain member ?

The old all-in-one DC+FS had shares on physical drives, so they haven't 
been moved.
(DC+FS) became FS only
> 
> The ID numbers in the 3000000 range are only used on a DC and are
> actually 'xidNumber' attributes stored in idmap.ldb on a DC. Unix
> domain members will use a winbind idmap backend, the 'ad' backend uses
> 'uidNumber' & 'gidNumber' attributes stored in AD, you must add these,
> they are not created automatically. The 'autorid' & 'rid' backends
> calculate the user and group IDs from the user or group RID.
> 

Oops: it is the 3 000 000 range, sorry.

FS
getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
serveur:x:1000:1000:serveur,,,:/home/serveur:/bin/bash
systemd-timesync:x:106:114:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:107:115:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:108:116:systemd Resolver,,,:/run/systemd/resolve:/bin/false
uuidd:x:100:101::/run/uuidd:/bin/false
_apt:x:110:65534::/nonexistent:/bin/false
postfix:x:111:120::/var/spool/postfix:/usr/sbin/nologin
dhcpd:x:112:122::/var/run:/usr/sbin/nologin
dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
libvirt-dnsmasq:x:114:126:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
lxc-dnsmasq:x:115:127:LXC dnsmasq,,,:/var/lib/lxc:/usr/sbin/nologin
lxd:x:116:65534::/var/lib/lxd/:/bin/false
mysql:x:117:129:MySQL Server,,,:/nonexistent:/bin/false
ulog:x:118:130::/var/log/ulog:/bin/false
tcpdump:x:109:132::/nonexistent:/usr/sbin/nologin
usbmux:x:119:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ntp:x:120:117::/nonexistent:/usr/sbin/nologin
SMB\regie:*:111115:110513:regie:/home/SMB/regie:/bin/false
SMB\serveur:*:111108:110513::/home/SMB/serveur:/bin/false
SMB\guest:*:110501:110513::/home/SMB/guest:/bin/false
SMB\krbtgt:*:110502:110513::/home/SMB/krbtgt:/bin/false
SMB\administrator:*:110500:110513::/home/SMB/administrator:/bin/false

getent group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:serveur,syslog
tty:x:5:syslog
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:serveur
floppy:x:25:
tape:x:26:
sudo:x:27:serveur
audio:x:29:
dip:x:30:serveur
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:serveur
staff:x:50:
games:x:60:
users:x:100:serveur
nogroup:x:65534:
crontab:x:102:
syslog:x:103:
fuse:x:104:
messagebus:x:105:
whoopsie:x:106:
mlocate:x:107:
ssh:x:108:
landscape:x:109:
netdev:x:110:
serveur:x:1000:
lpadmin:x:111:serveur
sambashare:x:112:serveur
systemd-journal:x:113:
systemd-timesync:x:114:
systemd-network:x:115:
systemd-resolve:x:116:
uuidd:x:101:
input:x:118:
ntp:x:117:serveur
ssl-cert:x:119:
postfix:x:120:
postdrop:x:121:
dhcpd:x:122:
kvm:x:123:
rdma:x:124:
libvirt-dnsmasq:x:126:
lxc-dnsmasq:x:127:
lxd:x:125:serveur
vboxusers:x:128:serveur
mysql:x:129:
ulog:x:130:
render:x:131:
tcpdump:x:132:
systemd-coredump:x:999:
winbindd_priv:x:133:
SMB\read-only domain controllers:x:110521:
SMB\dnsupdateproxy:x:111102:
SMB\unix admins:x:111116:
SMB\domain users:x:110513:
SMB\enterprise admins:x:110519:
SMB\enterprise read-only domain controllers:x:110498:
SMB\dnsadmins:x:111101:
SMB\denied rodc password replication group:x:110572:
SMB\domain admins:x:110512:
SMB\schema admins:x:110518:
SMB\group policy creator owners:x:110520:
SMB\allowed rodc password replication group:x:110571:
SMB\ras and ias servers:x:110553:
SMB\domain controllers:x:110516:
SMB\domain guests:x:110514:
SMB\domain computers:x:110515:
SMB\cert publishers:x:110517:

reading ACLs on an untouched folder (previously shared by the all-in-one DC+FS)
getfacl /media/data/jingles
getfacl : suppression du premier « / » des noms de chemins absolus
# file: media/data/jingles
# owner: root
# group: users
user::rwx
user:root:rwx
user:3000040:rwx
user:3000041:r-x
group::rwx
group:users:rwx
group:3000040:rwx
group:3000041:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000040:rwx
default:user:3000041:r-x
default:group::rwx
default:group:users:r-x
default:group:3000040:rwx
default:group:3000041:r-x
default:mask::rwx
default:other::---

>> 
>> 1) Is there a 'magic' way to remove these old ACLs on the file system and 
>> restore default ones?
> 
> It isn't the ACLs that are incorrect, it is the ownership and there
> aren't really any defaults.
> 
>> 
>> It looks like I should stop the shares on FS, create new folders and 
>> configure them with correct ACLs, transfer old files to the new 
>> shares.
> 
> I take it that the files etc are still on the DC, you can probably use
> rsync to copy the files across, provided that the Unix domain member
> is set up correctly.
> 
> Rowland

Nicolas
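
An added example, not part of the thread: it reproduces the autorid ID derivation Rowland describes (hypothetical parameters: the member's `range = 10000-9999999`, autorid's default rangesize of 100000, and range number 1 for the domain, which together match the getent output, e.g. Domain Users RID 513 -> 110513) and scans getfacl output for bare numeric entries, flagging those in the DC's 3000000 xidNumber range as leftovers that have to be re-set by name on the member.

```python
import re
# A Samba DC hands out xidNumbers from 3000000 upwards in idmap.ldb; a Unix domain
# member's winbind backends never produce IDs there, so a bare number in that range
# inside an ACL is a leftover from the old all-in-one DC+FS.
DC_XID_LOW, DC_XID_HIGH = 3000000, 3999999

# Hypothetical autorid parameters for this thread's member: "range = 10000-9999999"
# from its smb.conf, the backend's default rangesize of 100000, and range number 1
# for the domain. They reproduce the getent output: RID 513 -> 110513, RID 500 -> 110500.
def autorid_id(rid: int, range_low: int = 10000,
               rangesize: int = 100000, domain_range: int = 1) -> int:
    """Unix ID the autorid backend derives for an AD object with this RID."""
    return range_low + domain_range * rangesize + rid

# getfacl prints a bare number as qualifier only when winbind cannot name the ID.
# A trailing "#effective:" annotation (printed when the mask narrows an entry) is tolerated.
ACL_LINE = re.compile(r"^(default:)?(user|group):([^:\s]*):([rwx-]{3})(?:\s+#effective:.*)?$")

def stale_acl_entries(getfacl_output: str) -> list[tuple[str, int, str]]:
    """Return (tag, numeric id, perms) per unmapped entry; tag is e.g. 'default:group'."""
    found = []
    for line in getfacl_output.splitlines():
        m = ACL_LINE.match(line.strip())
        if m and m.group(3).isdigit():
            found.append(((m.group(1) or "") + m.group(2), int(m.group(3)), m.group(4)))
    return found

def is_dc_xid(xid: int) -> bool:
    # True if the number lies in the DC's idmap.ldb allocation range.
    return DC_XID_LOW <= xid <= DC_XID_HIGH

# Constructed sample: an excerpt of the getfacl output for /media/data/jingles
# quoted in the thread (named entries kept to show they are ignored).
SAMPLE_GETFACL = """\
# file: media/data/jingles
user::rwx
user:3000040:rwx
user:3000041:r-x
group:users:rwx
group:3000040:rwx
group:3000041:r-x
mask::rwx
default:user:3000040:rwx
default:group:3000041:r-x
"""

def report(getfacl_output: str) -> dict[int, str]:
    """Map each unmapped ID to its likely origin, for the file-by-file cleanup list."""
    return {xid: ("old DC xidNumber" if is_dc_xid(xid) else "unknown")
            for _, xid, _ in stale_acl_entries(getfacl_output)}
```

Feed it `getfacl -R` output from the old share paths to get the list of directories whose owner and ACL entries still reference the DC-only IDs.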
