[Samba] old ACL on member server

me at electronico.nc
Fri Sep 30 22:12:02 UTC 2022


On 2022-10-01 08:59, electronico via samba wrote:
> On 2022-10-01 07:33, Rowland Penny via samba wrote:
>> On 30/09/2022 21:12, Nicolas Canonne via samba wrote:
>>> Hi all,
>>> 
>>> 2 Ubuntu 20.04 servers: 1 DC, 1 FileServer
>>> 
>>> DC has been set up with a fresh install
>>> 
>>> FS was previously set up as an (unrecommended) FileServer on the DC (it was 
>>> the only server)
>>> 
>>> FS uses EXT4
>>> 
>>> (sorry I don't have smb.conf and links at hand right now)
>> 
>> Might help to see them.
> 
> Thanks Rowland for the answer !
> 
> DC1
> cat /etc/samba/smb.conf
> # Global parameters
> [global]
>         dns forwarder = 1.1.1.1
>         netbios name = DC1
>         realm = SMB.RDK.NC
>         server role = active directory domain controller
>         workgroup = SMB
>         idmap_ldb:use rfc2307 = yes
>         apply group policies = yes
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/smb.rdk.nc/scripts
>         read only = No
> 
> 
> FS
> [global]
>         security = ADS
>         workgroup = SMB
>         realm = SMB.RDK.NC
> 
>         log file = /var/log/samba/%m.log
>         log level = 1
> 
>         # Default ID mapping configuration using the autorid
>         # idmap backend. This will work out of the box for simple setups
>         # as well as complex setups with trusted domains.
>         idmap config * : backend = autorid
>         idmap config * : range = 10000-9999999
> 
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         # the next line is only required on Samba versions less than 4.9.0
>         # store dos attributes = yes
> 
>         bind interfaces only = yes
>         interfaces = lo br0
> 
>         winbind enum users = yes
>         winbind enum groups = yes
> 
> [Profiles]
>         path = /media/data/Profiles/
>         read only = no
>         #browseable = No
>         read only = No
>         csc policy = disable
>         vfs objects = acl_xattr
> 
> 
> 
>> 
>>> 
>>> Old Samba files have been removed prior to reinstalling Samba on FS 
>>> (Samba wiki)
>>> 
>>> FS joined the domain OK, GPOs and such are well applied, troubles occur 
>>> with ACLs on FS
>>> 
>>> Domain users/groups are well listed using getent passwd / group on FS
>>> 
>>> It seems that old ACLs (with GUIDs in the 300 000 range used in the 
>>> previous Samba config) are still showing using getfacl
>> 
>> How did you copy the files to the new Unix domain member ?
> 
> The old all-in-one DC+FS had shares on physical drives, so they
> haven't been moved.
> (DC+FS) became FS only
>> 
>> The ID numbers in the 3000000 range are only used on a DC and are
>> actually 'xidNumber' attributes stored in idmap.ldb on a DC. Unix
>> domain members will use a winbind idmap backend, the 'ad' backend uses
>> 'uidNumber' & 'gidNumber' attributes stored in AD, you must add these,
>> they are not created automatically. The 'autorid' & 'rid' backends
>> calculate the user and group IDs from the user or group RID.
>> 
> 
> Oops: it is the 3 000 000 range, sorry.
> 
> FS
> getent passwd
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
> bin:x:2:2:bin:/bin:/usr/sbin/nologin
> sys:x:3:3:sys:/dev:/usr/sbin/nologin
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/usr/sbin/nologin
> man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
> lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
> mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
> news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
> uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
> proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
> www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
> list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
> irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
> syslog:x:101:103::/home/syslog:/bin/false
> messagebus:x:102:105::/var/run/dbus:/bin/false
> whoopsie:x:103:106::/nonexistent:/bin/false
> landscape:x:104:109::/var/lib/landscape:/bin/false
> sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
> serveur:x:1000:1000:serveur,,,:/home/serveur:/bin/bash
> systemd-timesync:x:106:114:systemd Time Synchronization,,,:/run/systemd:/bin/false
> systemd-network:x:107:115:systemd Network Management,,,:/run/systemd/netif:/bin/false
> systemd-resolve:x:108:116:systemd Resolver,,,:/run/systemd/resolve:/bin/false
> uuidd:x:100:101::/run/uuidd:/bin/false
> _apt:x:110:65534::/nonexistent:/bin/false
> postfix:x:111:120::/var/spool/postfix:/usr/sbin/nologin
> dhcpd:x:112:122::/var/run:/usr/sbin/nologin
> dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
> libvirt-dnsmasq:x:114:126:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
> lxc-dnsmasq:x:115:127:LXC dnsmasq,,,:/var/lib/lxc:/usr/sbin/nologin
> lxd:x:116:65534::/var/lib/lxd/:/bin/false
> mysql:x:117:129:MySQL Server,,,:/nonexistent:/bin/false
> ulog:x:118:130::/var/log/ulog:/bin/false
> tcpdump:x:109:132::/nonexistent:/usr/sbin/nologin
> usbmux:x:119:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
> systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
> ntp:x:120:117::/nonexistent:/usr/sbin/nologin
> SMB\regie:*:111115:110513:regie:/home/SMB/regie:/bin/false
> SMB\serveur:*:111108:110513::/home/SMB/serveur:/bin/false
> SMB\guest:*:110501:110513::/home/SMB/guest:/bin/false
> SMB\krbtgt:*:110502:110513::/home/SMB/krbtgt:/bin/false
> SMB\administrator:*:110500:110513::/home/SMB/administrator:/bin/false
> 
> getent group
> root:x:0:
> daemon:x:1:
> bin:x:2:
> sys:x:3:
> adm:x:4:serveur,syslog
> tty:x:5:syslog
> disk:x:6:
> lp:x:7:
> mail:x:8:
> news:x:9:
> uucp:x:10:
> man:x:12:
> proxy:x:13:
> kmem:x:15:
> dialout:x:20:
> fax:x:21:
> voice:x:22:
> cdrom:x:24:serveur
> floppy:x:25:
> tape:x:26:
> sudo:x:27:serveur
> audio:x:29:
> dip:x:30:serveur
> www-data:x:33:
> backup:x:34:
> operator:x:37:
> list:x:38:
> irc:x:39:
> src:x:40:
> gnats:x:41:
> shadow:x:42:
> utmp:x:43:
> video:x:44:
> sasl:x:45:
> plugdev:x:46:serveur
> staff:x:50:
> games:x:60:
> users:x:100:serveur
> nogroup:x:65534:
> crontab:x:102:
> syslog:x:103:
> fuse:x:104:
> messagebus:x:105:
> whoopsie:x:106:
> mlocate:x:107:
> ssh:x:108:
> landscape:x:109:
> netdev:x:110:
> serveur:x:1000:
> lpadmin:x:111:serveur
> sambashare:x:112:serveur
> systemd-journal:x:113:
> systemd-timesync:x:114:
> systemd-network:x:115:
> systemd-resolve:x:116:
> uuidd:x:101:
> input:x:118:
> ntp:x:117:serveur
> ssl-cert:x:119:
> postfix:x:120:
> postdrop:x:121:
> dhcpd:x:122:
> kvm:x:123:
> rdma:x:124:
> libvirt-dnsmasq:x:126:
> lxc-dnsmasq:x:127:
> lxd:x:125:serveur
> vboxusers:x:128:serveur
> mysql:x:129:
> ulog:x:130:
> render:x:131:
> tcpdump:x:132:
> systemd-coredump:x:999:
> winbindd_priv:x:133:
> SMB\read-only domain controllers:x:110521:
> SMB\dnsupdateproxy:x:111102:
> SMB\unix admins:x:111116:
> SMB\domain users:x:110513:
> SMB\enterprise admins:x:110519:
> SMB\enterprise read-only domain controllers:x:110498:
> SMB\dnsadmins:x:111101:
> SMB\denied rodc password replication group:x:110572:
> SMB\domain admins:x:110512:
> SMB\schema admins:x:110518:
> SMB\group policy creator owners:x:110520:
> SMB\allowed rodc password replication group:x:110571:
> SMB\ras and ias servers:x:110553:
> SMB\domain controllers:x:110516:
> SMB\domain guests:x:110514:
> SMB\domain computers:x:110515:
> SMB\cert publishers:x:110517:
> 
> reading ACLs on a touched folder (previously shared by the all-in-one 
> DC+FS)
> getfacl /media/data/jingles
> getfacl: Removing leading '/' from absolute path names
> # file: media/data/jingles
> # owner: root
> # group: users
> user::rwx
> user:root:rwx
> user:3000040:rwx
> user:3000041:r-x
> group::rwx
> group:users:rwx
> group:3000040:rwx
> group:3000041:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000040:rwx
> default:user:3000041:r-x
> default:group::rwx
> default:group:users:r-x
> default:group:3000040:rwx
> default:group:3000041:r-x
> default:mask::rwx
> default:other::---
> 
> 
> 
> 
>>> 
>>> 1) Is there a 'magic' way to remove these old ACLs on the file system and 
>>> restore default ones?
>> 
>> It isn't the ACLs that are incorrect, it is the ownership and there
>> aren't really any defaults.
>> 
>>> 
>>> It looks like I should stop the shares on FS, create new folders and 
>>> configure them with correct ACLs, transfer old files to the new 
>>> shares.
>> 
>> I take it that the files etc are still on the DC, you can probably use
>> rsync to copy the files across, provided that the Unix domain member
>> is set up correctly.
>> 
>> Rowland
> 
> Nicolas

Sorry,

I forgot to mention:
samba -V
Version 4.13.17-Ubuntu

Nicolas


