[Samba] Fwd: Copy ACL to samba domain member file server

Steffen Dettmer steffen.dettmer+samba at gmail.com
Tue Jul 18 21:00:59 UTC 2023


Hi,

I have a Debian 12 container with Samba 4.17.9. Originally I wanted to migrate a
Windows 2012R2 domain controller to Samba, but from what I read I would have had
to downgrade to Windows Server 2008 first. I saw no way to do that and bought a
Windows Server 2019 license instead. Now I would like to have at least a file
server with ACL support.

I started with a fresh container and followed the Samba Wiki
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
I was able to join and did create a share as in
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
It states to use Windows to configure permissions. However, on Windows I only
get "permission denied" and "failed to enumerate objects in the container". In
some log I saw surprising permission issues with a tdb file, and since the
container has no shell access for users I simply tried chmod 0777
/var/lib/samba/*, but I still get the errors. Interestingly, the permissions do
seem to be set according to the Windows file properties: I can create folders
and their owner matches, and I can write into them, but I always get errors
with ACLs. I can also delete the folders (from Windows).

What I would like is to safely (= robustly, stably, reliably) move my Windows
files to my ZFS datasets (nas1/mp0), like:

c:\>robocopy d:\stor1\f1 \\nas1\disk0\f1 /E /COPYALL /IA:RASHNTCEO
/R:0 /W:0 /LOG+:d:\tmp\nas1.log /TEE /XD D:\stor1\f1\bak

[many of:
         Neues Verz.     362    d:\stor1\f1\tmp\
2023/07/18 22:33:47 FEHLER 5 (0x00000005) NTFS-Sicherheit wird in
Zielverzeichnis kopiert \\nas1\disk0\f1\tmp\
Zugriff verweigert
]

(This is German for "NTFS security is being copied to destination directory:
access denied")

What am I doing wrong?

Any help appreciated!

Steffen


root at nas1:/var/lib/samba# grep -vE '(^$|#)' /etc/samba/smb.conf | sed
"s|$DOM|DOM|"
# /etc/samba/smb.conf as posted: comment and blank lines were stripped by the
# grep, and the real domain name was replaced by DOM via the sed.
[global]
# 'security = ADS' is the domain-member setting from the Samba wiki.
security = ADS
workgroup = DOM
realm = DOM.LOCAL
winbind use default domain = yes
# Windows-ACL share setup from the wiki: the NT ACL is stored in an xattr and,
# with 'ignore system acls', is authoritative; the POSIX mode/ACL of the files
# is not consulted for access checks.
vfs objects = acl_xattr
map acl inherit = yes
acl_xattr:ignore system acls = yes
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
# NOTE(review): an explicit 'server role' is normally authoritative over the
# role implied by 'security = ADS', so this line (which looks like a leftover of
# the distribution default) would demote the host to a standalone server even
# though it is joined to the domain. Either remove it or set it to
# 'member server', then confirm with: testparm -v | grep "server role"
   server role = standalone server
# The local-password-sync lines below presumably only matter for local (tdbsam)
# accounts; they should be harmless for winbind users but could be dropped.
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
# NOTE(review): 'bad user' maps any unknown username to a guest login instead
# of rejecting it. On a member server that only serves domain users, consider
# 'map to guest = never' (the Samba default).
   map to guest = bad user
# winbind id mapping: the '*' tdb backend covers BUILTIN and other non-domain
# SIDs (cf. 3000/3001 for BUILTIN groups in the 'id' output), the domain uses
# rid for deterministic ids. The two ranges must not overlap — these do not.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOM : backend = rid
idmap config DOM : range = 10000-99999
template shell = /bin/bash
template homedir = /home/%U
# NOTE(review): distribution default; combined with 'map to guest = bad user'
# above it allows guest access to user-defined shares — confirm this is wanted.
   usershare allow guests = yes
# Distribution default home-share section; as posted, home shares are
# read-only.
[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S
# The share used by the robocopy run (\\nas1\disk0). No 'valid users' or
# 'write list' is set, so access presumably rests entirely on the NT ACL of
# /mp0/windisk0. 'read only = no' and 'writeable = yes' are synonyms; one of
# the two suffices.
[disk0]
  path = /mp0/windisk0
  read only = no
  writeable = yes
root at nas1:/var/lib/samba#

 /etc/krb5.conf
[libdefaults]
        default_realm = DOM.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        rdns = false
        fcc-mit-ticketflags = true


root at nas1:/var/lib/samba# wbinfo --ping-dc | sed "s|$DOM|DOM|g"
checking the NETLOGON for domain[DOM] dc connection to "dc2.DOM.local" succeeded

root at nas1:/var/lib/samba# ls -l /mp0/windisk0/
total 9
drwxrwxr-x+ 2 a-sdettmer domänen-benutzer 2 Jul 18 22:02 tst
root at nas1:/var/lib/samba#


root at nas1:/var/lib/samba# smbd -b | grep HAVE_LIBACL
   HAVE_LIBACL
root at nas1:/var/lib/samba# net rpc rights list privileges
SeDiskOperatorPrivilege -U "$DOM\administrator"
Password for [DOM\administrator]:
SeDiskOperatorPrivilege:
  DOM\Domänen-Admins
  BUILTIN\Administrators
root at nas1:/var/lib/samba#


root at nas1:/var/lib/samba# id a-sdettmer | sed "s|$DOM|DOM|g"
uid=29603(a-sdettmer) gid=10513(domänen-benutzer)
groups=10513(domänen-benutzer),29603(a-sdettmer),XXXXXXXX,10526(schlüsseladministratoren),XXXXX,10512(domänen-admins),10520(richtlinien-ersteller-besitzer),10527(unternehmenssschlüsseladministratoren),10519(organisations-admins),10518(schema-admins),11103(dnsadmins),21108(netmon
users),10572(abgelehnte
rodc-kennwortreplikationsgruppe),11001(dhcp-administratoren),10517(zertifikatherausgeber),XXXXX,3001(BUILTIN\users),3000(BUILTIN\administrators)
root at nas1:/var/lib/samba#



root at nas1:/var/lib/samba# samba-tool group listmembers
"$DOM\Domänen-Admins" 2>&1| sed "s|$DOM|DOM|g"
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open
file /var/lib/samba/private/sam.ldb: No such file or directory

Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with
backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': No
such file or directory
ERROR: Failed to list members of "DOM\Domänen-Admins" group - (1,
"Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or
directory")
root at nas1:/var/lib/samba#

(is this normal in domain member mode?)


