[Samba] Fwd: Copy ACL to samba domain member file server

Rowland Penny rpenny at samba.org
Wed Jul 19 08:50:04 UTC 2023



On 18/07/2023 22:00, Steffen Dettmer via samba wrote:
> Hi,
> 
> I have a Debian 12 Container with Samba 4.17.9. Actually I wanted a
> domain controller Windows 2012R2 to migrate to Samba, but according to
> reading I had to downgrade to Windows Server 2008 first.

That is not entirely true, you can join Samba as a DC to a 2012R2 
domain, but you may have to lower the functional level first.

> I saw no way
> and bought a Windows Server 2019 license. Now I would like to have at
> least a file server with ACL support.
> 
> I started with a fresh container and followed the Samba Wiki
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
> I was able to join and did create a share as in
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
> It states to use Windows to configure permissions. However, on
> Windows, I only get permission denied and "failed to enumerate objects
> in the container". I saw in some log surprising permission issues with
> tbd file and since the container has no shell access for users I
> simply tried chmod 0777 /var/lib/samba/*, but I still get the errors.
> Interestingly, the permissions seem to be set according to windows
> file properties. I can create folders and its owner matches. I can
> write into, but always get errors with ACLs. I also can delete the
> folders (from Windows).
> 
> What I would like to safely (=robust, stable, reliable) have is move
> my windows files to my ZFS datasets (nas1/mp0) like:

Which 'ZFS' is this?
ZFS on Linux, or true ZFS that uses NFSv4 ACLs?

> 
> c:\>robocopy d:\stor1\f1 \\nas1\disk0\f1 /E /COPYALL /IA:RASHNTCEO
> /R:0 /W:0 /LOG+:d:\tmp\nas1.log /TEE /XD D:\stor1\f1\bak

I do not use robocopy, but, as far as I am aware, it should work.

> 
> [many of:
>           Neues Verz.     362    d:\stor1\f1\tmp\
> 2023/07/18 22:33:47 FEHLER 5 (0x00000005) NTFS-Sicherheit wird in
> Zielverzeichnis kopiert \\nas1\disk0\f1\tmp\
> Zugriff verweigert
> ]
> 
> (This is "NTFS security will be copied to destination directory:
> permission denied")
> 
> What am I doing wrong?
> 
> Any help appreciated!
> 
> Steffen
> 
> 
> root at nas1:/var/lib/samba# grep -vE '(^$|#)' /etc/samba/smb.conf | sed
> "s|$DOM|DOM|"
> [global]
> security = ADS
> workgroup = DOM
> realm = DOM.LOCAL
> winbind use default domain = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> acl_xattr:ignore system acls = yes
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     logging = file
>     panic action = /usr/share/samba/panic-action %d
>     server role = standalone server
>     obey pam restrictions = yes
>     unix password sync = yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     pam password change = yes
>     map to guest = bad user
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config DOM : backend = rid
> idmap config DOM : range = 10000-99999
> template shell = /bin/bash
> template homedir = /home/%U
>     usershare allow guests = yes
> [homes]
>     comment = Home Directories
>     browseable = no
>     read only = yes
>     create mask = 0700
>     directory mask = 0700
>     valid users = %S
> [disk0]
>    path = /mp0/windisk0
>    read only = no
>    writeable = yes
> root at nas1:/var/lib/samba#

There are a few lines in that smb.conf that really shouldn't be in a 
Unix domain member's smb.conf, try this one:

[global]
     security = ADS
     workgroup = DOM
     realm = DOM.LOCAL

     log file = /var/log/samba/log.%m
     max log size = 1000
     logging = file
     panic action = /usr/share/samba/panic-action %d
     obey pam restrictions = yes
     pam password change = yes
     winbind use default domain = yes
     idmap config * : backend = tdb
     idmap config * : range = 3000-7999
     idmap config DOM : backend = rid
     idmap config DOM : range = 10000-99999
     template shell = /bin/bash
     template homedir = /home/%U
     usershare allow guests = yes

     vfs objects = acl_xattr
     map acl inherit = yes

[homes]
     comment = Home Directories
     browseable = no
     read only = no
     create mask = 0700
     directory mask = 0700
     valid users = %S

[disk0]
     path = /mp0/windisk0
     read only = no

> 
>   /etc/krb5.conf
> [libdefaults]
>          default_realm = DOM.LOCAL
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
>          kdc_timesync = 1
>          ccache_type = 4
>          forwardable = true
>          proxiable = true
>          rdns = false
>          fcc-mit-ticketflags = true

Try this /etc/krb5.conf; it is based on the latest Samba recommended one:

[libdefaults]
	default_realm = DOM.LOCAL
	dns_lookup_realm = false
	dns_lookup_kdc = true

[realms]
	DOM.LOCAL = {
		default_domain = dom.local
	}

[domain_realm]
	NAS1 = DOM.LOCAL

> 
> 
> root at nas1:/var/lib/samba# wbinfo --ping-dc | sed "s|$DOM|DOM|g"
> checking the NETLOGON for domain[DOM] dc connection to "dc2.DOM.local" succeeded
> 
> root at nas1:/var/lib/samba# ls -l /mp0/windisk0/
> total 9
> drwxrwxr-x+ 2 a-sdettmer domänen-benutzer 2 Jul 18 22:02 tst
> root at nas1:/var/lib/samba#
> 
> 
> root at nas1:/var/lib/samba# smbd -b | grep HAVE_LIBACL
>     HAVE_LIBACL
> root at nas1:/var/lib/samba# net rpc rights list privileges
> SeDiskOperatorPrivilege -U "$DOM\administrator"
> Password for [DOM\administrator]:
> SeDiskOperatorPrivilege:
>    DOM\Domänen-Admins
>    BUILTIN\Administrators
> root at nas1:/var/lib/samba#
> 
> 
> root at nas1:/var/lib/samba# id a-sdettmer | sed "s|$DOM|DOM|g"
> uid=29603(a-sdettmer) gid=10513(domänen-benutzer)
> groups=10513(domänen-benutzer),29603(a-sdettmer),XXXXXXXX,10526(schlüsseladministratoren),XXXXX,10512(domänen-admins),10520(richtlinien-ersteller-besitzer),10527(unternehmenssschlüsseladministratoren),10519(organisations-admins),10518(schema-admins),11103(dnsadmins),21108(netmon
> users),10572(abgelehnte
> rodc-kennwortreplikationsgruppe),11001(dhcp-administratoren),10517(zertifikatherausgeber),XXXXX,3001(BUILTIN\users),3000(BUILTIN\administrators)
> root at nas1:/var/lib/samba#
> 
> 
> 
> root at nas1:/var/lib/samba# samba-tool group listmembers
> "$DOM\Domänen-Admins" 2>&1| sed "s|$DOM|DOM|g"
> ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open
> file /var/lib/samba/private/sam.ldb: No such file or directory
> 
> Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
> Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with
> backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': No
> such file or directory
> ERROR: Failed to list members of "DOM\Domänen-Admins" group - (1,
> "Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or
> directory")
> root at nas1:/var/lib/samba#
> 
> (is this normal in domain member mode?)

Yes, there is no sam.ldb on a Unix domain member; you can add '-H 
ldap://YOUR_DCS_HOSTNAME' to the command.

Rowland
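A quick way to catch the problem settings before trying the share from Windows, as an added example that is not part of Rowland's reply or of the Samba project: a small Python linter that flags the [global] options Rowland removed from the posted smb.conf and confirms the two options the Windows ACL wiki page relies on. The sample configuration is constructed from the original post; testparm remains the authoritative parser.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the smb.conf in the original post.
SAMPLE_SMB_CONF = """[global]
security = ADS
vfs objects = acl_xattr
map acl inherit = yes
acl_xattr:ignore system acls = yes
    server role = standalone server
    unix password sync = yes
    map to guest = bad user
[disk0]
   path = /mp0/windisk0
   read only = no
   writeable = yes
"""

# Options Rowland dropped from [global]; none belong in a domain member's smb.conf.
NOT_FOR_MEMBER = ("server role", "unix password sync", "passwd program",
                  "passwd chat", "map to guest", "acl_xattr:ignore system acls")

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {option: value}}, keys normalised."""
    conf, section = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        else:  # 'option = value'; smb.conf option names ignore case and whitespace
            key, _, value = line.partition("=")
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf

def lint_member_config(text):
    """Return findings that would break Windows ACL management on a domain member."""
    conf = parse_smb_conf(text)
    glob, findings = conf.get("global", {}), []
    findings += [f"global: '{o}' does not belong in a domain member smb.conf"
                 for o in NOT_FOR_MEMBER if o in glob]
    if "acl_xattr" not in glob.get("vfs objects", "").lower():
        findings.append("global: 'vfs objects' must include acl_xattr for Windows ACLs")
    if glob.get("map acl inherit", "no").lower() != "yes":
        findings.append("global: set 'map acl inherit = yes' so inherited ACEs are kept")
    for name, opts in conf.items():
        if name != "global" and {"read only", "writeable"} <= set(opts):
            findings.append(f"{name}: 'read only' and 'writeable' are one setting, keep one")
    return findings
```

Run it against the real file with `lint_member_config(open("/etc/samba/smb.conf").read())`; an empty list means none of the settings discussed in this thread are present.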




More information about the samba mailing list