[Samba] Fwd: Copy ACL to samba domain member file server

Kees van Vloten keesvanvloten at gmail.com
Wed Jul 19 08:57:11 UTC 2023


On 18-07-2023 at 23:00, Steffen Dettmer via samba wrote:
> Hi,
>
> I have a Debian 12 container with Samba 4.17.9. Actually, I wanted to
> migrate a Windows 2012R2 domain controller to Samba, but according to
> what I read I would have to downgrade to Windows Server 2008 first. I saw
> no way and bought a Windows Server 2019 license. Now I would like to have
> at least a file server with ACL support.
>
> I started with a fresh container and followed the Samba Wiki

I am wondering about the word "container". As far as I know you need a 
privileged container for Samba to function properly.

- Kees.

> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
> I was able to join and did create a share as in
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
> It states to use Windows to configure permissions. However, on
> Windows, I only get permission denied and "failed to enumerate objects
> in the container". I saw in some log surprising permission issues with
> tbd file and since the container has no shell access for users I
> simply tried chmod 0777 /var/lib/samba/*, but I still get the errors.
> Interestingly, the permissions seem to be set according to the Windows
> file properties. I can create folders and their owner matches. I can
> write into them, but always get errors with ACLs. I also can delete the
> folders (from Windows).
>
> What I would like to have safely (= robust, stable, reliable) is to move
> my Windows files to my ZFS datasets (nas1/mp0) like:
>
> c:\>robocopy d:\stor1\f1 \\nas1\disk0\f1 /E /COPYALL /IA:RASHNTCEO
> /R:0 /W:0 /LOG+:d:\tmp\nas1.log /TEE /XD D:\stor1\f1\bak
>
> [many of:
>           Neues Verz.     362    d:\stor1\f1\tmp\
> 2023/07/18 22:33:47 FEHLER 5 (0x00000005) NTFS-Sicherheit wird in
> Zielverzeichnis kopiert \\nas1\disk0\f1\tmp\
> Zugriff verweigert
> ]
>
> (This is "NTFS security will be copied to destination directory:
> permission denied")
>
> What am I doing wrong?
>
> Any help appreciated!
>
> Steffen
>
>
> root at nas1:/var/lib/samba# grep -vE '(^$|#)' /etc/samba/smb.conf | sed
> "s|$DOM|DOM|"
> [global]
> security = ADS
> workgroup = DOM
> realm = DOM.LOCAL
> winbind use default domain = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> acl_xattr:ignore system acls = yes
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     logging = file
>     panic action = /usr/share/samba/panic-action %d
>     server role = standalone server
>     obey pam restrictions = yes
>     unix password sync = yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     pam password change = yes
>     map to guest = bad user
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config DOM : backend = rid
> idmap config DOM : range = 10000-99999
> template shell = /bin/bash
> template homedir = /home/%U
>     usershare allow guests = yes
> [homes]
>     comment = Home Directories
>     browseable = no
>     read only = yes
>     create mask = 0700
>     directory mask = 0700
>     valid users = %S
> [disk0]
>    path = /mp0/windisk0
>    read only = no
>    writeable = yes
> root at nas1:/var/lib/samba#
>
>   /etc/krb5.conf
> [libdefaults]
>          default_realm = DOM.LOCAL
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
>          kdc_timesync = 1
>          ccache_type = 4
>          forwardable = true
>          proxiable = true
>          rdns = false
>          fcc-mit-ticketflags = true
>
>
> root at nas1:/var/lib/samba# wbinfo --ping-dc | sed "s|$DOM|DOM|g"
> checking the NETLOGON for domain[DOM] dc connection to "dc2.DOM.local" succeeded
>
> root at nas1:/var/lib/samba# ls -l /mp0/windisk0/
> total 9
> drwxrwxr-x+ 2 a-sdettmer domänen-benutzer 2 Jul 18 22:02 tst
> root at nas1:/var/lib/samba#
>
>
> root at nas1:/var/lib/samba# smbd -b | grep HAVE_LIBACL
>     HAVE_LIBACL
> root at nas1:/var/lib/samba# net rpc rights list privileges
> SeDiskOperatorPrivilege -U "$DOM\administrator"
> Password for [DOM\administrator]:
> SeDiskOperatorPrivilege:
>    DOM\Domänen-Admins
>    BUILTIN\Administrators
> root at nas1:/var/lib/samba#
>
>
> root at nas1:/var/lib/samba# id a-sdettmer | sed "s|$DOM|DOM|g"
> uid=29603(a-sdettmer) gid=10513(domänen-benutzer)
> groups=10513(domänen-benutzer),29603(a-sdettmer),XXXXXXXX,10526(schlüsseladministratoren),XXXXX,10512(domänen-admins),10520(richtlinien-ersteller-besitzer),10527(unternehmenssschlüsseladministratoren),10519(organisations-admins),10518(schema-admins),11103(dnsadmins),21108(netmon
> users),10572(abgelehnte
> rodc-kennwortreplikationsgruppe),11001(dhcp-administratoren),10517(zertifikatherausgeber),XXXXX,3001(BUILTIN\users),3000(BUILTIN\administrators)
> root at nas1:/var/lib/samba#
>
>
>
> root at nas1:/var/lib/samba# samba-tool group listmembers
> "$DOM\Domänen-Admins" 2>&1| sed "s|$DOM|DOM|g"
> ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open
> file /var/lib/samba/private/sam.ldb: No such file or directory
>
> Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
> Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with
> backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': No
> such file or directory
> ERROR: Failed to list members of "DOM\Domänen-Admins" group - (1,
> "Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or
> directory")
> root at nas1:/var/lib/samba#
>
> (is this normal in domain member mode?)
>
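A small checker for the kind of smb.conf quoted above, added here as an example (not code from the thread or from the Samba project): it reads [global] and flags settings that conflict with the Samba wiki's domain-member and Windows-ACL share setup, namely an explicit server role other than member server next to security = ADS, a missing acl_xattr module or map acl inherit, a missing default idmap range, and idmap ranges that overlap. The parser is deliberately minimal (no include or line-continuation handling) and SAMPLE_CONF is a constructed, reduced copy of the quoted [global] section.

```python
import re
from itertools import combinations

def parse_smb_conf(text):
    """smb.conf -> {section: {param: value}}; keys lower-cased, blanks squeezed ('idmap config dom:range')."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            sections[current][key] = value.strip()
    return sections

def check_domain_member(text):
    """Findings for [global] settings that conflict with the Samba wiki's
    domain-member and Windows-ACL share setup (empty list: nothing flagged)."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    role = g.get("server role", "auto").lower()  # only the default 'auto' or 'member server' fit security = ADS
    if g.get("security", "").lower() == "ads" and role not in ("auto", "member server"):
        findings.append("server role conflicts with security = ADS")
    if "acl_xattr" not in g.get("vfs objects", "").split():
        findings.append("vfs objects does not load acl_xattr")
    if g.get("map acl inherit", "no").lower() != "yes":
        findings.append("map acl inherit is not yes")
    # key 'idmap config <name>:range' -> <name> is the third word of the key
    ranges = {k.split(":")[0].split(" ", 2)[2]: tuple(int(n) for n in v.split("-"))
              for k, v in g.items() if k.startswith("idmap config ") and k.endswith(":range")}
    if "*" not in ranges:
        findings.append("no idmap config * : range for the default backend")
    for a, b in combinations(sorted(ranges), 2):  # every pair of ranges must be disjoint
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            findings.append(f"idmap ranges of {a} and {b} overlap")
    return findings

# Constructed, reduced copy of the [global] section quoted in the thread.
SAMPLE_CONF = """[global]
security = ADS
vfs objects = acl_xattr
map acl inherit = yes
    server role = standalone server
idmap config * : range = 3000-7999
idmap config DOM : range = 10000-99999
"""
```

Running check_domain_member(SAMPLE_CONF) reports only the server role conflict; swapping in member server clears it, and narrowing the DOM range to 5000-9999 adds an overlap finding.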
