Discussion:
[Samba] getfacl not have domain name and samba4 not work correctly
Ulisses Féres
2016-06-30 14:24:45 UTC
Hi.

Sorry. Today I have a big problem with Samba that I cannot solve!

My permissions do not work properly. In RSAT I created groups, an OU and
users. I configured in Windows the shared directory *TECNOLOGIA* security
settings, assigning full permissions to *grupo_tecnologia* (technology
group).

However, when users whose primary group is *grupo_tecnologia* try to access
the share, a popup opens asking for the user/password, and it does not
accept access.

I noticed on Linux with getfacl that DOMAIN is not properly set, as in
red:


*[***@smb ~]# getfacl /shares/c/tecnologia/*
# file: shares/c/tecnologia/
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:domain\040admins:rwx
*user:grupo_tecnologia:rwx*
group::---
group:root:---
group:BUILTIN\134administrators:rwx
group:domain\040admins:rwx
*group:grupo_tecnologia:rwx*
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:domain\040admins:rwx
*default:user:grupo_tecnologia:rwx*
default:group::---
default:group:root:---
default:group:BUILTIN\134administrators:rwx
default:group:domain\040admins:rwx
*default:group:grupo_tecnologia:rwx*
default:mask::rwx
default:other::---


Should it not be:

*default:group:ROPA\grupo_tecnologia:rwx*

I believe all my problem may be due to this.




*IP Server:* 192.168.1.99

*[***@smb ~]# smbd -V*
Version 4.2.13

*[***@smb ~]# smbclient -V*
Version 4.2.13

*I tried installing version 4.4.4 but this error continues*


*[***@smb ~]# cat /etc/samba/smb.conf*
# Global parameters
[global]
workgroup = ROPA
realm = ROPA.INTRANET
netbios name = SMB
server role = active directory domain controller
dns forwarder = 8.8.8.8

[netlogon]
path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No


[tecnologia]
comment = tecnologia
path = /shares/c/tecnologia
read only = no



*[***@smb ~]# cat /etc/resolv.conf*
domain ropa.intranet
search ropa.intranet
nameserver 192.168.1.99
nameserver 8.8.8.8

*[***@smb ~]# cat /etc/hosts*
127.0.0.1 localhost localhost.localdomain localhost4
localhost4.localdomain4 smb smb.ropa.intranet


*[***@smb ~]# testparm*
Load smb config files from /usr/local/samba/etc/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[tecnologia]"

Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = ROPA
realm = ROPA.INTRANET
server role = active directory domain controller
passdb backend = samba_dsdb
dns forwarder = 8.8.8.8
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr


[netlogon]
path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
read only = No


[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No


[tecnologia]
comment = tecnologia
path = /shares/c/tecnologia
read only = No

*[***@smb ~]# klist*
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@ROPA.INTRANET

Valid starting Expires Service principal
06/24/2016 01:21:09 06/24/2016 11:21:09 krbtgt/***@ROPA.INTRANET
renew until 06/25/2016 01:21:04

*[***@smb~]# uname -a*
Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


Thanks a lot!
Ulisses.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Jason Waters
2016-06-30 15:10:06 UTC
I don't think your hosts file should be
localhost4.localdomain4 smb smb.ropa.intranet

It should be
192.168.1.99 smb smb.ropa.intranet

Then I would check whether wbinfo -g returns groups.

Also, what does your /etc/nsswitch.conf file look like?
Ulisses Féres
2016-07-02 13:54:39 UTC
Thanks for helping me.

I changed /etc/hosts!

Other details:

*[***@smb~]# cat /etc/nsswitch.conf*
passwd: files sss winbind
shadow: files sss winbind
group: files sss winbind
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus


*[***@smb~]# wbinfo -g*
enterprise read-only domain controllers
domain admins
domain users
domain guests
domain computers
domain controllers
schema admins
enterprise admins
group policy creator owners
read-only domain controllers
grupo_tecnologia


*[***@smb~]# cat /etc/security/limits.conf*
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384

*[***@smb~]# cat /etc/krb5.conf*
[libdefaults]
default_realm = ROPA.INTRANET
dns_lookup_realm = false
dns_lookup_kdc = true


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

ROPA.INTRANET = {
kdc = smb.ropa.intranet
default_domain = ropa.intranet
admin_server = SMB.ROPA.INTRANET
}

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[domain_realm]
.ROPA.INTRANET = ROPA.INTRANET
.ROPA = ROPA.INTRANET
.ROPA.intranet = ROPA.INTRANET



*[***@smb ~]# net rpc rights list accounts -Uadministrator*
Enter administrator's password:
ROPA\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Print Operators
SeLoadDriverPrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Account Operators
SeInteractiveLogonRight

BUILTIN\Backup Operators
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Administrators
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
SeInteractiveLogonRight
SeNetworkLogonRight
SeRemoteInteractiveLogonRight
SeDiskOperatorPrivilege

BUILTIN\Server Operators
SeBackupPrivilege
SeSystemtimePrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Pre-Windows 2000 Compatible Access
SeRemoteInteractiveLogonRight
SeChangeNotifyPrivilege
Ulisses Féres
2016-07-04 13:54:25 UTC
Sorry, the original message was in error. It follows:


Hi. Sorry. Today I have a big problem with Samba that I cannot solve! My
permissions do not work properly. In RSAT I created groups, an OU and users.
I configured in Windows the shared directory *TECNOLOGIA* security settings,
assigning full permissions to *grupo_tecnologia* (technology group).
However, when users whose primary group is *grupo_tecnologia* try to access
the share, a popup opens asking for the user/password, and it does not
accept access. I noticed on Linux with getfacl that DOMAIN is not properly
set, as in bold:



[***@smb ~]# getfacl /shares/c/tecnologia/
# file: shares/c/tecnologia/
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:domain\040admins:rwx
*user:grupo_tecnologia:rwx*
group::---
group:root:---
group:BUILTIN\134administrators:rwx
group:domain\040admins:rwx
*group:grupo_tecnologia:rwx*
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:domain\040admins:rwx
*default:user:grupo_tecnologia:rwx*
default:group::---
default:group:root:---
default:group:BUILTIN\134administrators:rwx
default:group:domain\040admins:rwx
*default:group:grupo_tecnologia:rwx*
default:mask::rwx
default:other::---


It was not to be:

*default:group:ROPA\grupo_tecnologia:rwx*

I believe all my problem may be due to this.



*IP Server:* 192.168.1.99

*[***@smb ~]# smbd -V*
Version 4.2.13

*[***@smb ~]# smbclient -V*
Version 4.2.13

*I tried installing version 4.4.4 but this error continues*

*[***@smb ~]# cat /etc/samba/smb.conf*
# Global parameters
[global]
workgroup = ROPA
realm = ROPA.INTRANET
netbios name = SMB
server role = active directory domain controller
dns forwarder = 8.8.8.8

[netlogon]
path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No


[tecnologia]
comment = tecnologia
path = /shares/c/tecnologia
read only = no


*[***@smb ~]# cat /etc/resolv.conf*
domain ropa.intranet
search ropa.intranet
nameserver 192.168.1.99
nameserver 8.8.8.8

*[***@smb ~]# cat /etc/hosts*
127.0.0.1 localhost localhost.localdomain localhost4
localhost4.localdomain4
192.168.1.99 smb smb.ropa.intranet

*[***@smb ~]# testparm*

Load smb config files from /usr/local/samba/etc/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[tecnologia]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = ROPA
realm = ROPA.INTRANET
server role = active directory domain controller
passdb backend = samba_dsdb
dns forwarder = 8.8.8.8
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr
[netlogon]
path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[tecnologia]
comment = tecnologia
path = /shares/c/tecnologia
read only = No

*[***@smb ~]# klist*
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@ROPA.INTRANET

Valid starting Expires Service principal
06/24/2016 01:21:09 06/24/2016 11:21:09 krbtgt/***@ROPA.INTRANET
renew until 06/25/2016 01:21:04

*[***@smb~]# uname -a*
Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


*[***@smb~]# cat /etc/nsswitch.conf*
passwd: files sss winbind
shadow: files sss winbind
group: files sss winbind
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus

*[***@smb~]# wbinfo -g*
enterprise read-only domain controllers
domain admins
domain users
domain guests
domain computers
domain controllers
schema admins
enterprise admins
group policy creator owners
read-only domain controllers
grupo_tecnologia

*[***@smb~]# cat /etc/security/limits.conf*
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384

*[***@smb~]# cat /etc/krb5.conf*
[libdefaults]
default_realm = ROPA.INTRANET
dns_lookup_realm = false
dns_lookup_kdc = true

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

ROPA.INTRANET = {
kdc = smb.ropa.intranet
default_domain = ropa.intranet
admin_server = SMB.ROPA.INTRANET
}

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[domain_realm]
.ROPA.INTRANET = ROPA.INTRANET
.ROPA = ROPA.INTRANET
.ROPA.intranet = ROPA.INTRANET

*[***@smb ~]# net rpc rights list accounts -Uadministrator*
Enter administrator's password:
ROPA\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Print Operators
SeLoadDriverPrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Account Operators
SeInteractiveLogonRight

BUILTIN\Backup Operators
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Administrators
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
SeInteractiveLogonRight
SeNetworkLogonRight
SeRemoteInteractiveLogonRight
SeDiskOperatorPrivilege

BUILTIN\Server Operators
SeBackupPrivilege
SeSystemtimePrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Pre-Windows 2000 Compatible Access
SeRemoteInteractiveLogonRight
SeChangeNotifyPrivilege
mathias dufresne
2016-07-04 14:34:03 UTC
Hi,

First, I won't read the end. Notepad or something as clever as that tool put
the data on big lines, which is unreadable.

Now, and to stop complaining: the fact that AD user names are displayed with or
without WORKGROUP\ is not an issue. The display is local to the system,
managed by Samba (or winbindd), and so the local Samba should act
according to what is configured in smb.conf regarding whether the
workgroup is displayed in the user name or not.

Not sure it is clear :D

Anyway: to change that behaviour and get id, getfacl... on your system showing
WORKGROUP\username rather than username, I think the smb.conf option is
"winbind use default domain = yes".

If you are not using Winbind, the replacement tool should also come with
that option.
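The following script is an added example, not code from this thread or from the Samba project. It parses the getfacl output quoted in the original post (embedded below as a constructed sample, decoding the `\040` and `\134` octal escapes getfacl uses for space and backslash), checks every named entry against the `wbinfo -g` list from the follow-up (also embedded) and the workgroup `ROPA` from smb.conf, and reports whether each name is local, BUILTIN, `ROPA\`-qualified or an unqualified winbind name, together with the permission that remains after the `mask::` entry is applied. It makes the point above visible: when winbind itself lists `domain admins` and `grupo_tecnologia` without a prefix, unprefixed ACL entries are consistent with that display. The classification labels and function names are my own.

```python
"""Added example: decode getfacl(1) output and audit how its named entries are
qualified, using the ACL and the wbinfo -g list quoted in this thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the access ACL from the original post as getfacl prints it
# (\040 is a space, \134 a backslash; asterisks are the poster's bold markup).
GETFACL_SAMPLE = """\
# file: shares/c/tecnologia/
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\\134administrators:rwx
user:domain\\040admins:rwx
*user:grupo_tecnologia:rwx*
group::---
group:root:---
group:BUILTIN\\134administrators:rwx
group:domain\\040admins:rwx
*group:grupo_tecnologia:rwx*
mask::rwx
other::---
default:group:grupo_tecnologia:rwx
"""

# Constructed sample: group names winbind reported in the follow-up (wbinfo -g).
WBINFO_G_SAMPLE = """\
domain admins
domain users
enterprise admins
grupo_tecnologia
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(name: str) -> str:
    """Decode the octal escapes getfacl uses for space (\\040) and backslash (\\134)."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), name)


@dataclass(frozen=True)
class AclEntry:
    default: bool   # True for a default: entry (inherited by new children)
    tag: str        # user, group, mask or other
    qualifier: str  # decoded name; empty for owner, owning group, mask and other
    perms: str      # rwx-style permission triple


def parse_getfacl(text: str) -> list[AclEntry]:
    """Parse getfacl long output; tolerates '#effective:' comments and bold asterisks."""
    entries: list[AclEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().strip("*")
        if not line:
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        head, perms = line.rsplit(":", 1)
        tag, qualifier = head.split(":", 1)
        entries.append(AclEntry(default, tag, unescape(qualifier), perms))
    return entries


def effective_perms(entry: AclEntry, mask: str) -> str:
    """Named users, the owning group and named groups are limited by the mask entry."""
    if entry.tag in ("other", "mask") or (entry.tag == "user" and not entry.qualifier):
        return entry.perms
    return "".join(p if m != "-" else "-" for p, m in zip(entry.perms, mask))


def classify_qualifier(name: str, workgroup: str, winbind_names: set[str]) -> str:
    """Return builtin, domain (WORKGROUP\\name), foreign-domain, domain-unqualified or local."""
    if "\\" in name:
        prefix = name.partition("\\")[0].upper()
        if prefix == "BUILTIN":
            return "builtin"
        return "domain" if prefix == workgroup.upper() else "foreign-domain"
    return "domain-unqualified" if name.lower() in winbind_names else "local"


def audit_share_acl(getfacl_text: str, wbinfo_text: str, workgroup: str) -> dict:
    """Map (tag, name) of every named access entry to (classification, effective perms)."""
    winbind_names = {ln.strip().lower() for ln in wbinfo_text.splitlines() if ln.strip()}
    entries = parse_getfacl(getfacl_text)
    mask = next((e.perms for e in entries if e.tag == "mask" and not e.default), "rwx")
    report = {}
    for e in entries:
        if e.default or e.tag not in ("user", "group") or not e.qualifier:
            continue
        kind = classify_qualifier(e.qualifier, workgroup, winbind_names)
        report[(e.tag, e.qualifier)] = (kind, effective_perms(e, mask))
    return report


if __name__ == "__main__":
    for (tag, name), (kind, perms) in audit_share_acl(GETFACL_SAMPLE, WBINFO_G_SAMPLE, "ROPA").items():
        print(f"{tag:5} {name:24} {kind:19} effective={perms}")
```

Run it with `python3` on the embedded samples, or feed it `getfacl` and `wbinfo -g` output from a real server. The mask step matters in practice: a restrictive `mask::` entry silently cuts every named `rwx` entry down to the mask, which is a common reason an ACL that looks complete still denies access.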
L.P.H. van Belle
2016-07-04 14:56:47 UTC
Hai,
> I configured in Windows the shared directory *TECNOLOGIA* security settings
> assigning full permissions to *grupo_tecnologia* (technology group).
What are the "share" rights on that share?
For example, did you remove Authenticated Users or Everyone and add a new one?

Is this a share which only Windows users access? Then try adding
acl_xattr:ignore system acl = yes
to your share!

DO RE-APPLY YOUR SHARE AND SECURITY SETTINGS TO BE SURE IT'S SET OK.

You are missing a right somewhere on the share or folder, or you're missing a UID/GID somewhere.

Look here :
https://wiki.samba.org/index.php/File_sharing

and choose one of the share setups; don't mix them.



Regards,

Louis