Hi Rowland,
I had to split smbd and winbindd config to work around some bugs in credentials
offline caching.
I have a separate winbindd.conf, it looks like this:
[global]
### Network ###
netbios name = Fileserver
server string = Fileserver (%h V:%v)
### ad member ###
workgroup = INTRANET
realm = INTRANET.MYCOMPANY.DE
security = ADS
kerberos method = secrets and keytab
### WINS ###
wins server = 192.168.0.197
name resolve order = wins host bcast
### winbind config ###
winbind offline logon = yes
winbind cache time = 600
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 1
winbind nested groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 1000000 - 1999999
idmap config INTRANET : backend = ad
idmap config INTRANET : schema_mode = rfc2307
idmap config INTRANET : range = 5000 - 40000
### offline mode is not working without those ###
winbind normalize names = no
map untrusted to domain = no
### performance ###
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
Greetings,
Felix
-----Ursprüngliche Nachricht-----
Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland
Penny
Gesendet: Dienstag, 4. August 2015 15:17
An: samba at lists.samba.org
Betreff: Re: [Samba] Cannot change directory permissions
On 04/08/15 14:11, Felix Matouschek wrote:> Hi Rowland,
>
> my users are known to the OS
The smb.conf you posted earlier would seem to suggest that they aren't, what
does 'getent passwd <username>' produce ?
Rowland
> , they also have the correct permissions to alter the settings.
> Doing so on the CLI does work when logged in via SSH.
>
> When opening the Security Tab the users and groups are displayed, only on
directories there are no checkmarks under Read, Write etc.
> I also cannot set any checkmarks for Read, Write etc.
>
> When viewing the Security Tab of a file everything works and I can see and
set the checkmarks.
>
> Do you know what could be wrong?
>
> Greetings,
> Felix
>
> -----Ursprüngliche Nachricht-----
> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von
> Rowland Penny
> Gesendet: Dienstag, 4. August 2015 12:55
> An: samba at lists.samba.org
> Betreff: Re: [Samba] Cannot change directory permissions
>
> On 04/08/15 11:46, Felix Matouschek wrote:
>> Hi Rowland,
>>
>> when saying 'I' I theoretically meant any user that has write
access to the share.
>>
>> It should be possible to right click the directory in windows, the go
to security tab and remove the write permissions on the directory.
>>
>> This behaviour already works with files, I'm trying to figure out
how to make it also work for directories.
>>
>> Greetings,
>> Felix
>>
>> -----Ursprüngliche Nachricht-----
>> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von
>> Rowland Penny
>> Gesendet: Dienstag, 4. August 2015 11:57
>> An: samba at lists.samba.org
>> Betreff: Re: [Samba] Cannot change directory permissions
>>
>> On 04/08/15 10:07, Felix Matouschek wrote:
>>> Hello,
>>>
>>> I occasionally need to remove the write permissions from
directories inside a share to prevent users from accidentally deleting files
inside that directory.
>>>
>>> My problem is that I neither can view nor can change the
permissions of directories on my shares.
>>> Curiously enough viewing and changing permissions of files in the
same shares works without a problem.
>>>
>>> Is there anything I misconfigured?
>>>
>>> My smb.conf looks like this:
>>>
>>> [global]
>>> ### Network ###
>>> netbios name = Fileserver
>>> server string = Fileserver (%h V:%v)
>>>
>>> ### ad member ###
>>> workgroup = INTRANET
>>> realm = INTRANET.MYCOMPANY.DE
>>> security = ADS
>>> kerberos method = secrets and keytab
>>>
>>> ### WINS ###
>>> wins server = 192.168.0.197
>>> name resolve order = wins host bcast
>>>
>>> ### logins without prepending INTRANET\ ###
>>> map untrusted to domain = yes
>>>
>>> ### other settings ###
>>> unix extensions = no
>>> invalid users = root
>>>
>>> ### make exe files executable on windows without x bit ###
>>> acl allow execute always = yes
>>>
>>> ### performance ###
>>> deadtime = 10
>>> use sendfile = yes
>>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>>>
>>> ### prevent unwanted files ###
>>> veto files =
/$RECYCLE.BIN/desktop.ini/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/._.apdisk/.TemporaryItems/._.TemporaryItems/.Trashes/._.Trashes
>>> delete veto files = yes
>>>
>>> ### SHARES ###
>>>
>>> [Exchange]
>>> path = /home/nobackup/exchange
>>> guest ok = yes
>>> read only = no
>>> create mask = 660
>>> directory mask = 770
>>> force group = exchange-users
>>>
>>> Greetings,
>>> Felix
>> Hi, when you say ' I occasionally need to remove the write
permissions', whom is the 'I', is this the Administrator ?
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
> I am fairly sure your problem is a misconfiguration of smb.conf, for a
start have a look here:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> To change directory settings, your users and groups need to be known to the
underlying Unix OS and have the required permissions to alter the settings.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
On 04/08/15 15:29, Felix Matouschek wrote:> Hi Rowland, > > I had to split smbd and winbindd config to work around some bugs in credentials offline caching. > I have a separate winbindd.conf, it looks like this: > > [global] > ### Network ### > netbios name = Fileserver > server string = Fileserver (%h V:%v) > > ### ad member ### > workgroup = INTRANET > realm = INTRANET.MYCOMPANY.DE > security = ADS > kerberos method = secrets and keytab > > ### WINS ### > wins server = 192.168.0.197 > name resolve order = wins host bcast > > ### winbind config ### > winbind offline logon = yes > winbind cache time = 600 > winbind enum users = yes > winbind enum groups = yes > winbind expand groups = 1 > winbind nested groups = yes > winbind use default domain = yes > winbind refresh tickets = yes > winbind nss info = rfc2307 > idmap config * : backend = tdb > idmap config * : range = 1000000 - 1999999 > idmap config INTRANET : backend = ad > idmap config INTRANET : schema_mode = rfc2307 > idmap config INTRANET : range = 5000 - 40000 > > ### offline mode is not working without those ### > winbind normalize names = no > map untrusted to domain = no > > ### performance ### > socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE > > Greetings, > Felix > > -----Ursprüngliche Nachricht----- > Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland Penny > Gesendet: Dienstag, 4. August 2015 15:17 > An: samba at lists.samba.org > Betreff: Re: [Samba] Cannot change directory permissions > > On 04/08/15 14:11, Felix Matouschek wrote: >> Hi Rowland, >> >> my users are known to the OS > The smb.conf you posted earlier would seem to suggest that they aren't, what does 'getent passwd <username>' produce ? > > Rowland > >> , they also have the correct permissions to alter the settings. >> Doing so on the CLI does work when logged in via SSH. >> >> When opening the Security Tab the users and groups are displayed, only on directories there are no checkmarks under Read, Write etc. >> I also cannot set any checkmarks for Read, Write etc. >> >> When viewing the Security Tab of a file everything works and I can see and set the checkmarks. >> >> Do you know what could be wrong? >> >> Greetings, >> Felix >> >> -----Ursprüngliche Nachricht----- >> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von >> Rowland Penny >> Gesendet: Dienstag, 4. August 2015 12:55 >> An: samba at lists.samba.org >> Betreff: Re: [Samba] Cannot change directory permissions >> >> On 04/08/15 11:46, Felix Matouschek wrote: >>> Hi Rowland, >>> >>> when saying 'I' I theoretically meant any user that has write access to the share. >>> >>> It should be possible to right click the directory in windows, the go to security tab and remove the write permissions on the directory. >>> >>> This behaviour already works with files, I'm trying to figure out how to make it also work for directories. >>> >>> Greetings, >>> Felix >>> >>> -----Ursprüngliche Nachricht----- >>> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von >>> Rowland Penny >>> Gesendet: Dienstag, 4. August 2015 11:57 >>> An: samba at lists.samba.org >>> Betreff: Re: [Samba] Cannot change directory permissions >>> >>> On 04/08/15 10:07, Felix Matouschek wrote: >>>> Hello, >>>> >>>> I occasionally need to remove the write permissions from directories inside a share to prevent users from accidentally deleting files inside that directory. >>>> >>>> My problem is that I neither can view nor can change the permissions of directories on my shares. >>>> Curiously enough viewing and changing permissions of files in the same shares works without a problem. >>>> >>>> Is there anything I misconfigured? >>>> >>>> My smb.conf looks like this: >>>> >>>> [global] >>>> ### Network ### >>>> netbios name = Fileserver >>>> server string = Fileserver (%h V:%v) >>>> >>>> ### ad member ### >>>> workgroup = INTRANET >>>> realm = INTRANET.MYCOMPANY.DE >>>> security = ADS >>>> kerberos method = secrets and keytab >>>> >>>> ### WINS ### >>>> wins server = 192.168.0.197 >>>> name resolve order = wins host bcast >>>> >>>> ### logins without prepending INTRANET\ ### >>>> map untrusted to domain = yes >>>> >>>> ### other settings ### >>>> unix extensions = no >>>> invalid users = root >>>> >>>> ### make exe files executable on windows without x bit ### >>>> acl allow execute always = yes >>>> >>>> ### performance ### >>>> deadtime = 10 >>>> use sendfile = yes >>>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE >>>> >>>> ### prevent unwanted files ### >>>> veto files = /$RECYCLE.BIN/desktop.ini/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/._.apdisk/.TemporaryItems/._.TemporaryItems/.Trashes/._.Trashes >>>> delete veto files = yes >>>> >>>> ### SHARES ### >>>> >>>> [Exchange] >>>> path = /home/nobackup/exchange >>>> guest ok = yes >>>> read only = no >>>> create mask = 660 >>>> directory mask = 770 >>>> force group = exchange-users >>>> >>>> Greetings, >>>> Felix >>> Hi, when you say ' I occasionally need to remove the write permissions', whom is the 'I', is this the Administrator ? >>> >>> Rowland >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >> I am fairly sure your problem is a misconfiguration of smb.conf, for a start have a look here: >> >> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server >> >> To change directory settings, your users and groups need to be known to the underlying Unix OS and have the required permissions to alter the settings. >> >> Rowland >> >>I am now officially lost, are you telling me that you have a smb.conf and a winbindd.conf ? If you have a winbindd.conf, how are you telling winbindd to load it ? Also I don't use the winbind offline logon feature, but I thought you have to have 'cached_login = yes' in the file: /etc/security/pam_winbind.conf. Does 'getent passwd' display all your AD domains ? Rowland Rowland
Hi Rowland, yes I do have two separate config files for smbd/nmbd and winbindd. You can tell winbindd to load a separate config file via the "-s" command line switch. Therefore I set "WINBINDD_EXTRA_OPTS" in "/etc/default/sernet-samba" to "-s /etc/samba/winbindd.conf". The "cached_login" option for pam is also set and working. The problem was the parameter "map untrusted to domain" in smb.conf. We need this parameter for smbd so that users with non-domain computers are able to enter just their username instead of INTRANET\username. However settting this parameter to yes prevents winbindd from correctly enabling the offline logons. (Maybe a bug?) Hence I set "map untrusted to domain" in smb.conf to yes and in winbindd.conf to no. All other settings that are used by both daemons are equal. "getent passwd" and "getent group" work, I see all my domain users and groups. It is just that users cannot modify the read/write permissions of directories via the Windows security tab. How can I solve this problem? Greetings, Felix> Am 04.08.2015 um 17:38 schrieb Rowland Penny <rowlandpenny241155 at gmail.com>: > >> On 04/08/15 15:29, Felix Matouschek wrote: >> Hi Rowland, >> >> I had to split smbd and winbindd config to work around some bugs in credentials offline caching. >> I have a separate winbindd.conf, it looks like this: >> >> [global] >> ### Network ### >> netbios name = Fileserver >> server string = Fileserver (%h V:%v) >> >> ### ad member ### >> workgroup = INTRANET >> realm = INTRANET.MYCOMPANY.DE >> security = ADS >> kerberos method = secrets and keytab >> >> ### WINS ### >> wins server = 192.168.0.197 >> name resolve order = wins host bcast >> >> ### winbind config ### >> winbind offline logon = yes >> winbind cache time = 600 >> winbind enum users = yes >> winbind enum groups = yes >> winbind expand groups = 1 >> winbind nested groups = yes >> winbind use default domain = yes >> winbind refresh tickets = yes >> winbind nss info = rfc2307 >> idmap config * : backend = tdb >> idmap config * : range = 1000000 - 1999999 >> idmap config INTRANET : backend = ad >> idmap config INTRANET : schema_mode = rfc2307 >> idmap config INTRANET : range = 5000 - 40000 >> >> ### offline mode is not working without those ### >> winbind normalize names = no >> map untrusted to domain = no >> >> ### performance ### >> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE >> >> Greetings, >> Felix >> >> -----Ursprüngliche Nachricht----- >> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland Penny >> Gesendet: Dienstag, 4. August 2015 15:17 >> An: samba at lists.samba.org >> Betreff: Re: [Samba] Cannot change directory permissions >> >>> On 04/08/15 14:11, Felix Matouschek wrote: >>> Hi Rowland, >>> >>> my users are known to the OS >> The smb.conf you posted earlier would seem to suggest that they aren't, what does 'getent passwd <username>' produce ? >> >> Rowland >> >>> , they also have the correct permissions to alter the settings. >>> Doing so on the CLI does work when logged in via SSH. >>> >>> When opening the Security Tab the users and groups are displayed, only on directories there are no checkmarks under Read, Write etc. >>> I also cannot set any checkmarks for Read, Write etc. >>> >>> When viewing the Security Tab of a file everything works and I can see and set the checkmarks. >>> >>> Do you know what could be wrong? >>> >>> Greetings, >>> Felix >>> >>> -----Ursprüngliche Nachricht----- >>> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von >>> Rowland Penny >>> Gesendet: Dienstag, 4. August 2015 12:55 >>> An: samba at lists.samba.org >>> Betreff: Re: [Samba] Cannot change directory permissions >>> >>>> On 04/08/15 11:46, Felix Matouschek wrote: >>>> Hi Rowland, >>>> >>>> when saying 'I' I theoretically meant any user that has write access to the share. >>>> >>>> It should be possible to right click the directory in windows, the go to security tab and remove the write permissions on the directory. >>>> >>>> This behaviour already works with files, I'm trying to figure out how to make it also work for directories. >>>> >>>> Greetings, >>>> Felix >>>> >>>> -----Ursprüngliche Nachricht----- >>>> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von >>>> Rowland Penny >>>> Gesendet: Dienstag, 4. August 2015 11:57 >>>> An: samba at lists.samba.org >>>> Betreff: Re: [Samba] Cannot change directory permissions >>>> >>>>> On 04/08/15 10:07, Felix Matouschek wrote: >>>>> Hello, >>>>> I occasionally need to remove the write permissions from directories inside a share to prevent users from accidentally deleting files inside that directory. >>>>> My problem is that I neither can view nor can change the permissions of directories on my shares. >>>>> Curiously enough viewing and changing permissions of files in the same shares works without a problem. >>>>> Is there anything I misconfigured? >>>>> My smb.conf looks like this: >>>>> [global] >>>>> ### Network ### >>>>> netbios name = Fileserver >>>>> server string = Fileserver (%h V:%v) >>>>> ### ad member ### >>>>> workgroup = INTRANET >>>>> realm = INTRANET.MYCOMPANY.DE >>>>> security = ADS >>>>> kerberos method = secrets and keytab >>>>> ### WINS ### >>>>> wins server = 192.168.0.197 >>>>> name resolve order = wins host bcast >>>>> ### logins without prepending INTRANET\ ### >>>>> map untrusted to domain = yes >>>>> ### other settings ### >>>>> unix extensions = no >>>>> invalid users = root >>>>> ### make exe files executable on windows without x bit ### >>>>> acl allow execute always = yes >>>>> ### performance ### >>>>> deadtime = 10 >>>>> use sendfile = yes >>>>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE >>>>> ### prevent unwanted files ### >>>>> veto files = /$RECYCLE.BIN/desktop.ini/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/._.apdisk/.TemporaryItems/._.TemporaryItems/.Trashes/._.Trashes >>>>> delete veto files = yes >>>>> ### SHARES ### >>>>> [Exchange] >>>>> path = /home/nobackup/exchange >>>>> guest ok = yes >>>>> read only = no >>>>> create mask = 660 >>>>> directory mask = 770 >>>>> force group = exchange-users >>>>> Greetings, >>>>> Felix >>>> Hi, when you say ' I occasionally need to remove the write permissions', whom is the 'I', is this the Administrator ? >>>> >>>> Rowland >>>> >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>> I am fairly sure your problem is a misconfiguration of smb.conf, for a start have a look here: >>> >>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server >>> >>> To change directory settings, your users and groups need to be known to the underlying Unix OS and have the required permissions to alter the settings. >>> >>> Rowland > > I am now officially lost, are you telling me that you have a smb.conf and a winbindd.conf ? > > If you have a winbindd.conf, how are you telling winbindd to load it ? > > Also I don't use the winbind offline logon feature, but I thought you have to have 'cached_login = yes' in the file: /etc/security/pam_winbind.conf. > > Does 'getent passwd' display all your AD domains ? > > Rowland > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba