Ulisses Féres
2016-Jul-04 13:54 UTC
[Samba] getfacl not have domain name and samba4 not work correctly
sorry , the original message was in error. Follow:
Hi. Sorry. Today I have a big problem with the samba I can not solve! My
permissions do not work properly. in the RSAT created groups, OU and users.
I configured in Windows the shared directory *TECNOLOGIA* security settings
assigning full permissions to *grupo_tecnologia* (technology group).
However users who are with *grupo_tecnologia* (primary) to access the share
opens a popup asking for the user / password in which does not accept
access. I noticed on linux with getfacl that DOMAIN is not properly setted
as in bold:
[root at smb ~]# getfacl /shares/c/tecnologia/
# file: shares/c/tecnologia/
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:domain\040admins:rwx
*user:grupo_tecnologia:rwx*
group::---
group:root:---
group:BUILTIN\134administrators:rwx
group:domain\040admins:rwx
*group:grupo_tecnologia:rwx*
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:domain\040admins:rwx
*default:user:grupo_tecnologia:rwx*
default:group::---
default:group:root:---
default:group:BUILTIN\134administrators:rwx
default:group:domain\040admins:rwx
*default:group:grupo_tecnologia:rwx*
default:mask::rwx
default:other::---
It was not to be:
*default:group:ROPA\grupo_tecnologia:rwx*
I believe all my problem may be due to this.
*IP Server:* 192.168.1.99
*[root at smb ~]# smbd -V*
Version 4.2.13
*[root at smb ~]# smbclient -V*
Version 4.2.13
*I try install version 4.4.4 but this error continues*
*[root at smb ~]# cat /etc/samba/smb.conf*
# Global parameters
[global]
workgroup = ROPA
realm = ROPA.INTRANET
netbios name = SMB
server role = active directory domain controller
dns forwarder = 8.8.8.8
[netlogon]
path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[tecnologia]
comment = tecnologia
path = /shares/c/tecnologia
read only = no
*[root at smb ~]# cat /etc/resolv.conf*
domain ropa.intranet
search ropa.intranet
nameserver 192.168.1.99
nameserver 8.8.8.8
*[root at smb ~]# cat /etc/hosts*
127.0.0.1 localhost localhost.localdomain localhost4
localhost4.localdomain4
192.168.1.99 smb smb.ropa.intranet
*[root at smb ~]# testparm*
Load smb config files from /usr/local/samba/etc/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[tecnologia]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = ROPA
realm = ROPA.INTRANET
server role = active directory domain controller
passdb backend = samba_dsdb
dns forwarder = 8.8.8.8
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr
[netlogon]
path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[tecnologia]
comment = tecnologia
path = /shares/c/tecnologia
read only = No
*[root at smb ~]# klist*
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at ROPA.INTRANET
Valid starting Expires Service principal
06/24/2016 01:21:09 06/24/2016 11:21:09 krbtgt/ROPA.INTRANET at ROPA.INTRANET
renew until 06/25/2016 01:21:04
*[root at smb~]# uname -a*
Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29
18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root at smb~]# cat /etc/nsswitch.conf passwd: files sss winbind shadow: files
sss winbind group: files sss winbind hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files
networks: files protocols: files rpc: files services: files sss netgroup:
files sss publickey: nisplus automount: files aliases: files nisplus
[root at smb~]# wbinfo -g enterprise read-only domain controllers domain
admins domain users domain guests domain computers domain controllers
schema admins enterprise admins group policy creator owners read-only
domain controllers grupo_tecnologia [root at smb~]# cat
/etc/security/limits.conf root hard nofile 131072 root soft nofile 65536
mioutente hard nofile 32768 mioutente soft nofile 16384 [root at smb~]# cat
/etc/krb5.conf [libdefaults] default_realm = ROPA.INTRANET dns_lookup_realm
= false dns_lookup_kdc = true [logging] default FILE:/var/log/krb5libs.log kdc =
FILE:/var/log/krb5kdc.log admin_server FILE:/var/log/kadmind.log ROPA.INTRANET =
{ kdc = smb.ropa.intranet
default_domain = ropa.intranet admin_server = SMB.ROPA.INTRANET }
[appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime
= 36000 forwardable = true krb4_convert = false } [domain_realm]
.ROPA.INTRANET = ROPA.INTRANET .ROPA = ROPA.INTRANET .ROPA.intranet
ROPA.INTRANET [root at smb ~]# net rpc rights list accounts -Uadministrator
Enter administrator's password: ROPA\Domain Admins SeDiskOperatorPrivilege
BUILTIN\Print Operators SeLoadDriverPrivilege SeShutdownPrivilege
SeInteractiveLogonRight BUILTIN\Account Operators SeInteractiveLogonRight
BUILTIN\Backup Operators SeBackupPrivilege SeRestorePrivilege
SeShutdownPrivilege SeInteractiveLogonRight BUILTIN\Administrators
SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege
SeSystemtimePrivilege SeShutdownPrivilege SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege
SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege
SeUndockPrivilege PseudorrevolucionárioSeImpersonatePrivilege
SeCreateGlobalPrivilege SeEnableDelegationPrivilege SeInteractiveLogonRight
SeNetworkLogonRight SeRemoteInteractiveLogonRight SeDiskOperatorPrivilege
BUILTIN\Server Operators SeBackupPrivilege SeSystemtimePrivilege
SeRemoteShutdownPrivilege SeRestorePrivilege SeShutdownPrivilege
SeInteractiveLogonRight BUILTIN\Pre-Windows 2000 Compatible Access
SeRemoteInteractiveLogonRight SeChangeNotifyPrivilege
Rowland penny
2016-Jul-04 14:20 UTC
[Samba] getfacl not have domain name and samba4 not work correctly
On 04/07/16 14:54, Ulisses Féres wrote:> sorry , the original message was in error. Follow: > > > Hi. Sorry. Today I have a big problem with the samba I can not solve! My > permissions do not work properly. in the RSAT created groups, OU and users. > I configured in Windows the shared directory *TECNOLOGIA* security settings > assigning full permissions to *grupo_tecnologia* (technology group). > However users who are with *grupo_tecnologia* (primary) to access the share > opens a popup asking for the user / password in which does not accept > access. I noticed on linux with getfacl that DOMAIN is not properly setted > as in bold: > > > > [root at smb ~]# getfacl /shares/c/tecnologia/ > # file: shares/c/tecnologia/ > # owner: root > # group: root > user::rwx > user:root:rwx > user:BUILTIN\134administrators:rwx > user:domain\040admins:rwx > *user:grupo_tecnologia:rwx* > group::--- > group:root:--- > group:BUILTIN\134administrators:rwx > group:domain\040admins:rwx > *group:grupo_tecnologia:rwx* > mask::rwx > other::--- > default:user::rwx > default:user:root:rwx > default:user:BUILTIN\134administrators:rwx > default:user:domain\040admins:rwx > *default:user:grupo_tecnologia:rwx* > default:group::--- > default:group:root:--- > default:group:BUILTIN\134administrators:rwx > default:group:domain\040admins:rwx > *default:group:grupo_tecnologia:rwx* > default:mask::rwx > default:other::--- > > > It was not to be: > > *default:group:ROPA\grupo_tecnologia:rwx* > > I believe all my problem may be due to this. > > > > *IP Server:* 192.168.1.99 > > *[root at smb ~]# smbd -V* > Version 4.2.13 > > *[root at smb ~]# smbclient -V* > Version 4.2.13 > > *I try install version 4.4.4 but this error continues* > > *[root at smb ~]# cat /etc/samba/smb.conf* > # Global parameters > [global] > workgroup = ROPA > realm = ROPA.INTRANET > netbios name = SMB > server role = active directory domain controller > dns forwarder = 8.8.8.8 > > [netlogon] > path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts > read only = No > > [sysvol] > path = /usr/local/samba/var/locks/sysvol > read only = No > > > [tecnologia] > comment = tecnologia > path = /shares/c/tecnologia > read only = no > > > *[root at smb ~]# cat /etc/resolv.conf* > domain ropa.intranet > search ropa.intranet > nameserver 192.168.1.99 > nameserver 8.8.8.8 > > *[root at smb ~]# cat /etc/hosts* > 127.0.0.1 localhost localhost.localdomain localhost4 > localhost4.localdomain4 > 192.168.1.99 smb smb.ropa.intranet > > *[root at smb ~]# testparm* > > Load smb config files from /usr/local/samba/etc/smb.conf > Processing section "[netlogon]" > Processing section "[sysvol]" > Processing section "[tecnologia]" > Loaded services file OK. > Server role: ROLE_ACTIVE_DIRECTORY_DC > Press enter to see a dump of your service definitions > # Global parameters > [global] > workgroup = ROPA > realm = ROPA.INTRANET > server role = active directory domain controller > passdb backend = samba_dsdb > dns forwarder = 8.8.8.8 > rpc_server:tcpip = no > rpc_daemon:spoolssd = embedded > rpc_server:spoolss = embedded > rpc_server:winreg = embedded > rpc_server:ntsvcs = embedded > rpc_server:eventlog = embedded > rpc_server:srvsvc = embedded > rpc_server:svcctl = embedded > rpc_server:default = external > winbindd:use external pipes = true > idmap config * : backend = tdb > map archive = No > map readonly = no > store dos attributes = Yes > vfs objects = dfs_samba4 acl_xattr > [netlogon] > path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts > read only = No > [sysvol] > path = /usr/local/samba/var/locks/sysvol > read only = No > [tecnologia] > comment = tecnologia > path = /shares/c/tecnologia > read only = No > > *[root at smb ~]# klist* > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: administrator at ROPA.INTRANET > > Valid starting Expires Service principal > 06/24/2016 01:21:09 06/24/2016 11:21:09 krbtgt/ROPA.INTRANET at ROPA.INTRANET > renew until 06/25/2016 01:21:04 > > *[root at smb~]# uname -a* > Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 > 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux > > > [root at smb~]# cat /etc/nsswitch.conf passwd: files sss winbind shadow: files > sss winbind group: files sss winbind hosts: files dns myhostname > bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files > networks: files protocols: files rpc: files services: files sss netgroup: > files sss publickey: nisplus automount: files aliases: files nisplus > [root at smb~]# wbinfo -g enterprise read-only domain controllers domain > admins domain users domain guests domain computers domain controllers > schema admins enterprise admins group policy creator owners read-only > domain controllers grupo_tecnologia [root at smb~]# cat > /etc/security/limits.conf root hard nofile 131072 root soft nofile 65536 > mioutente hard nofile 32768 mioutente soft nofile 16384 [root at smb~]# cat > /etc/krb5.conf [libdefaults] default_realm = ROPA.INTRANET dns_lookup_realm > = false dns_lookup_kdc = true [logging] default > FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server > FILE:/var/log/kadmind.log ROPA.INTRANET = { kdc = smb.ropa.intranet > default_domain = ropa.intranet admin_server = SMB.ROPA.INTRANET } > [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime > = 36000 forwardable = true krb4_convert = false } [domain_realm] > .ROPA.INTRANET = ROPA.INTRANET .ROPA = ROPA.INTRANET .ROPA.intranet > ROPA.INTRANET [root at smb ~]# net rpc rights list accounts -Uadministrator > Enter administrator's password: ROPA\Domain Admins SeDiskOperatorPrivilege > BUILTIN\Print Operators SeLoadDriverPrivilege SeShutdownPrivilege > SeInteractiveLogonRight BUILTIN\Account Operators SeInteractiveLogonRight > BUILTIN\Backup Operators SeBackupPrivilege SeRestorePrivilege > SeShutdownPrivilege SeInteractiveLogonRight BUILTIN\Administrators > SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege > SeSystemtimePrivilege SeShutdownPrivilege SeRemoteShutdownPrivilege > SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege > SeSystemProfilePrivilege SeProfileSingleProcessPrivilege > SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege > SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege > SeUndockPrivilege PseudorrevolucionárioSeImpersonatePrivilege > SeCreateGlobalPrivilege SeEnableDelegationPrivilege SeInteractiveLogonRight > SeNetworkLogonRight SeRemoteInteractiveLogonRight SeDiskOperatorPrivilege > BUILTIN\Server Operators SeBackupPrivilege SeSystemtimePrivilege > SeRemoteShutdownPrivilege SeRestorePrivilege SeShutdownPrivilege > SeInteractiveLogonRight BUILTIN\Pre-Windows 2000 Compatible Access > SeRemoteInteractiveLogonRight SeChangeNotifyPrivilegeOK, lets start with why getfacl doesn't show the domain name for 'grupo_tecnologia' I have no idea, why don't you ask on the sssd mailing list, because this is what is returning your group name: /etc/nsswitch.conf ........... ........ group: files sss winbind 'winbind' in /etc/nsswitch.conf will very probably be ignored, because 'sss' is in front of it. I found your post to be pretty much unreadable, could you try another mail client, preferably one that doesn't squash all the text together. :-) Rowland
mathias dufresne
2016-Jul-04 14:34 UTC
[Samba] getfacl not have domain name and samba4 not work correctly
Hi, First I won't read the end. Notepad or something as clever as that tool put data on big lines, which is unreadable. Now and to stop complaining, the fact AD user names are displayed with or without WORKGROUP\ is not an issue: the display is local to the system, managed by Samba (or Winbind[d]) and so the local Samba should act accordingly to what is configured into smb.conf relatively to the fact work group is displayed or not in user name. Not sure it is clear :D Anyway: to change that behaviour and get id, getfacl... your system showing WORKGROUP\username rather than username I think the smb.conf option is "winbind use default domain = yes". If you are not using Winbind, the replacement tool should also come with that option. 2016-07-04 15:54 GMT+02:00 Ulisses Féres <uferes2 at gmail.com>:> sorry , the original message was in error. Follow: > > > Hi. Sorry. Today I have a big problem with the samba I can not solve! My > permissions do not work properly. in the RSAT created groups, OU and users. > I configured in Windows the shared directory *TECNOLOGIA* security settings > assigning full permissions to *grupo_tecnologia* (technology group). > However users who are with *grupo_tecnologia* (primary) to access the share > opens a popup asking for the user / password in which does not accept > access. I noticed on linux with getfacl that DOMAIN is not properly setted > as in bold: > > > > [root at smb ~]# getfacl /shares/c/tecnologia/ > # file: shares/c/tecnologia/ > # owner: root > # group: root > user::rwx > user:root:rwx > user:BUILTIN\134administrators:rwx > user:domain\040admins:rwx > *user:grupo_tecnologia:rwx* > group::--- > group:root:--- > group:BUILTIN\134administrators:rwx > group:domain\040admins:rwx > *group:grupo_tecnologia:rwx* > mask::rwx > other::--- > default:user::rwx > default:user:root:rwx > default:user:BUILTIN\134administrators:rwx > default:user:domain\040admins:rwx > *default:user:grupo_tecnologia:rwx* > default:group::--- > default:group:root:--- > default:group:BUILTIN\134administrators:rwx > default:group:domain\040admins:rwx > *default:group:grupo_tecnologia:rwx* > default:mask::rwx > default:other::--- > > > It was not to be: > > *default:group:ROPA\grupo_tecnologia:rwx* > > I believe all my problem may be due to this. > > > > *IP Server:* 192.168.1.99 > > *[root at smb ~]# smbd -V* > Version 4.2.13 > > *[root at smb ~]# smbclient -V* > Version 4.2.13 > > *I try install version 4.4.4 but this error continues* > > *[root at smb ~]# cat /etc/samba/smb.conf* > # Global parameters > [global] > workgroup = ROPA > realm = ROPA.INTRANET > netbios name = SMB > server role = active directory domain controller > dns forwarder = 8.8.8.8 > > [netlogon] > path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts > read only = No > > [sysvol] > path = /usr/local/samba/var/locks/sysvol > read only = No > > > [tecnologia] > comment = tecnologia > path = /shares/c/tecnologia > read only = no > > > *[root at smb ~]# cat /etc/resolv.conf* > domain ropa.intranet > search ropa.intranet > nameserver 192.168.1.99 > nameserver 8.8.8.8 > > *[root at smb ~]# cat /etc/hosts* > 127.0.0.1 localhost localhost.localdomain localhost4 > localhost4.localdomain4 > 192.168.1.99 smb smb.ropa.intranet > > *[root at smb ~]# testparm* > > Load smb config files from /usr/local/samba/etc/smb.conf > Processing section "[netlogon]" > Processing section "[sysvol]" > Processing section "[tecnologia]" > Loaded services file OK. > Server role: ROLE_ACTIVE_DIRECTORY_DC > Press enter to see a dump of your service definitions > # Global parameters > [global] > workgroup = ROPA > realm = ROPA.INTRANET > server role = active directory domain controller > passdb backend = samba_dsdb > dns forwarder = 8.8.8.8 > rpc_server:tcpip = no > rpc_daemon:spoolssd = embedded > rpc_server:spoolss = embedded > rpc_server:winreg = embedded > rpc_server:ntsvcs = embedded > rpc_server:eventlog = embedded > rpc_server:srvsvc = embedded > rpc_server:svcctl = embedded > rpc_server:default = external > winbindd:use external pipes = true > idmap config * : backend = tdb > map archive = No > map readonly = no > store dos attributes = Yes > vfs objects = dfs_samba4 acl_xattr > [netlogon] > path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts > read only = No > [sysvol] > path = /usr/local/samba/var/locks/sysvol > read only = No > [tecnologia] > comment = tecnologia > path = /shares/c/tecnologia > read only = No > > *[root at smb ~]# klist* > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: administrator at ROPA.INTRANET > > Valid starting Expires Service principal > 06/24/2016 01:21:09 06/24/2016 11:21:09 > krbtgt/ROPA.INTRANET at ROPA.INTRANET > renew until 06/25/2016 01:21:04 > > *[root at smb~]# uname -a* > Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 > 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux > > > [root at smb~]# cat /etc/nsswitch.conf passwd: files sss winbind shadow: > files > sss winbind group: files sss winbind hosts: files dns myhostname > bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files > networks: files protocols: files rpc: files services: files sss netgroup: > files sss publickey: nisplus automount: files aliases: files nisplus > [root at smb~]# wbinfo -g enterprise read-only domain controllers domain > admins domain users domain guests domain computers domain controllers > schema admins enterprise admins group policy creator owners read-only > domain controllers grupo_tecnologia [root at smb~]# cat > /etc/security/limits.conf root hard nofile 131072 root soft nofile 65536 > mioutente hard nofile 32768 mioutente soft nofile 16384 [root at smb~]# cat > /etc/krb5.conf [libdefaults] default_realm = ROPA.INTRANET dns_lookup_realm > = false dns_lookup_kdc = true [logging] default > FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server > FILE:/var/log/kadmind.log ROPA.INTRANET = { kdc = smb.ropa.intranet > default_domain = ropa.intranet admin_server = SMB.ROPA.INTRANET } > [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime > = 36000 forwardable = true krb4_convert = false } [domain_realm] > .ROPA.INTRANET = ROPA.INTRANET .ROPA = ROPA.INTRANET .ROPA.intranet > ROPA.INTRANET [root at smb ~]# net rpc rights list accounts -Uadministrator > Enter administrator's password: ROPA\Domain Admins SeDiskOperatorPrivilege > BUILTIN\Print Operators SeLoadDriverPrivilege SeShutdownPrivilege > SeInteractiveLogonRight BUILTIN\Account Operators SeInteractiveLogonRight > BUILTIN\Backup Operators SeBackupPrivilege SeRestorePrivilege > SeShutdownPrivilege SeInteractiveLogonRight BUILTIN\Administrators > SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege > SeSystemtimePrivilege SeShutdownPrivilege SeRemoteShutdownPrivilege > SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege > SeSystemProfilePrivilege SeProfileSingleProcessPrivilege > SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege > SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege > SeUndockPrivilege PseudorrevolucionárioSeImpersonatePrivilege > SeCreateGlobalPrivilege SeEnableDelegationPrivilege SeInteractiveLogonRight > SeNetworkLogonRight SeRemoteInteractiveLogonRight SeDiskOperatorPrivilege > BUILTIN\Server Operators SeBackupPrivilege SeSystemtimePrivilege > SeRemoteShutdownPrivilege SeRestorePrivilege SeShutdownPrivilege > SeInteractiveLogonRight BUILTIN\Pre-Windows 2000 Compatible Access > SeRemoteInteractiveLogonRight SeChangeNotifyPrivilege > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
L.P.H. van Belle
2016-Jul-04 14:56 UTC
[Samba] getfacl not have domain name and samba4 not work correctly
Hai,>I configured in Windows the shared directory *TECNOLOGIA* security settings >assigning full permissions to *grupo_tecnologia* (technology group).What are the "share" rights on that share. For example did you remove authenticated users or everyone and added a new one? Is this a share which windows users only accesses.. try adding acl_xattr:ignore system acl = yes to your share. !! DO RE-APLY YOUR SHARE AND SECURITY SETTINGS TO BE SURE ITS SET OK. You are missing a right somewhere on share or folder or your missing an UID/GID somewhere. Look here : https://wiki.samba.org/index.php/File_sharing and choose 1 of the Setup shares, dont mix them. Gr. Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens mathias dufresne > Verzonden: maandag 4 juli 2016 16:34 > Aan: Ulisses Féres > CC: samba > Onderwerp: Re: [Samba] getfacl not have domain name and samba4 not work > correctly > > Hi, > > First I won't read the end. Notepad or something as clever as that tool > put > data on big lines, which is unreadable. > > Now and to stop complaining, the fact AD user names are displayed with or > without WORKGROUP\ is not an issue: the display is local to the system, > managed by Samba (or Winbind[d]) and so the local Samba should act > accordingly to what is configured into smb.conf relatively to the fact > work > group is displayed or not in user name. > > Not sure it is clear :D > > Anyway: to change that behaviour and get id, getfacl... your system > showing > WORKGROUP\username rather than username I think the smb.conf option is > "winbind use default domain = yes". > > If you are not using Winbind, the replacement tool should also come with > that option. > > 2016-07-04 15:54 GMT+02:00 Ulisses Féres <uferes2 at gmail.com>: > > > sorry , the original message was in error. Follow: > > > > > > Hi. Sorry. Today I have a big problem with the samba I can not solve! My > > permissions do not work properly. in the RSAT created groups, OU and > users. > > I configured in Windows the shared directory *TECNOLOGIA* security > settings > > assigning full permissions to *grupo_tecnologia* (technology group). > > However users who are with *grupo_tecnologia* (primary) to access the > share > > opens a popup asking for the user / password in which does not accept > > access. I noticed on linux with getfacl that DOMAIN is not properly > setted > > as in bold: > > > > > > > > [root at smb ~]# getfacl /shares/c/tecnologia/ > > # file: shares/c/tecnologia/ > > # owner: root > > # group: root > > user::rwx > > user:root:rwx > > user:BUILTIN\134administrators:rwx > > user:domain\040admins:rwx > > *user:grupo_tecnologia:rwx* > > group::--- > > group:root:--- > > group:BUILTIN\134administrators:rwx > > group:domain\040admins:rwx > > *group:grupo_tecnologia:rwx* > > mask::rwx > > other::--- > > default:user::rwx > > default:user:root:rwx > > default:user:BUILTIN\134administrators:rwx > > default:user:domain\040admins:rwx > > *default:user:grupo_tecnologia:rwx* > > default:group::--- > > default:group:root:--- > > default:group:BUILTIN\134administrators:rwx > > default:group:domain\040admins:rwx > > *default:group:grupo_tecnologia:rwx* > > default:mask::rwx > > default:other::--- > > > > > > It was not to be: > > > > *default:group:ROPA\grupo_tecnologia:rwx* > > > > I believe all my problem may be due to this. > > > > > > > > *IP Server:* 192.168.1.99 > > > > *[root at smb ~]# smbd -V* > > Version 4.2.13 > > > > *[root at smb ~]# smbclient -V* > > Version 4.2.13 > > > > *I try install version 4.4.4 but this error continues* > > > > *[root at smb ~]# cat /etc/samba/smb.conf* > > # Global parameters > > [global] > > workgroup = ROPA > > realm = ROPA.INTRANET > > netbios name = SMB > > server role = active directory domain controller > > dns forwarder = 8.8.8.8 > > > > [netlogon] > > path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts > > read only = No > > > > [sysvol] > > path = /usr/local/samba/var/locks/sysvol > > read only = No > > > > > > [tecnologia] > > comment = tecnologia > > path = /shares/c/tecnologia > > read only = no > > > > > > *[root at smb ~]# cat /etc/resolv.conf* > > domain ropa.intranet > > search ropa.intranet > > nameserver 192.168.1.99 > > nameserver 8.8.8.8 > > > > *[root at smb ~]# cat /etc/hosts* > > 127.0.0.1 localhost localhost.localdomain localhost4 > > localhost4.localdomain4 > > 192.168.1.99 smb smb.ropa.intranet > > > > *[root at smb ~]# testparm* > > > > Load smb config files from /usr/local/samba/etc/smb.conf > > Processing section "[netlogon]" > > Processing section "[sysvol]" > > Processing section "[tecnologia]" > > Loaded services file OK. > > Server role: ROLE_ACTIVE_DIRECTORY_DC > > Press enter to see a dump of your service definitions > > # Global parameters > > [global] > > workgroup = ROPA > > realm = ROPA.INTRANET > > server role = active directory domain controller > > passdb backend = samba_dsdb > > dns forwarder = 8.8.8.8 > > rpc_server:tcpip = no > > rpc_daemon:spoolssd = embedded > > rpc_server:spoolss = embedded > > rpc_server:winreg = embedded > > rpc_server:ntsvcs = embedded > > rpc_server:eventlog = embedded > > rpc_server:srvsvc = embedded > > rpc_server:svcctl = embedded > > rpc_server:default = external > > winbindd:use external pipes = true > > idmap config * : backend = tdb > > map archive = No > > map readonly = no > > store dos attributes = Yes > > vfs objects = dfs_samba4 acl_xattr > > [netlogon] > > path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts > > read only = No > > [sysvol] > > path = /usr/local/samba/var/locks/sysvol > > read only = No > > [tecnologia] > > comment = tecnologia > > path = /shares/c/tecnologia > > read only = No > > > > *[root at smb ~]# klist* > > Ticket cache: FILE:/tmp/krb5cc_0 > > Default principal: administrator at ROPA.INTRANET > > > > Valid starting Expires Service principal > > 06/24/2016 01:21:09 06/24/2016 11:21:09 > > krbtgt/ROPA.INTRANET at ROPA.INTRANET > > renew until 06/25/2016 01:21:04 > > > > *[root at smb~]# uname -a* > > Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 > > 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux > > > > > > [root at smb~]# cat /etc/nsswitch.conf passwd: files sss winbind shadow: > > files > > sss winbind group: files sss winbind hosts: files dns myhostname > > bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: > files > > networks: files protocols: files rpc: files services: files sss > netgroup: > > files sss publickey: nisplus automount: files aliases: files nisplus > > [root at smb~]# wbinfo -g enterprise read-only domain controllers domain > > admins domain users domain guests domain computers domain controllers > > schema admins enterprise admins group policy creator owners read-only > > domain controllers grupo_tecnologia [root at smb~]# cat > > /etc/security/limits.conf root hard nofile 131072 root soft nofile 65536 > > mioutente hard nofile 32768 mioutente soft nofile 16384 [root at smb~]# cat > > /etc/krb5.conf [libdefaults] default_realm = ROPA.INTRANET > dns_lookup_realm > > = false dns_lookup_kdc = true [logging] default > > FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server > > > FILE:/var/log/kadmind.log ROPA.INTRANET = { kdc = smb.ropa.intranet > > default_domain = ropa.intranet admin_server = SMB.ROPA.INTRANET } > > [appdefaults] pam = { debug = false ticket_lifetime = 36000 > renew_lifetime > > = 36000 forwardable = true krb4_convert = false } [domain_realm] > > .ROPA.INTRANET = ROPA.INTRANET .ROPA = ROPA.INTRANET .ROPA.intranet > > ROPA.INTRANET [root at smb ~]# net rpc rights list accounts -Uadministrator > > Enter administrator's password: ROPA\Domain Admins > SeDiskOperatorPrivilege > > BUILTIN\Print Operators SeLoadDriverPrivilege SeShutdownPrivilege > > SeInteractiveLogonRight BUILTIN\Account Operators > SeInteractiveLogonRight > > BUILTIN\Backup Operators SeBackupPrivilege SeRestorePrivilege > > SeShutdownPrivilege SeInteractiveLogonRight BUILTIN\Administrators > > SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege > > SeSystemtimePrivilege SeShutdownPrivilege SeRemoteShutdownPrivilege > > SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege > > SeSystemProfilePrivilege SeProfileSingleProcessPrivilege > > SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege > > SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege > SeChangeNotifyPrivilege > > SeUndockPrivilege PseudorrevolucionárioSeImpersonatePrivilege > > SeCreateGlobalPrivilege SeEnableDelegationPrivilege > SeInteractiveLogonRight > > SeNetworkLogonRight SeRemoteInteractiveLogonRight > SeDiskOperatorPrivilege > > BUILTIN\Server Operators SeBackupPrivilege SeSystemtimePrivilege > > SeRemoteShutdownPrivilege SeRestorePrivilege SeShutdownPrivilege > > SeInteractiveLogonRight BUILTIN\Pre-Windows 2000 Compatible Access > > SeRemoteInteractiveLogonRight SeChangeNotifyPrivilege > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba