thr3ads.net - samba - [Samba] getfacl not have domain name and samba4 not work correctly [Jul 2016]

If this information is useful, please help other people find it:
Share via:

Ulisses Féres

2016-Jul-04 13:54 UTC

[Samba] getfacl not have domain name and samba4 not work correctly

sorry , the original message was in error. Follow:


Hi. Sorry. Today I have a big problem with the samba I can not solve! My
permissions do not work properly. in the RSAT created groups, OU and users.
I configured in Windows the shared directory *TECNOLOGIA* security settings
assigning full permissions to *grupo_tecnologia* (technology group).
However users who are with *grupo_tecnologia* (primary) to access the share
opens a popup asking for the user / password in which does not accept
access. I noticed on linux with getfacl that DOMAIN is not properly setted
as in bold:



[root at smb ~]# getfacl /shares/c/tecnologia/
# file: shares/c/tecnologia/
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:domain\040admins:rwx
*user:grupo_tecnologia:rwx*
group::---
group:root:---
group:BUILTIN\134administrators:rwx
group:domain\040admins:rwx
*group:grupo_tecnologia:rwx*
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:domain\040admins:rwx
*default:user:grupo_tecnologia:rwx*
default:group::---
default:group:root:---
default:group:BUILTIN\134administrators:rwx
default:group:domain\040admins:rwx
*default:group:grupo_tecnologia:rwx*
default:mask::rwx
default:other::---


It was not to be:

*default:group:ROPA\grupo_tecnologia:rwx*

I believe all my problem may be due to this.



*IP Server:* 192.168.1.99

*[root at smb ~]# smbd -V*
Version 4.2.13

*[root at smb ~]# smbclient -V*
Version 4.2.13

*I try install version 4.4.4 but this error continues*

*[root at smb ~]# cat /etc/samba/smb.conf*
# Global parameters
[global]
        workgroup = ROPA
        realm = ROPA.INTRANET
        netbios name = SMB
        server role = active directory domain controller
        dns forwarder = 8.8.8.8

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No


[tecnologia]
        comment = tecnologia
        path = /shares/c/tecnologia
        read only = no


*[root at smb ~]# cat /etc/resolv.conf*
domain ropa.intranet
search ropa.intranet
nameserver 192.168.1.99
nameserver 8.8.8.8

*[root at smb ~]# cat /etc/hosts*
127.0.0.1   localhost localhost.localdomain localhost4
localhost4.localdomain4
192.168.1.99 smb smb.ropa.intranet

*[root at smb ~]# testparm*

Load smb config files from /usr/local/samba/etc/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[tecnologia]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
# Global parameters
[global]
        workgroup = ROPA
        realm = ROPA.INTRANET
        server role = active directory domain controller
        passdb backend = samba_dsdb
        dns forwarder = 8.8.8.8
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
[tecnologia]
        comment = tecnologia
        path = /shares/c/tecnologia
        read only = No

*[root at smb ~]# klist*
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at ROPA.INTRANET

Valid starting       Expires              Service principal
06/24/2016 01:21:09  06/24/2016 11:21:09  krbtgt/ROPA.INTRANET at ROPA.INTRANET
        renew until 06/25/2016 01:21:04

*[root at smb~]# uname -a*
Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29
18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


[root at smb~]# cat /etc/nsswitch.conf passwd: files sss winbind shadow: files
sss winbind group: files sss winbind hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files
networks: files protocols: files rpc: files services: files sss netgroup:
files sss publickey: nisplus automount: files aliases: files nisplus
[root at smb~]# wbinfo -g enterprise read-only domain controllers domain
admins domain users domain guests domain computers domain controllers
schema admins enterprise admins group policy creator owners read-only
domain controllers grupo_tecnologia [root at smb~]# cat
/etc/security/limits.conf root hard nofile 131072 root soft nofile 65536
mioutente hard nofile 32768 mioutente soft nofile 16384 [root at smb~]# cat
/etc/krb5.conf [libdefaults] default_realm = ROPA.INTRANET dns_lookup_realm
= false dns_lookup_kdc = true [logging] default FILE:/var/log/krb5libs.log kdc =
FILE:/var/log/krb5kdc.log admin_server FILE:/var/log/kadmind.log ROPA.INTRANET =
{ kdc = smb.ropa.intranet
default_domain = ropa.intranet admin_server = SMB.ROPA.INTRANET }
[appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime
= 36000 forwardable = true krb4_convert = false } [domain_realm]
.ROPA.INTRANET = ROPA.INTRANET .ROPA = ROPA.INTRANET .ROPA.intranet
ROPA.INTRANET [root at smb ~]# net rpc rights list accounts -Uadministrator
Enter administrator's password: ROPA\Domain Admins SeDiskOperatorPrivilege
BUILTIN\Print Operators SeLoadDriverPrivilege SeShutdownPrivilege
SeInteractiveLogonRight BUILTIN\Account Operators SeInteractiveLogonRight
BUILTIN\Backup Operators SeBackupPrivilege SeRestorePrivilege
SeShutdownPrivilege SeInteractiveLogonRight BUILTIN\Administrators
SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege
SeSystemtimePrivilege SeShutdownPrivilege SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege
SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege
SeUndockPrivilege PseudorrevolucionárioSeImpersonatePrivilege
SeCreateGlobalPrivilege SeEnableDelegationPrivilege SeInteractiveLogonRight
SeNetworkLogonRight SeRemoteInteractiveLogonRight SeDiskOperatorPrivilege
BUILTIN\Server Operators SeBackupPrivilege SeSystemtimePrivilege
SeRemoteShutdownPrivilege SeRestorePrivilege SeShutdownPrivilege
SeInteractiveLogonRight BUILTIN\Pre-Windows 2000 Compatible Access
SeRemoteInteractiveLogonRight SeChangeNotifyPrivilege

Rowland penny

2016-Jul-04 14:20 UTC

head link

[Samba] getfacl not have domain name and samba4 not work correctly

On 04/07/16 14:54, Ulisses Féres wrote:> sorry , the original message was in error. Follow:
>
>
> Hi. Sorry. Today I have a big problem with the samba I can not solve! My
> permissions do not work properly. in the RSAT created groups, OU and users.
> I configured in Windows the shared directory *TECNOLOGIA* security settings
> assigning full permissions to *grupo_tecnologia* (technology group).
> However users who are with *grupo_tecnologia* (primary) to access the share
> opens a popup asking for the user / password in which does not accept
> access. I noticed on linux with getfacl that DOMAIN is not properly setted
> as in bold:
>
>
>
> [root at smb ~]# getfacl /shares/c/tecnologia/
> # file: shares/c/tecnologia/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:domain\040admins:rwx
> *user:grupo_tecnologia:rwx*
> group::---
> group:root:---
> group:BUILTIN\134administrators:rwx
> group:domain\040admins:rwx
> *group:grupo_tecnologia:rwx*
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:domain\040admins:rwx
> *default:user:grupo_tecnologia:rwx*
> default:group::---
> default:group:root:---
> default:group:BUILTIN\134administrators:rwx
> default:group:domain\040admins:rwx
> *default:group:grupo_tecnologia:rwx*
> default:mask::rwx
> default:other::---
>
>
> It was not to be:
>
> *default:group:ROPA\grupo_tecnologia:rwx*
>
> I believe all my problem may be due to this.
>
>
>
> *IP Server:* 192.168.1.99
>
> *[root at smb ~]# smbd -V*
> Version 4.2.13
>
> *[root at smb ~]# smbclient -V*
> Version 4.2.13
>
> *I try install version 4.4.4 but this error continues*
>
> *[root at smb ~]# cat /etc/samba/smb.conf*
> # Global parameters
> [global]
>          workgroup = ROPA
>          realm = ROPA.INTRANET
>          netbios name = SMB
>          server role = active directory domain controller
>          dns forwarder = 8.8.8.8
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>
>
> [tecnologia]
>          comment = tecnologia
>          path = /shares/c/tecnologia
>          read only = no
>
>
> *[root at smb ~]# cat /etc/resolv.conf*
> domain ropa.intranet
> search ropa.intranet
> nameserver 192.168.1.99
> nameserver 8.8.8.8
>
> *[root at smb ~]# cat /etc/hosts*
> 127.0.0.1   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> 192.168.1.99 smb smb.ropa.intranet
>
> *[root at smb ~]# testparm*
>
> Load smb config files from /usr/local/samba/etc/smb.conf
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[tecnologia]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
> Press enter to see a dump of your service definitions
> # Global parameters
> [global]
>          workgroup = ROPA
>          realm = ROPA.INTRANET
>          server role = active directory domain controller
>          passdb backend = samba_dsdb
>          dns forwarder = 8.8.8.8
>          rpc_server:tcpip = no
>          rpc_daemon:spoolssd = embedded
>          rpc_server:spoolss = embedded
>          rpc_server:winreg = embedded
>          rpc_server:ntsvcs = embedded
>          rpc_server:eventlog = embedded
>          rpc_server:srvsvc = embedded
>          rpc_server:svcctl = embedded
>          rpc_server:default = external
>          winbindd:use external pipes = true
>          idmap config * : backend = tdb
>          map archive = No
>          map readonly = no
>          store dos attributes = Yes
>          vfs objects = dfs_samba4 acl_xattr
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
>          read only = No
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
> [tecnologia]
>          comment = tecnologia
>          path = /shares/c/tecnologia
>          read only = No
>
> *[root at smb ~]# klist*
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at ROPA.INTRANET
>
> Valid starting       Expires              Service principal
> 06/24/2016 01:21:09  06/24/2016 11:21:09  krbtgt/ROPA.INTRANET at
ROPA.INTRANET
>          renew until 06/25/2016 01:21:04
>
> *[root at smb~]# uname -a*
> Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29
> 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>
>
> [root at smb~]# cat /etc/nsswitch.conf passwd: files sss winbind shadow:
files
> sss winbind group: files sss winbind hosts: files dns myhostname
> bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files
> networks: files protocols: files rpc: files services: files sss netgroup:
> files sss publickey: nisplus automount: files aliases: files nisplus
> [root at smb~]# wbinfo -g enterprise read-only domain controllers domain
> admins domain users domain guests domain computers domain controllers
> schema admins enterprise admins group policy creator owners read-only
> domain controllers grupo_tecnologia [root at smb~]# cat
> /etc/security/limits.conf root hard nofile 131072 root soft nofile 65536
> mioutente hard nofile 32768 mioutente soft nofile 16384 [root at smb~]# cat
> /etc/krb5.conf [libdefaults] default_realm = ROPA.INTRANET dns_lookup_realm
> = false dns_lookup_kdc = true [logging] default >
FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server >
FILE:/var/log/kadmind.log ROPA.INTRANET = { kdc = smb.ropa.intranet
> default_domain = ropa.intranet admin_server = SMB.ROPA.INTRANET }
> [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime
> = 36000 forwardable = true krb4_convert = false } [domain_realm]
> .ROPA.INTRANET = ROPA.INTRANET .ROPA = ROPA.INTRANET .ROPA.intranet >
ROPA.INTRANET [root at smb ~]# net rpc rights list accounts -Uadministrator
> Enter administrator's password: ROPA\Domain Admins
SeDiskOperatorPrivilege
> BUILTIN\Print Operators SeLoadDriverPrivilege SeShutdownPrivilege
> SeInteractiveLogonRight BUILTIN\Account Operators SeInteractiveLogonRight
> BUILTIN\Backup Operators SeBackupPrivilege SeRestorePrivilege
> SeShutdownPrivilege SeInteractiveLogonRight BUILTIN\Administrators
> SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege
> SeSystemtimePrivilege SeShutdownPrivilege SeRemoteShutdownPrivilege
> SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege
> SeSystemProfilePrivilege SeProfileSingleProcessPrivilege
> SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege
> SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege
> SeUndockPrivilege PseudorrevolucionárioSeImpersonatePrivilege
> SeCreateGlobalPrivilege SeEnableDelegationPrivilege SeInteractiveLogonRight
> SeNetworkLogonRight SeRemoteInteractiveLogonRight SeDiskOperatorPrivilege
> BUILTIN\Server Operators SeBackupPrivilege SeSystemtimePrivilege
> SeRemoteShutdownPrivilege SeRestorePrivilege SeShutdownPrivilege
> SeInteractiveLogonRight BUILTIN\Pre-Windows 2000 Compatible Access
> SeRemoteInteractiveLogonRight SeChangeNotifyPrivilege
OK, lets start with why getfacl doesn't show the domain name for 
'grupo_tecnologia'

I have no idea, why don't you ask on the sssd mailing list, because this 
is what is returning your group name:

/etc/nsswitch.conf
...........
........
group: files sss winbind

'winbind' in /etc/nsswitch.conf will very probably be ignored, because 
'sss' is in front of it.

I found your post to be pretty much unreadable, could you try another 
mail client, preferably one that doesn't squash all the text together. :-)

Rowland

mathias dufresne

2016-Jul-04 14:34 UTC

head link

[Samba] getfacl not have domain name and samba4 not work correctly

Hi,

First I won't read the end. Notepad or something as clever as that tool put
data on big lines, which is unreadable.

Now and to stop complaining, the fact AD user names are displayed with or
without WORKGROUP\ is not an issue: the display is local to the system,
managed by Samba (or Winbind[d]) and so the local Samba should act
accordingly to what is configured into smb.conf relatively to the fact work
group is displayed or not in user name.

Not sure it is clear :D

Anyway: to change that behaviour and get id, getfacl... your system showing
WORKGROUP\username rather than username I think the smb.conf option is
"winbind use default domain = yes".

If you are not using Winbind, the replacement tool should also come with
that option.

2016-07-04 15:54 GMT+02:00 Ulisses Féres <uferes2 at gmail.com>:
> sorry , the original message was in error. Follow:
>
>
> Hi. Sorry. Today I have a big problem with the samba I can not solve! My
> permissions do not work properly. in the RSAT created groups, OU and users.
> I configured in Windows the shared directory *TECNOLOGIA* security settings
> assigning full permissions to *grupo_tecnologia* (technology group).
> However users who are with *grupo_tecnologia* (primary) to access the share
> opens a popup asking for the user / password in which does not accept
> access. I noticed on linux with getfacl that DOMAIN is not properly setted
> as in bold:
>
>
>
> [root at smb ~]# getfacl /shares/c/tecnologia/
> # file: shares/c/tecnologia/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:domain\040admins:rwx
> *user:grupo_tecnologia:rwx*
> group::---
> group:root:---
> group:BUILTIN\134administrators:rwx
> group:domain\040admins:rwx
> *group:grupo_tecnologia:rwx*
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:domain\040admins:rwx
> *default:user:grupo_tecnologia:rwx*
> default:group::---
> default:group:root:---
> default:group:BUILTIN\134administrators:rwx
> default:group:domain\040admins:rwx
> *default:group:grupo_tecnologia:rwx*
> default:mask::rwx
> default:other::---
>
>
> It was not to be:
>
> *default:group:ROPA\grupo_tecnologia:rwx*
>
> I believe all my problem may be due to this.
>
>
>
> *IP Server:* 192.168.1.99
>
> *[root at smb ~]# smbd -V*
> Version 4.2.13
>
> *[root at smb ~]# smbclient -V*
> Version 4.2.13
>
> *I try install version 4.4.4 but this error continues*
>
> *[root at smb ~]# cat /etc/samba/smb.conf*
> # Global parameters
> [global]
>         workgroup = ROPA
>         realm = ROPA.INTRANET
>         netbios name = SMB
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
>
> [tecnologia]
>         comment = tecnologia
>         path = /shares/c/tecnologia
>         read only = no
>
>
> *[root at smb ~]# cat /etc/resolv.conf*
> domain ropa.intranet
> search ropa.intranet
> nameserver 192.168.1.99
> nameserver 8.8.8.8
>
> *[root at smb ~]# cat /etc/hosts*
> 127.0.0.1   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> 192.168.1.99 smb smb.ropa.intranet
>
> *[root at smb ~]# testparm*
>
> Load smb config files from /usr/local/samba/etc/smb.conf
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[tecnologia]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
> Press enter to see a dump of your service definitions
> # Global parameters
> [global]
>         workgroup = ROPA
>         realm = ROPA.INTRANET
>         server role = active directory domain controller
>         passdb backend = samba_dsdb
>         dns forwarder = 8.8.8.8
>         rpc_server:tcpip = no
>         rpc_daemon:spoolssd = embedded
>         rpc_server:spoolss = embedded
>         rpc_server:winreg = embedded
>         rpc_server:ntsvcs = embedded
>         rpc_server:eventlog = embedded
>         rpc_server:srvsvc = embedded
>         rpc_server:svcctl = embedded
>         rpc_server:default = external
>         winbindd:use external pipes = true
>         idmap config * : backend = tdb
>         map archive = No
>         map readonly = no
>         store dos attributes = Yes
>         vfs objects = dfs_samba4 acl_xattr
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
>         read only = No
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
> [tecnologia]
>         comment = tecnologia
>         path = /shares/c/tecnologia
>         read only = No
>
> *[root at smb ~]# klist*
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at ROPA.INTRANET
>
> Valid starting       Expires              Service principal
> 06/24/2016 01:21:09  06/24/2016 11:21:09
> krbtgt/ROPA.INTRANET at ROPA.INTRANET
>         renew until 06/25/2016 01:21:04
>
> *[root at smb~]# uname -a*
> Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29
> 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>
>
> [root at smb~]# cat /etc/nsswitch.conf passwd: files sss winbind shadow:
> files
> sss winbind group: files sss winbind hosts: files dns myhostname
> bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files
> networks: files protocols: files rpc: files services: files sss netgroup:
> files sss publickey: nisplus automount: files aliases: files nisplus
> [root at smb~]# wbinfo -g enterprise read-only domain controllers domain
> admins domain users domain guests domain computers domain controllers
> schema admins enterprise admins group policy creator owners read-only
> domain controllers grupo_tecnologia [root at smb~]# cat
> /etc/security/limits.conf root hard nofile 131072 root soft nofile 65536
> mioutente hard nofile 32768 mioutente soft nofile 16384 [root at smb~]# cat
> /etc/krb5.conf [libdefaults] default_realm = ROPA.INTRANET dns_lookup_realm
> = false dns_lookup_kdc = true [logging] default >
FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server >
FILE:/var/log/kadmind.log ROPA.INTRANET = { kdc = smb.ropa.intranet
> default_domain = ropa.intranet admin_server = SMB.ROPA.INTRANET }
> [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime
> = 36000 forwardable = true krb4_convert = false } [domain_realm]
> .ROPA.INTRANET = ROPA.INTRANET .ROPA = ROPA.INTRANET .ROPA.intranet >
ROPA.INTRANET [root at smb ~]# net rpc rights list accounts -Uadministrator
> Enter administrator's password: ROPA\Domain Admins
SeDiskOperatorPrivilege
> BUILTIN\Print Operators SeLoadDriverPrivilege SeShutdownPrivilege
> SeInteractiveLogonRight BUILTIN\Account Operators SeInteractiveLogonRight
> BUILTIN\Backup Operators SeBackupPrivilege SeRestorePrivilege
> SeShutdownPrivilege SeInteractiveLogonRight BUILTIN\Administrators
> SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege
> SeSystemtimePrivilege SeShutdownPrivilege SeRemoteShutdownPrivilege
> SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege
> SeSystemProfilePrivilege SeProfileSingleProcessPrivilege
> SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege
> SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege
> SeUndockPrivilege PseudorrevolucionárioSeImpersonatePrivilege
> SeCreateGlobalPrivilege SeEnableDelegationPrivilege SeInteractiveLogonRight
> SeNetworkLogonRight SeRemoteInteractiveLogonRight SeDiskOperatorPrivilege
> BUILTIN\Server Operators SeBackupPrivilege SeSystemtimePrivilege
> SeRemoteShutdownPrivilege SeRestorePrivilege SeShutdownPrivilege
> SeInteractiveLogonRight BUILTIN\Pre-Windows 2000 Compatible Access
> SeRemoteInteractiveLogonRight SeChangeNotifyPrivilege
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

L.P.H. van Belle

2016-Jul-04 14:56 UTC

head link

[Samba] getfacl not have domain name and samba4 not work correctly

Hai, 
>I configured in Windows the shared directory *TECNOLOGIA* security settings
>assigning full permissions to *grupo_tecnologia* (technology group).
What are the "share" rights on that share. 
For example did you remove authenticated users or everyone and added a new one?

Is this a share which windows users only accesses.. try adding 
acl_xattr:ignore system acl = yes 
to your share. !! 

DO RE-APLY YOUR SHARE AND SECURITY SETTINGS TO BE SURE ITS SET OK.

You are missing a right somewhere on share or folder or your missing an UID/GID
somewhere.

Look here : 
https://wiki.samba.org/index.php/File_sharing 

and choose 1 of the Setup shares, dont mix them. 



Gr. 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens mathias
dufresne
> Verzonden: maandag 4 juli 2016 16:34
> Aan: Ulisses Féres
> CC: samba
> Onderwerp: Re: [Samba] getfacl not have domain name and samba4 not work
> correctly
> 
> Hi,
> 
> First I won't read the end. Notepad or something as clever as that tool
> put
> data on big lines, which is unreadable.
> 
> Now and to stop complaining, the fact AD user names are displayed with or
> without WORKGROUP\ is not an issue: the display is local to the system,
> managed by Samba (or Winbind[d]) and so the local Samba should act
> accordingly to what is configured into smb.conf relatively to the fact
> work
> group is displayed or not in user name.
> 
> Not sure it is clear :D
> 
> Anyway: to change that behaviour and get id, getfacl... your system
> showing
> WORKGROUP\username rather than username I think the smb.conf option is
> "winbind use default domain = yes".
> 
> If you are not using Winbind, the replacement tool should also come with
> that option.
> 
> 2016-07-04 15:54 GMT+02:00 Ulisses Féres <uferes2 at gmail.com>:
> 
> > sorry , the original message was in error. Follow:
> >
> >
> > Hi. Sorry. Today I have a big problem with the samba I can not solve!
My
> > permissions do not work properly. in the RSAT created groups, OU and
> users.
> > I configured in Windows the shared directory *TECNOLOGIA* security
> settings
> > assigning full permissions to *grupo_tecnologia* (technology group).
> > However users who are with *grupo_tecnologia* (primary) to access the
> share
> > opens a popup asking for the user / password in which does not accept
> > access. I noticed on linux with getfacl that DOMAIN is not properly
> setted
> > as in bold:
> >
> >
> >
> > [root at smb ~]# getfacl /shares/c/tecnologia/
> > # file: shares/c/tecnologia/
> > # owner: root
> > # group: root
> > user::rwx
> > user:root:rwx
> > user:BUILTIN\134administrators:rwx
> > user:domain\040admins:rwx
> > *user:grupo_tecnologia:rwx*
> > group::---
> > group:root:---
> > group:BUILTIN\134administrators:rwx
> > group:domain\040admins:rwx
> > *group:grupo_tecnologia:rwx*
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:BUILTIN\134administrators:rwx
> > default:user:domain\040admins:rwx
> > *default:user:grupo_tecnologia:rwx*
> > default:group::---
> > default:group:root:---
> > default:group:BUILTIN\134administrators:rwx
> > default:group:domain\040admins:rwx
> > *default:group:grupo_tecnologia:rwx*
> > default:mask::rwx
> > default:other::---
> >
> >
> > It was not to be:
> >
> > *default:group:ROPA\grupo_tecnologia:rwx*
> >
> > I believe all my problem may be due to this.
> >
> >
> >
> > *IP Server:* 192.168.1.99
> >
> > *[root at smb ~]# smbd -V*
> > Version 4.2.13
> >
> > *[root at smb ~]# smbclient -V*
> > Version 4.2.13
> >
> > *I try install version 4.4.4 but this error continues*
> >
> > *[root at smb ~]# cat /etc/samba/smb.conf*
> > # Global parameters
> > [global]
> >         workgroup = ROPA
> >         realm = ROPA.INTRANET
> >         netbios name = SMB
> >         server role = active directory domain controller
> >         dns forwarder = 8.8.8.8
> >
> > [netlogon]
> >         path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /usr/local/samba/var/locks/sysvol
> >         read only = No
> >
> >
> > [tecnologia]
> >         comment = tecnologia
> >         path = /shares/c/tecnologia
> >         read only = no
> >
> >
> > *[root at smb ~]# cat /etc/resolv.conf*
> > domain ropa.intranet
> > search ropa.intranet
> > nameserver 192.168.1.99
> > nameserver 8.8.8.8
> >
> > *[root at smb ~]# cat /etc/hosts*
> > 127.0.0.1   localhost localhost.localdomain localhost4
> > localhost4.localdomain4
> > 192.168.1.99 smb smb.ropa.intranet
> >
> > *[root at smb ~]# testparm*
> >
> > Load smb config files from /usr/local/samba/etc/smb.conf
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > Processing section "[tecnologia]"
> > Loaded services file OK.
> > Server role: ROLE_ACTIVE_DIRECTORY_DC
> > Press enter to see a dump of your service definitions
> > # Global parameters
> > [global]
> >         workgroup = ROPA
> >         realm = ROPA.INTRANET
> >         server role = active directory domain controller
> >         passdb backend = samba_dsdb
> >         dns forwarder = 8.8.8.8
> >         rpc_server:tcpip = no
> >         rpc_daemon:spoolssd = embedded
> >         rpc_server:spoolss = embedded
> >         rpc_server:winreg = embedded
> >         rpc_server:ntsvcs = embedded
> >         rpc_server:eventlog = embedded
> >         rpc_server:srvsvc = embedded
> >         rpc_server:svcctl = embedded
> >         rpc_server:default = external
> >         winbindd:use external pipes = true
> >         idmap config * : backend = tdb
> >         map archive = No
> >         map readonly = no
> >         store dos attributes = Yes
> >         vfs objects = dfs_samba4 acl_xattr
> > [netlogon]
> >         path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
> >         read only = No
> > [sysvol]
> >         path = /usr/local/samba/var/locks/sysvol
> >         read only = No
> > [tecnologia]
> >         comment = tecnologia
> >         path = /shares/c/tecnologia
> >         read only = No
> >
> > *[root at smb ~]# klist*
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: administrator at ROPA.INTRANET
> >
> > Valid starting       Expires              Service principal
> > 06/24/2016 01:21:09  06/24/2016 11:21:09
> > krbtgt/ROPA.INTRANET at ROPA.INTRANET
> >         renew until 06/25/2016 01:21:04
> >
> > *[root at smb~]# uname -a*
> > Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29
> > 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
> >
> >
> > [root at smb~]# cat /etc/nsswitch.conf passwd: files sss winbind
shadow:
> > files
> > sss winbind group: files sss winbind hosts: files dns myhostname
> > bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks:
> files
> > networks: files protocols: files rpc: files services: files sss
> netgroup:
> > files sss publickey: nisplus automount: files aliases: files nisplus
> > [root at smb~]# wbinfo -g enterprise read-only domain controllers
domain
> > admins domain users domain guests domain computers domain controllers
> > schema admins enterprise admins group policy creator owners read-only
> > domain controllers grupo_tecnologia [root at smb~]# cat
> > /etc/security/limits.conf root hard nofile 131072 root soft nofile
65536
> > mioutente hard nofile 32768 mioutente soft nofile 16384 [root at
smb~]# cat
> > /etc/krb5.conf [libdefaults] default_realm = ROPA.INTRANET
> dns_lookup_realm
> > = false dns_lookup_kdc = true [logging] default > >
FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server
> > > FILE:/var/log/kadmind.log ROPA.INTRANET = { kdc =
smb.ropa.intranet
> > default_domain = ropa.intranet admin_server = SMB.ROPA.INTRANET }
> > [appdefaults] pam = { debug = false ticket_lifetime = 36000
> renew_lifetime
> > = 36000 forwardable = true krb4_convert = false } [domain_realm]
> > .ROPA.INTRANET = ROPA.INTRANET .ROPA = ROPA.INTRANET .ROPA.intranet
> > ROPA.INTRANET [root at smb ~]# net rpc rights list accounts
-Uadministrator
> > Enter administrator's password: ROPA\Domain Admins
> SeDiskOperatorPrivilege
> > BUILTIN\Print Operators SeLoadDriverPrivilege SeShutdownPrivilege
> > SeInteractiveLogonRight BUILTIN\Account Operators
> SeInteractiveLogonRight
> > BUILTIN\Backup Operators SeBackupPrivilege SeRestorePrivilege
> > SeShutdownPrivilege SeInteractiveLogonRight BUILTIN\Administrators
> > SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege
> > SeSystemtimePrivilege SeShutdownPrivilege SeRemoteShutdownPrivilege
> > SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege
> > SeSystemProfilePrivilege SeProfileSingleProcessPrivilege
> > SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege
> > SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege
> SeChangeNotifyPrivilege
> > SeUndockPrivilege PseudorrevolucionárioSeImpersonatePrivilege
> > SeCreateGlobalPrivilege SeEnableDelegationPrivilege
> SeInteractiveLogonRight
> > SeNetworkLogonRight SeRemoteInteractiveLogonRight
> SeDiskOperatorPrivilege
> > BUILTIN\Server Operators SeBackupPrivilege SeSystemtimePrivilege
> > SeRemoteShutdownPrivilege SeRestorePrivilege SeShutdownPrivilege
> > SeInteractiveLogonRight BUILTIN\Pre-Windows 2000 Compatible Access
> > SeRemoteInteractiveLogonRight SeChangeNotifyPrivilege
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Reasonably Related Threads

Search for more possibly parallel threads

samba - Jul 2016 - getfacl not have domain name and samba4 not work correctly

[Samba] getfacl not have domain name and samba4 not work correctly

[Samba] getfacl not have domain name and samba4 not work correctly

[Samba] getfacl not have domain name and samba4 not work correctly

[Samba] getfacl not have domain name and samba4 not work correctly

Reasonably Related Threads