Ulisses Féres
2016-Jul-04 13:54 UTC
[Samba] getfacl not have domain name and samba4 not work correctly
Sorry, the original message was in error. Follow:

Hi. Sorry. Today I have a big problem with Samba that I cannot solve! My permissions do not work properly. In RSAT I created groups, an OU and users. I configured in Windows the shared directory *TECNOLOGIA* security settings, assigning full permissions to *grupo_tecnologia* (technology group). However, for users whose primary group is *grupo_tecnologia*, accessing the share opens a popup asking for the user / password, which does not accept access. I noticed on Linux with getfacl that the DOMAIN is not properly set, as in bold:

[root@smb ~]# getfacl /shares/c/tecnologia/
# file: shares/c/tecnologia/
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:domain\040admins:rwx
*user:grupo_tecnologia:rwx*
group::---
group:root:---
group:BUILTIN\134administrators:rwx
group:domain\040admins:rwx
*group:grupo_tecnologia:rwx*
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:domain\040admins:rwx
*default:user:grupo_tecnologia:rwx*
default:group::---
default:group:root:---
default:group:BUILTIN\134administrators:rwx
default:group:domain\040admins:rwx
*default:group:grupo_tecnologia:rwx*
default:mask::rwx
default:other::---

Shouldn't it be:

*default:group:ROPA\grupo_tecnologia:rwx*

I believe all my problem may be due to this.

*IP Server:* 192.168.1.99

*[root@smb ~]# smbd -V*
Version 4.2.13

*[root@smb ~]# smbclient -V*
Version 4.2.13

*I tried installing version 4.4.4 but this error continues*

*[root@smb ~]# cat /etc/samba/smb.conf*
# Global parameters
[global]
        workgroup = ROPA
        realm = ROPA.INTRANET
        netbios name = SMB
        server role = active directory domain controller
        dns forwarder = 8.8.8.8

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[tecnologia]
        comment = tecnologia
        path = /shares/c/tecnologia
        read only = no

*[root@smb ~]# cat /etc/resolv.conf*
domain ropa.intranet
search ropa.intranet
nameserver 192.168.1.99
nameserver 8.8.8.8

*[root@smb ~]# cat /etc/hosts*
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.1.99 smb smb.ropa.intranet

*[root@smb ~]# testparm*
Load smb config files from /usr/local/samba/etc/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[tecnologia]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = ROPA
        realm = ROPA.INTRANET
        server role = active directory domain controller
        passdb backend = samba_dsdb
        dns forwarder = 8.8.8.8
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/ropa.intranet/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[tecnologia]
        comment = tecnologia
        path = /shares/c/tecnologia
        read only = No

*[root@smb ~]# klist*
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@ROPA.INTRANET

Valid starting       Expires              Service principal
06/24/2016 01:21:09  06/24/2016 11:21:09  krbtgt/ROPA.INTRANET@ROPA.INTRANET
        renew until 06/25/2016 01:21:04

*[root@smb ~]# uname -a*
Linux smb.ropa.intranet 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

[root@smb ~]# cat /etc/nsswitch.conf
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind
hosts:      files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files
aliases:    files nisplus

[root@smb ~]# wbinfo -g
enterprise read-only domain controllers
domain admins
domain users
domain guests
domain computers
domain controllers
schema admins
enterprise admins
group policy creator owners
read-only domain controllers
grupo_tecnologia

[root@smb ~]# cat /etc/security/limits.conf
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384

[root@smb ~]# cat /etc/krb5.conf
[libdefaults]
        default_realm = ROPA.INTRANET
        dns_lookup_realm = false
        dns_lookup_kdc = true

[logging]
        default FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server FILE:/var/log/kadmind.log

        ROPA.INTRANET = {
                kdc = smb.ropa.intranet
                default_domain = ropa.intranet
                admin_server = SMB.ROPA.INTRANET
        }

[appdefaults]
        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
        }

[domain_realm]
        .ROPA.INTRANET = ROPA.INTRANET
        .ROPA = ROPA.INTRANET
        .ROPA.intranet ROPA.INTRANET

[root@smb ~]# net rpc rights list accounts -Uadministrator
Enter administrator's password:
ROPA\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Print Operators
SeLoadDriverPrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Account Operators
SeInteractiveLogonRight

BUILTIN\Backup Operators
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Administrators
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
SeInteractiveLogonRight
SeNetworkLogonRight
SeRemoteInteractiveLogonRight
SeDiskOperatorPrivilege

BUILTIN\Server Operators
SeBackupPrivilege
SeSystemtimePrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Pre-Windows 2000 Compatible Access
SeRemoteInteractiveLogonRight
SeChangeNotifyPrivilege
Rowland penny
2016-Jul-04 14:20 UTC
[Samba] getfacl not have domain name and samba4 not work correctly
On 04/07/16 14:54, Ulisses Féres wrote:
> Sorry, the original message was in error. Follow:
> [...]

OK, let's start with why getfacl doesn't show the domain name for 'grupo_tecnologia'. I have no idea; why don't you ask on the sssd mailing list, because this is what is returning your group name:

/etc/nsswitch.conf
...........
........
group: files sss winbind

'winbind' in /etc/nsswitch.conf will very probably be ignored, because 'sss' is in front of it.

I found your post to be pretty much unreadable, could you try another mail client, preferably one that doesn't squash all the text together. :-)

Rowland
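A check for the nsswitch ordering Rowland describes, as an added example that is not part of the thread: it reads the passwd and group source lists from an nsswitch.conf and flags the case where 'sss' is listed ahead of 'winbind', so winbind is only asked about names sss cannot resolve. The function names and the embedded sample file are my own constructions, mirroring the lines the poster showed.

```shell
#!/bin/sh
# Added example, not from the thread: report the NSS source order for the
# passwd and group databases and flag the ordering Rowland points out,
# where 'sss' is listed before 'winbind' and therefore answers first.

# nss_sources FILE DB: print the sources configured for DB (passwd, group,
# ...) in FILE, skipping comment lines and [ACTION=...] tokens.
nss_sources() {
    awk -v db="$2" '
        /^[[:space:]]*#/ { next }
        $1 == (db ":") {
            out = ""
            for (i = 2; i <= NF; i++)
                if ($i !~ /^\[/) out = out (out == "" ? "" : " ") $i
            print out
            exit
        }' "$1"
}

# winbind_shadowed FILE DB: succeed (exit 0) when 'sss' precedes 'winbind'
# for DB, i.e. winbind is only consulted for names sss cannot resolve.
winbind_shadowed() {
    ws_seen_sss=0
    for ws_src in $(nss_sources "$1" "$2"); do
        case "$ws_src" in
            sss)     ws_seen_sss=1 ;;
            winbind) [ "$ws_seen_sss" -eq 1 ] && return 0
                     return 1 ;;
        esac
    done
    return 1
}

# nss_report FILE: one line per database; exit status 1 if any is shadowed.
nss_report() {
    nr_rc=0
    for nr_db in passwd group; do
        nr_order=$(nss_sources "$1" "$nr_db")
        if winbind_shadowed "$1" "$nr_db"; then
            printf '%-7s %-22s WARNING: sss answers before winbind\n' "$nr_db:" "$nr_order"
            nr_rc=1
        else
            printf '%-7s %-22s ok\n' "$nr_db:" "$nr_order"
        fi
    done
    return "$nr_rc"
}

# Constructed sample mirroring the poster's /etc/nsswitch.conf lines.
NSS_AS_POSTED=$(mktemp)
NSS_WINBIND_FIRST=$(mktemp)
trap 'rm -f "$NSS_AS_POSTED" "$NSS_WINBIND_FIRST"' EXIT
cat > "$NSS_AS_POSTED" <<'EOF'
# constructed sample, not a real host's file
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind
hosts:      files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
EOF

# The same file with winbind listed directly after files (no sss).
sed 's/files sss winbind/files winbind/' "$NSS_AS_POSTED" > "$NSS_WINBIND_FIRST"

if nss_report "$NSS_AS_POSTED"; then
    echo "as posted: no ordering problem"
else
    echo "as posted: winbind is shadowed by sss (compare 'getent group' with 'wbinfo -g')"
fi
nss_report "$NSS_WINBIND_FIRST"
```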
mathias dufresne
2016-Jul-04 14:34 UTC
[Samba] getfacl not have domain name and samba4 not work correctly
Hi,

First, I won't read the end. Notepad or something as clever as that tool put the data on big lines, which is unreadable.

Now, and to stop complaining: the fact that AD user names are displayed with or without WORKGROUP\ is not an issue. The display is local to the system, managed by Samba (or winbind[d]), and so the local Samba should act according to what is configured in smb.conf regarding whether the workgroup is displayed or not in the user name.

Not sure it is clear :D

Anyway: to change that behaviour and get id, getfacl... on your system showing WORKGROUP\username rather than username, I think the smb.conf option is "winbind use default domain = yes".

If you are not using winbind, the replacement tool should also come with that option.

2016-07-04 15:54 GMT+02:00 Ulisses Féres <uferes2 at gmail.com>:
> Sorry, the original message was in error. Follow:
> [...]
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
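An added example, not from the thread, for reading getfacl output the way the poster did: getfacl escapes a space as \040 and a backslash as \134, so BUILTIN\134administrators is really BUILTIN\administrators. The script decodes those escapes and lists every named user/group entry together with whether the name carries a DOMAIN\ prefix; the function names and the embedded ACL sample are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: decode the escapes getfacl uses in
# entry names (\040 = space, \134 = backslash, any \ooo octal) and list the
# named user/group entries of an ACL, marking whether each name carries a
# DOMAIN\ prefix. Function names and the sample ACL are constructed here.

# acl_decode NAME: expand \ooo octal escapes in one getfacl name.
acl_decode() {
    printf '%s\n' "$1" | awk '{
        s = $0; out = ""
        while (match(s, /\\[0-7][0-7][0-7]/)) {
            d = substr(s, RSTART + 1, 3)
            v = substr(d, 1, 1) * 64 + substr(d, 2, 1) * 8 + substr(d, 3, 1)
            out = out substr(s, 1, RSTART - 1) sprintf("%c", v)
            s = substr(s, RSTART + 4)
        }
        print out s
    }'
}

# acl_named_entries FILE: for every named (non-owner) user/group entry in a
# getfacl dump, print "<kind> <decoded name> <perms> qualified|unqualified".
# Owner/owning-group entries (user::, group::), mask and other are skipped.
acl_named_entries() {
    while IFS= read -r ane_line; do
        case "$ane_line" in
            user:?*:*|group:?*:*|default:user:?*:*|default:group:?*:*) ;;
            *) continue ;;
        esac
        ane_perms=${ane_line##*:}
        ane_tag=${ane_line%:*}
        ane_name=$(acl_decode "${ane_tag##*:}")
        ane_kind=${ane_tag%:*}
        case "$ane_name" in
            *\\*) ane_status=qualified ;;     # decoded name contains DOMAIN\
            *)    ane_status=unqualified ;;
        esac
        printf '%-13s %-24s %-4s %s\n' "$ane_kind" "$ane_name" "$ane_perms" "$ane_status"
    done < "$1"
}

# acl_count FILE STATUS: number of named entries with the given status.
acl_count() {
    acl_named_entries "$1" | awk -v want="$2" '$NF == want { n++ } END { print n + 0 }'
}

# Constructed sample: the access and default ACL as the poster's getfacl
# showed it (a quoted heredoc keeps the backslashes literal).
ACL_AS_POSTED=$(mktemp)
trap 'rm -f "$ACL_AS_POSTED"' EXIT
cat > "$ACL_AS_POSTED" <<'EOF'
# file: shares/c/tecnologia/
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:domain\040admins:rwx
user:grupo_tecnologia:rwx
group::---
group:root:---
group:BUILTIN\134administrators:rwx
group:domain\040admins:rwx
group:grupo_tecnologia:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:domain\040admins:rwx
default:user:grupo_tecnologia:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\134administrators:rwx
default:group:domain\040admins:rwx
default:group:grupo_tecnologia:rwx
default:mask::rwx
default:other::---
EOF

acl_named_entries "$ACL_AS_POSTED"
echo "qualified: $(acl_count "$ACL_AS_POSTED" qualified), unqualified: $(acl_count "$ACL_AS_POSTED" unqualified)"
```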
L.P.H. van Belle
2016-Jul-04 14:56 UTC
[Samba] getfacl not have domain name and samba4 not work correctly
Hai,

> I configured in Windows the shared directory *TECNOLOGIA* security settings
> assigning full permissions to *grupo_tecnologia* (technology group).

What are the "share" rights on that share? For example, did you remove Authenticated Users or Everyone and add a new one? Is this a share which only Windows users access?

Try adding
acl_xattr:ignore system acl = yes
to your share.

!! DO RE-APPLY YOUR SHARE AND SECURITY SETTINGS TO BE SURE IT'S SET OK.

You are missing a right somewhere on the share or folder, or you're missing a UID/GID somewhere.

Look here: https://wiki.samba.org/index.php/File_sharing and choose one of the share setups; don't mix them.

Gr.

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
> Sent: Monday 4 July 2016 16:34
> To: Ulisses Féres
> CC: samba
> Subject: Re: [Samba] getfacl not have domain name and samba4 not work correctly
>
> [...]