On Wed, 10 Aug 2016 19:47:05 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:
>
>
> I will choose to use the winbind.
> Based on the link that Rowland said:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> I followed the steps as described in the tutorial.
>
> I created symlinks.
>
> In the main DC I added this line in smb.conf:
>
> idmap_ldb: use RFC2307 = yes
If this is the first DC you provisioned, you should have already had
this line, did you provision with '--use-rfc2307' ?
Try having a look here:
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>
>
> Changed /etc/nsswitch.conf
>
You only need 'winbind' on the 'passwd' & 'group' lines
>
> My smb.conf:
>
> # Global parameters
> [global]
> netbios name = SRV16
> server string = Samba4 Server
> security = ADS
> encrypt passwords = yes
> realm = domain.local
> workgroup = DOMAIN
> log file = /var/log/samba/%m.log
> log level = 1
> #
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = Yes
> winbind nss info = RFC2307
> #idmap_ldb: Use
> vfs objects = acl_xattr
> map acl inherit = Yes
> store the attributes = Yes
> # Idmap config for domain DOMAIN
> idmap config DOMAIN: backend = ad
> idmap config DOMAIN: schema_mode = RFC2307
> idmap config DOMAIN: 10000-99999 range =
'idmap config DOMAIN: 10000-99999 range ='
should be
'idmap config DOMAIN: range = 10000-99999'
You should also add:
idmap config *: backend = tdb
idmap config *: range = 2000-9999
This is where the builtin users & groups are mapped
>
>
> [data]
> comment = Folder data
> path = /mnt/data
> read only = No
> browseable = yes
> inherit acls = Yes
> inherit permissions = Yes
>
> I can view the groups and users of AD.
> The "kinit administrator" is working very well. When I try to see the
> ID of a User, it does not return anything. Also can not give
> permission through the shell of the file server, or through a Windows
> host, when logged in as domain admin.
Usual reason for this is not having any RFC2307 attributes in the user's
AD object. The numbers used in uidNumber & gidNumber attributes must be
inside the '10000-99999' range you set in your smb.conf, you must also
ensure that Domain Users has a gidNumber attribute.
>
> # setfacl -R -m g:"Domain Admins":rwx /mnt/dados
> setfacl: /mnt/dados: Malformed access ACL
> `user::rwx,group::r-x,mask::rwx,other::r-x,group:4294967295:rwx':
> Missing or wrong entry at entry 5 setfacl: /mnt/dados/teste:
> Malformed access ACL
> `user::rwx,group::r-x,mask::rwx,other::r-x,group:4294967295:rwx':
> Missing or wrong entry at entry 5
>
> # ldconfig -v | grep winbind
> ldconfig: Can not stat / libx32: not directory or file found
> ldconfig: Path / usr / lib 'Given more than once
> ldconfig: Path / usr / lib64 'Given more than once
> ldconfig: Can not stat / usr / libx32: not directory or file found
> libnss_winbind.so.2 -> libnss_winbind.so2
>
>
How have you set the libnss_winbind links ?
Rowland
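
A check for the points raised in the reply above: the misplaced `range` keyword, the missing default `*` domain, and uidNumber/gidNumber values that must fall inside the domain range. This is an added example, not code from the thread or from Samba; the `check` function and the sample ids are constructed, and 4294967295 is treated as (gid_t)-1, the value setfacl printed for the group it could not resolve.

```python
import re

# Constructed sample: the idmap lines as posted in the thread.
POSTED = """[global]
idmap config DOMAIN: backend = ad
idmap config DOMAIN: schema_mode = RFC2307
idmap config DOMAIN: 10000-99999 range =
"""
# Constructed sample: the same lines with the reply's corrections applied.
CORRECTED = """[global]
idmap config DOMAIN: backend = ad
idmap config DOMAIN: schema_mode = RFC2307
idmap config DOMAIN: range = 10000-99999
idmap config *: backend = tdb
idmap config *: range = 2000-9999
"""
IDMAP = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(.*?)\s*=\s*(.*?)\s*$", re.I)
UNMAPPED = 2**32 - 1  # (gid_t)-1, the 4294967295 that setfacl printed

def check(conf, ids=()):
    """Return a list of problems in the idmap lines and in (name, id) pairs."""
    problems, ranges = [], {}
    for line in conf.splitlines():
        m = IDMAP.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
        if not val or not re.fullmatch(r"[a-z_ ]+", opt):
            problems.append(f"malformed: {line.strip()}")
        elif opt == "range":
            r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", val)
            if r and int(r.group(1)) < int(r.group(2)):
                ranges[dom] = (int(r.group(1)), int(r.group(2)))
            else:
                problems.append(f"bad range for {dom}: {val}")
    if "*" not in ranges:
        problems.append("no range for default domain '*'")
    for name, n in ids:
        if n == UNMAPPED:
            problems.append(f"{name} is unmapped (id {n})")
        elif not any(lo <= n <= hi for d, (lo, hi) in ranges.items() if d != "*"):
            problems.append(f"{name} id {n} is outside every domain range")
    return problems

if __name__ == "__main__":
    sample = [("Domain Users", 10000), ("Domain Admins", UNMAPPED)]  # constructed ids
    for label, conf in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, check(conf, sample))
```

An id that only fits the `*` range is still reported, because RFC2307 attributes have to land in the DOMAIN range rather than the one reserved for builtin users and groups.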