On Thu, 11 Aug 2016 18:39:14 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:
>
>
> Dear Rowland,
>
> This Samba 4 domain was not provisioned from scratch.
> Here in the company we had a Windows 2008 DC. Samba was added as a
> secondary DC. For now the primary DC remains Windows, but it will be
> removed this weekend and the Samba DC will become the primary DC. In
> the file server's krb5.conf, I pointed the KDC entries at the Samba DC.
>
> Following is the smb.conf of my Samba 4 DC:
>
>
> # Global parameters
> [global]
> #bind interfaces only = Yes
> interfaces = lo eth0
> netbios name = SRV14
> realm = DOMAIN.LOCAL
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = DOMAIN
> server role = active directory domain controller
> comment =
> log file = /var/log/samba/%m.log
> log level = 1
> #
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/lojacorr.local/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
>
>
>
> > How have you set the libnss_winbind links ?
>
> I set the libnss_winbind links like this:
> My system is a CentOS 7 x86_64:
>
> # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
> # ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so2
> # ldconfig
>
> Now I can see the id of the User, with the command:
> # wbinfo -i iuser
> iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false
Yes, wbinfo shows the user, but does 'getent passwd iuser' show anything?
>
> Following is the file server smb.conf:
>
>
> # Global parameters
> [global]
> netbios name = SRV16
> server string = Samba4 Server
> security = ADS
> encrypt passwords = yes
> realm = lojacorr.local
> workgroup = DOMAIN
> log file = /var/log/samba/%m.log
> log level = 1
> #
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = Yes
> winbind nss info = RFC2307
> #idmap_ldb: Use
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> # Idmap config for domain DOMAIN
> idmap config DOMAIN: backend = ad
> idmap config DOMAIN: schema_mode = RFC2307
> idmap config DOMAIN: range = 10000-99999
> guest account = guest
>
You need to add:
idmap config * : backend = tdb
idmap config * : range = 2000-9999
> [data]
> comment = Folder data
> path = /mnt/dados
> read only = No
> browseable = yes
> inherit acls = Yes
> inherit permissions = Yes
> guest account = guest
> guest ok=yes
>
>
>
> Following is the file server nsswitch.conf:
>
>
> passwd: files winbind
> shadow: files
> group: files winbind
>
> hosts: files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
> netgroup: files
> publickey: nisplus
> automount: files
> aliases: files nisplus
>
>
>
>
> I configured this permission for SeDiskOperatorPrivilege:
> # net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'domain\administrator'
>
> When I try to set the permissions via shell, I get the same error:
>
> # setfacl -R -m g:"Domain Admins":rwx /mnt/dados
>
> setfacl: /mnt/dados: Malformed access ACL
> `user::rwx,group::r-x,mask::rwx,other::r-x,group:4294967295:rwx':
> Missing or wrong entry at entry 5
>
>
It looks like Domain Admins isn't being recognised by the OS. Does Domain
Admins have a gidNumber attribute?

Rowland