Lin Pro
2017-Feb-21 20:58 UTC
[Samba] Setting Win ACLs via Comp Managment, connection to Member Server warning
Here are ADDC files you requested to help me out:
++++++++++
/etc/hostname:dc1
/etc/hosts:127.0.0.1 localhost
/etc/hosts:192.168.0.31 dc1.siouxfalls.samdom.org dc1
/etc/hosts:
/etc/krb5.conf:[libdefaults]
/etc/krb5.conf: default_realm = ${REALM}
/etc/krb5.conf: dns_lookup_realm = false
/etc/krb5.conf: dns_lookup_kdc = true
/etc/resolv.conf:nameserver 192.168.0.31
/etc/resolv.conf:search siouxfalls.samdom.org
/etc/samba/smb.conf:[global]
/etc/samba/smb.conf: workgroup = SIOUXFALLS
/etc/samba/smb.conf: realm = SIOUXFALLS.SAMDOM.ORG
/etc/samba/smb.conf: netbios name = DC1
/etc/samba/smb.conf: server role = active directory domain controller
/etc/samba/smb.conf: dns forwarder = 24.220.0.10
/etc/samba/smb.conf: idmap_ldb:use rfc2307 = yes
/etc/samba/smb.conf: bind interfaces only = yes
/etc/samba/smb.conf: interfaces = lo ens3
/etc/samba/smb.conf:[netlogon]
/etc/samba/smb.conf: path = /var/lib/samba/sysvol/siouxfalls.samdom.org/scri$
/etc/samba/smb.conf: read only = No
/etc/samba/smb.conf:
/etc/samba/smb.conf:[sysvol]
/etc/samba/smb.conf: path = /var/lib/samba/sysvol
/etc/samba/smb.conf: read only = No
++++++++++++++
and here is the Domain Member set of files:
/etc/hostname:ubuntu-dm1
/etc/hosts:127.0.0.1 localhost
/etc/hosts:192.168.0.34 ubuntu-dm1.siouxfalls.samdom.org ubuntu-dm1
/etc/hosts:
/etc/hosts:::1 ip6-localhost ip6-loopback
/etc/hosts:fe00::0 ip6-localnet
/etc/hosts:ff00::0 ip6-mcastprefix
/etc/hosts:ff02::1 ip6-allnodes
/etc/hosts:ff02::2 ip6-allrouters
/etc/hosts:ff02::3 ip6-allhosts
/etc/krb5.conf:[libdefaults]
/etc/krb5.conf: default_realm = SIOUXFALLS.SAMDOM.ORG
/etc/krb5.conf: dns_lookup_realm = false
/etc/krb5.conf: dns_lookup_kdc = true
/etc/krb5.conf:[realms]
/etc/krb5.conf: SIOUXFALLS.SAMDOM.ORG = {
/etc/krb5.conf: kdc = DC1
/etc/krb5.conf: admin_server = DC1.SIOUXFALLS.SAMDOM.ORG
/etc/krb5.conf: }
/etc/krb5.conf:[login]
/etc/krb5.conf: krb4_convert = true
/etc/krb5.conf: krb4_get_tickets = false
/etc/krb5.conf:
/etc/resolv.conf:nameserver 192.168.0.31
/etc/resolv.conf:search siouxfalls.samdom.org
/etc/samba/smb.conf:[global]
/etc/samba/smb.conf: security = ADS
/etc/samba/smb.conf: workgroup = SIOUXFALLS
/etc/samba/smb.conf: realm = SIOUXFALLS.SAMDOM.ORG
/etc/samba/smb.conf: netbios name = UBUNTU-DM1
/etc/samba/smb.conf: server role = member server
/etc/samba/smb.conf: log file = /var/log/samba/%m.log
/etc/samba/smb.conf: log level = 1
/etc/samba/smb.conf: idmap config * : backend = tdb
/etc/samba/smb.conf: idmap config * : range = 3000-7999
/etc/samba/smb.conf: idmap config SIOUXFALLS:backend = ad
/etc/samba/smb.conf: idmap config SIOUXFALLS:schema_mode = rfc2307
/etc/samba/smb.conf: idmap config SIOUXFALLS:range = 10000-999999
/etc/samba/smb.conf: winbind nss info = rfc2307
/etc/samba/smb.conf:
/etc/samba/smb.conf:winbind separator = +
/etc/samba/smb.conf:winbind enum users = yes
/etc/samba/smb.conf:winbind enum groups = yes
/etc/samba/smb.conf:winbind use default domain = yes
/etc/samba/smb.conf:
/etc/samba/smb.conf:[TGrassShare]
/etc/samba/smb.conf:path = /srv/samba/TGrassShare
/etc/samba/smb.conf:read only = no
/etc/samba/smb.conf:
/etc/samba/smb.conf:[eACLshare]
/etc/samba/smb.conf:path = /srv/samba/eACLshare
/etc/samba/smb.conf:read only = no
/etc/samba/smb.conf:vfs objects = acl_xattr
/etc/samba/smb.conf:map acl inherit = yes
/etc/samba/smb.conf:store dos attributes = yes
/etc/samba/smb.conf:
/etc/samba/smb.conf:[users]
/etc/samba/smb.conf: path = /srv/samba/users/
/etc/samba/smb.conf: read only = no
/etc/samba/smb.conf: force create mode = 0600
/etc/samba/smb.conf: force directory mode = 0700
At this moment I am only concerned with eACLshare share. It just does
not work as instructed on the wiki
Lin
Rowland Penny
2017-Feb-21 21:23 UTC
[Samba] Setting Win ACLs via Comp Managment, connection to Member Server warning
On Tue, 21 Feb 2017 14:58:34 -0600 Lin Pro <linforpros at gmail.com> wrote:
> Here are ADDC files you requested to help me out:

OK, make /etc/krb5.conf on both machines look like this:

    [libdefaults]
        default_realm = SIOUXFALLS.SAMDOM.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = true

On the domain member smb.conf, move:

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

to [global] from the [eACLshare]

remove these lines from [users]

    force create mode = 0600
    force directory mode = 0700

those are the only problems I can see in your conf files.

Provided your users have uidNumber attributes inside the '10000-999999' range and Domain Users and Domain Admins have gidNumber attributes inside the same range it should work.

How is the Windows Server 2012 R2 joined to the domain ?

Rowland
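The checks suggested in the reply above, written out as an added example that is not part of the original thread: a small Python script that parses a member-server smb.conf, lists the share-level settings the reply says to move or remove, and tests whether a uidNumber/gidNumber lies inside the domain's idmap range. The sample config is constructed from the files posted earlier, and the function names are hypothetical.

```python
import re

# Constructed sample: the domain member smb.conf from the thread, abridged.
MEMBER_CONF = """\
[global]
    idmap config * : range = 3000-7999
    idmap config SIOUXFALLS:range = 10000-999999
[eACLshare]
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
[users]
    force create mode = 0600
    force directory mode = 0700
"""

# Per the reply: these belong in [global] ...
MOVE_TO_GLOBAL = {"vfs objects", "map acl inherit", "store dos attributes"}
# ... and these should be dropped from shares.
REMOVE = {"force create mode", "force directory mode"}

def parse(text):
    """Return {section: {key: value}}; names lower-cased, spacing normalised."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            conf[section][key] = value.strip()
    return conf

def review(conf):
    """List share-level settings the reply says to move or remove."""
    findings = []
    for name, opts in conf.items():
        if name != "global":
            findings += [f"[{name}] move '{k}' to [global]" for k in sorted(MOVE_TO_GLOBAL & opts.keys())]
            findings += [f"[{name}] remove '{k}'" for k in sorted(REMOVE & opts.keys())]
    return findings

def id_in_range(conf, domain, number):
    """True if a uidNumber/gidNumber lies inside the domain's idmap range."""
    low, high = conf["global"][f"idmap config {domain.lower()}:range"].split("-")
    return int(low) <= number <= int(high)
```

IDs that fall outside the 'ad' backend range are not mapped by that backend, so a user whose uidNumber is, say, 3000 would fail the range check here even though the default tdb range covers that number.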
Lin Pro
2017-Feb-21 22:25 UTC
[Samba] Setting Win ACLs via Comp Managment, connection to Member Server warning
I made the changes you proposed but still my system must be messed up. Please have a look at the screenshots below... maybe you or some other guru would know how to come out of this mess.

http://pasteboard.co/Ba9Ex0NQD.png
http://pasteboard.co/3Iq39El98.png

By the way, is there a clean way to reset ADDC and DM so that I could start fresh? Those two virt machines are just lab machines. I can do whatever.

Answering your question "How is the Windows Server 2012 R2 joined to the domain ? " I am not using it as a server but just as a client to administer the two virtual machines (ADDC and DM). The Server itself is a virt machine from cloudbase solutions for testing purposes.

Regards
Lin