Imo, this is a left over of an old bug, just remove the file Registry.po imo, I'll bet it's never used.
The computer looks for Registry.pol not Registry.po.

> -rwxrwx--- 1 root    users 958 2014-09-13 04:01 Registry.po*
> -rwxrwx--- 1 3000000 users 958 2014-09-13 04:01 Registry.pol*

Look at the date 2014, and I do remember something about this.

But... What does getfacl say about these files/folders?
Or get my script:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
And see if there is something wrong here in your SID/UID mappings.
The script does not apply settings by default, it only checks and creates a file with the ACL.
So you can review it.

And post your smb.conf, that helps, really.

You updated from 4.4 to 4.8, that's a big step.
I have summarized the smb.conf changes; I suggest reviewing them carefully again.
http://downloads.van-belle.nl/samba4/Upgrade-info.txt
Or
https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)
The complete list.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 13 June 2018 8:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] Admin UID changed with upgrade to 4.8.2
>
> On Tue, 12 Jun 2018 16:53:30 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > In order to get help using a more up-to-date version of Samba, I've
> > just upgraded from 4.4.16 to 4.8.2. So far, nothing new seems to be
> > broken, but I still have to track down some issues I've been having.
> >
> > First off, I notice that something has changed with my
> > BUILTIN\administrators ID. Before, I had, e.g.:
> >
> > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > total 16
> > drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
> > -rwxrwx--- 1 root                   users  958 2014-09-13 04:01 Registry.po*
> > -rwxrwx--- 1 BUILTIN\administrators users  958 2014-09-13 04:01 Registry.pol*
> > drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
> >
> > Now, with 4.8.2, doing the same ls gives me:
> >
> > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > total 16
> > drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> > -rwxrwx--- 1 root    users  958 2014-09-13 04:01 Registry.po*
> > -rwxrwx--- 1 3000000 users  958 2014-09-13 04:01 Registry.pol*
> > drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
> >
> > Is this a problem? Why would that user now be missing? What should I
> > do about this?
> >
> > THX --Mark
> >
>
> 3000000 is very probably Administrators, has libnss_winbind etc been
> updated ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Wed, 13 Jun 2018 08:50:00 +0200 "L.P.H. van Belle" wrote:

> Imo, this is a left over of an old bug, just remove the file Registry.po imo, I'll bet it's never used.
> The computer looks for Registry.pol not Registry.po.

Done. Registry.po removed.

But another problem I have with Registry.pol which I've posted under topic "Are some Group Policies broken?", which you've also replied to. I'll look at that message shortly.

> > -rwxrwx--- 1 root    users 958 2014-09-13 04:01 Registry.po*
> > -rwxrwx--- 1 3000000 users 958 2014-09-13 04:01 Registry.pol*
> Look at the date 2014, and I do remember something about this.
>
> But... What does getfacl say about these files/folders? Or get my script:
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
> And see if there is something wrong here in your SID/UID mappings.
> The script does not apply settings by default, it only checks and creates a file with the ACL.
> So you can review it.

Results of your script (excellent tool, btw):

$ ./samba-check-set-sysvol.sh
Review the file : default-rights-sysvol.acl, these contains the defaults for sysvol.
The sysvol ACLS info.....

Please check your share rights for sysvol from within windows.
If these are incorrect, correct them and run this script again.
Set your sysvol SHARE permissions as followed.
EVERYONE: READ
Authenticated Users: FULL CONTROL
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
User/Group system is added compaired to a win2008R2 sysvol, you need this for some GPO settings.

Set your sysvol FOLDER permissions as followed.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL

#####COMMENT#######################################
Louis - I made the following changes to sysvol from Windows logged in as the domain administrator:

'EVERYONE' was set to 'special', but in 'Advanced' nothing appeared to be set. I set this to FULL CONTROL.

'Authenticated Users' was not in the list at all. I added this and set to FULL CONTROL.

'HPRS\Administrators' was set to 'special', 'Advanced' showed FULL CONTROL. I set this to FULL CONTROL on the main/first dialog.

I did not find HPRS\SYSTEM. When I searched for that it came up with only SYSTEM. I did nothing.

Puzzlement: Your program output has "Set your sysvol SHARE permissions ..." and a second section with, "Set your sysvol FOLDER permissions ...". When I right-click on SYSVOL > Properties > Security, I only have one dialog for viewing and setting permissions. There is nothing about SHARE permissions versus FOLDER permissions. Nor do I see any other tab related to sharing. What do you mean by this?
#####END-OF-COMMENT##################################

$ cat default-rights-sysvol.acl
# file: /var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

> And post your smb.conf, that helps, really.

I will post this below, after Rowland's comment.

> You updated from 4.4 to 4.8, that's a big step.
> I have summarized the smb.conf changes; I suggest reviewing them carefully again.
> http://downloads.van-belle.nl/samba4/Upgrade-info.txt
> Or
> https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)
> The complete list.

I will check out both of these documents.

Meanwhile, I will restart samba and see if any of the changes I made to sysvol permissions have any effect on my issues.

> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland Penny via samba
> > Sent: Wednesday 13 June 2018 8:33
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Admin UID changed with upgrade to 4.8.2
> >
> > On Tue, 12 Jun 2018 16:53:30 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > In order to get help using a more up-to-date version of Samba, I've
> > > just upgraded from 4.4.16 to 4.8.2. So far, nothing new seems to be
> > > broken, but I still have to track down some issues I've been having.
> > >
> > > First off, I notice that something has changed with my
> > > BUILTIN\administrators ID. Before, I had, e.g.:
> > >
> > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > total 16
> > > drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
> > > -rwxrwx--- 1 root                   users  958 2014-09-13 04:01 Registry.po*
> > > -rwxrwx--- 1 BUILTIN\administrators users  958 2014-09-13 04:01 Registry.pol*
> > > drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
> > >
> > > Now, with 4.8.2, doing the same ls gives me:
> > >
> > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > total 16
> > > drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> > > -rwxrwx--- 1 root    users  958 2014-09-13 04:01 Registry.po*
> > > -rwxrwx--- 1 3000000 users  958 2014-09-13 04:01 Registry.pol*
> > > drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
> > >
> > > Is this a problem? Why would that user now be missing? What should I
> > > do about this?
> > >
> > > THX --Mark
> > >
> >
> > 3000000 is very probably Administrators, has libnss_winbind etc been
> > updated ?
> >
> > Rowland

I have no libnss_winbind file on my system. Should I?

You had once written (20 Aug 2015 15:56:15 Subject: Re: [Samba] Samba4 DC/AD documents created in redirected folders with bogus UID), "'3000000' is the UID/GID (yes it is both) for 'S-1-5-32-544' which is the Administrators group."

So, it stands to reason that this 3000000 now showing as the UID of these files is the administrator. But why did it go from ls'ing "BUILTIN\administrators" under 4.4.16 to now showing the actual GID with 4.8.2? Seems like something is not doing what it should.

--Mark

My smb.conf:

# Global parameters
[global]
	workgroup = HPRS
	realm = hprs.local
	netbios name = MAIL
	interfaces = lo, eth1
	bind interfaces only = Yes
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
	idmap_ldb:use rfc2307 = yes

	winbind use default domain = yes
	template shell = /bin/bash

	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes

	log level = 2 passdb:5 auth:10 winbind:2 lanman:10
	max log size = 10000

[netlogon]
	path = /var/lib/samba/sysvol/hprs.local/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[Users]
	path = /redirectedFolders/Users
	comment = user folders for redirection
	read only = No

[share]
	path = /var/lib/samba/share
	comment = Shared folder
	read only = No
Hi Mark,

See below. ;-)

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark
> Foley via samba
> Sent: Wednesday 13 June 2018 22:50
> To: samba at lists.samba.org
> Subject: Re: [Samba] Admin UID changed with upgrade to 4.8.2
>
> On Wed, 13 Jun 2018 08:50:00 +0200 "L.P.H. van Belle" wrote:
>
> > Imo, this is a left over of an old bug, just remove the file Registry.po imo, I'll bet it's never used.
> > The computer looks for Registry.pol not Registry.po.
>
> Done. Registry.po removed.
>
> But another problem I have with Registry.pol which I've posted under topic "Are some Group
> Policies broken?", which you've also replied to. I'll look at that message shortly.
>
> > > -rwxrwx--- 1 root    users 958 2014-09-13 04:01 Registry.po*
> > > -rwxrwx--- 1 3000000 users 958 2014-09-13 04:01 Registry.pol*
> > Look at the date 2014, and I do remember something about this.
> >
> > But... What does getfacl say about these files/folders? Or get my script:
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
> > And see if there is something wrong here in your SID/UID mappings.
> > The script does not apply settings by default, it only checks and creates a file with the ACL.
> > So you can review it.
>
> Results of your script (excellent tool, btw):

Thanks for the nice comment :-)

> $ ./samba-check-set-sysvol.sh
> Review the file : default-rights-sysvol.acl, these contains the defaults for sysvol.
> The sysvol ACLS info.....
>
> Please check your share rights for sysvol from within windows.
> If these are incorrect, correct them and run this script again.
> Set your sysvol SHARE permissions as followed.
> EVERYONE: READ
> Authenticated Users: FULL CONTROL
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> User/Group system is added compaired to a win2008R2 sysvol, you need this for some GPO settings.
>
> Set your sysvol FOLDER permissions as followed.
> Authenticated Users: Read & Exec, Show folder content, Read
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
>
> #####COMMENT#######################################
> Louis - I made the following changes to sysvol from Windows logged in as the domain
> administrator:
>
> 'EVERYONE' was set to 'special', but in 'Advanced' nothing appeared to be set. I set this to
> FULL CONTROL.

After that "Advanced" tab, click change owner, click edit/change.
There you will see what "Special" is.

> 'Authenticated Users' was not in the list at all. I added this and set to FULL CONTROL.
>
> 'HPRS\Administrators' was set to 'special', 'Advanced' showed FULL CONTROL. I set this to FULL
> CONTROL on the main/first dialog.
>
> I did not find HPRS\SYSTEM. When I searched for that it came up with only SYSTEM. I did nothing.

Ok, you need to add SYSTEM, that's one of the most important ones.
Then this is already a bit changed in samba, great, I'll go review that
when I'm done with my work here.

> Puzzlement: Your program output has "Set your sysvol SHARE permissions ..." and a second
> section with, "Set your sysvol FOLDER permissions ...". When I right-click on SYSVOL >
> Properties > Security, I only have one dialog for viewing and setting permissions. There is
> nothing about SHARE permissions versus FOLDER permissions. Nor do I see any other tab related
> to sharing. What do you mean by this?

SHARE Permissions:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
See : Setting Share Permissions and ACLs
Click Start, enter Computer Management, and start the application.
Select Action / Connect to another computer.
Enter the name of the Samba host and click OK to connect the console to the host.
Open the System Tools / Shared Folders / Shares menu entry.
And review your sysvol, and set it to :
EVERYONE: READ
Authenticated Users: FULL CONTROL
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM or (nothing) ) \SYSTEM, FULL CONTROL

Folder permissions:
Use explorer, browse to a folder, go to the security tab.
Set your sysvol FOLDER permissions as follows.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL

> #####END-OF-COMMENT##################################
>
> $ cat default-rights-sysvol.acl
> # file: /var/lib/samba/sysvol
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> > And post your smb.conf, that helps, really.
>
> I will post this below, after Rowland's comment.
>
> > You updated from 4.4 to 4.8, that's a big step.
> > I have summarized the smb.conf changes; I suggest reviewing them carefully again.
> > http://downloads.van-belle.nl/samba4/Upgrade-info.txt
> > Or
> > https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)
> > The complete list.
>
> I will check out both of these documents.
>
> Meanwhile, I will restart samba and see if any of the changes I made to sysvol permissions have
> any effect on my issues.
>
> > Louis
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > > Rowland Penny via samba
> > > Sent: Wednesday 13 June 2018 8:33
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] Admin UID changed with upgrade to 4.8.2
> > >
> > > On Tue, 12 Jun 2018 16:53:30 -0400
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > > In order to get help using a more up-to-date version of Samba, I've
> > > > just upgraded from 4.4.16 to 4.8.2. So far, nothing new seems to be
> > > > broken, but I still have to track down some issues I've been having.
> > > >
> > > > First off, I notice that something has changed with my
> > > > BUILTIN\administrators ID. Before, I had, e.g.:
> > > >
> > > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > > total 16
> > > > drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
> > > > -rwxrwx--- 1 root                   users  958 2014-09-13 04:01 Registry.po*
> > > > -rwxrwx--- 1 BUILTIN\administrators users  958 2014-09-13 04:01 Registry.pol*
> > > > drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
> > > >
> > > > Now, with 4.8.2, doing the same ls gives me:
> > > >
> > > > > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > > total 16
> > > > drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> > > > -rwxrwx--- 1 root    users  958 2014-09-13 04:01 Registry.po*
> > > > -rwxrwx--- 1 3000000 users  958 2014-09-13 04:01 Registry.pol*
> > > > drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
> > > >
> > > > Is this a problem? Why would that user now be missing? What should I
> > > > do about this?
> > > >
> > > > THX --Mark
> > > >
> > >
> > > 3000000 is very probably Administrators, has libnss_winbind etc been
> > > updated ?
> > >
> > > Rowland
>
> I have no libnss_winbind file on my system. Should I?
>
> You had once written (20 Aug 2015 15:56:15 Subject: Re: [Samba] Samba4 DC/AD documents created
> in redirected folders with bogus UID), "'3000000' is the UID/GID (yes it is both) for
> 'S-1-5-32-544' which is the Administrators group."
>
> So, it stands to reason that this 3000000 now showing as the UID of these files is the
> administrator. But why did it go from ls'ing "BUILTIN\administrators" under 4.4.16 to now
> showing the actual GID with 4.8.2? Seems like something is not doing what it should.
>
> --Mark
>
> My smb.conf:
>
> # Global parameters
> [global]
>         workgroup = HPRS
>         realm = hprs.local
>         netbios name = MAIL
>         interfaces = lo, eth1
>         bind interfaces only = Yes
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>
>         winbind use default domain = yes
>         template shell = /bin/bash
>
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>
>         log level = 2 passdb:5 auth:10 winbind:2 lanman:10
>         max log size = 10000
>
> [netlogon]
>         path = /var/lib/samba/sysvol/hprs.local/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [Users]
>         path = /redirectedFolders/Users
>         comment = user folders for redirection
>         read only = No
>
> [share]
>         path = /var/lib/samba/share
>         comment = Shared folder
>         read only = No

And I did read the comment for Rowland below.
On Debian you need :
libnss-winbind libpam-winbind to be installed.
I think you miss one of these.

With 4.8.2 on my DC's I see:

ls -al sysvol/
drwxrwx---+ 5 root BUILTIN\administrators 4096 Dec 21 13:14 internal.domain.tld

Note the ^^^ (+) in above line, then use getfacl to see all ACLs.
If you use chmod, you might destroy your very needed windows ACLs.

And I see with getfacl:

# file: var/lib/samba/sysvol/internal.domain.tld
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

If you don't get your IDs,
try adding Domain and Local-Realms to : /etc/idmapd.conf

Greetz,

Louis
On Thu, 14 Jun 2018 09:39:46 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> And I did read the comment for Rowland below.
> On Debian you need :
> libnss-winbind libpam-winbind to be installed.
> I think you miss one of these.

They are the glue that connects Samba to nsswitch and allows 'getent passwd username' to work. Without the 'glue', checking ownership etc. of files with 'ls -l' will only show numbers; this is because the OS doesn't know who the numbers are.

> With 4.8.2 on my DC's I see:
> ls -al sysvol/
> drwxrwx---+ 5 root BUILTIN\administrators 4096 Dec 21 13:14 internal.domain.tld
>
> Note the ^^^ (+) in above line, then use getfacl to see all ACLs.
> If you use chmod, you might destroy your very needed windows ACLs.
>
> And I see with getfacl

And Louis also uses 'acl_xattr:ignore system acls = yes', this means that you can ignore the system ACL and what getfacl produces. The permissions you set from Windows are actually stored in 'security.NTACL'.

To see the contents of this attr:

getfattr -n security.NTACL /home/testdata
getfattr: Removing leading '/' from absolute path names
# file: home/testdata
security.NTACL=[blob elided]

Not very readable is it ?

> If you don't get your IDs,
> try adding Domain and Local-Realms to : /etc/idmapd.conf

Don't understand the above, what has an NFS conf file got to do with Samba ?

Rowland
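Louis's message above shows what getfacl prints for a healthy sysvol, and Rowland's explains why a DC without libnss_winbind shows raw numbers and why chmod is dangerous on an ACL-bearing tree. The script below is an added example, not code from the thread, from samba-check-set-sysvol.sh or from the Samba project. It parses a getfacl dump, undoes getfacl's octal escapes (\134 and \040 in Louis's listing), diffs the result against the default-rights-sysvol.acl listing posted earlier in the thread, lists qualifiers that are still raw xids, and can ask wbinfo which SID each xid belongs to. The sample dump is constructed from Louis's listing with two deliberate faults (a clobbered access mask and one missing default entry); the name-to-xid alias table is an assumption read off the two listings in the thread (3000000 is BUILTIN\Administrators per Rowland's earlier statement, 3000001 appears as BUILTIN\server operators in Louis's output).

```python
"""Added example (not from the thread or Samba): check a getfacl dump of sysvol."""
import re
import shutil
import subprocess

# Default ACL that samba-check-set-sysvol.sh wrote to default-rights-sysvol.acl
# in the thread.  Qualifiers are the DC's idmap.ldb xids; 3000000 is
# BUILTIN\Administrators (S-1-5-32-544).
EXPECTED_SYSVOL_ACL = "\n".join([
    "user::rwx", "user:root:rwx", "user:3000000:rwx", "user:3000001:r-x",
    "user:3000002:rwx", "user:3000003:r-x", "group::rwx", "group:3000000:rwx",
    "group:3000001:r-x", "group:3000002:rwx", "group:3000003:r-x",
    "mask::rwx", "other::---",
    "default:user::rwx", "default:user:root:rwx", "default:user:3000000:rwx",
    "default:user:3000001:r-x", "default:user:3000002:rwx",
    "default:user:3000003:r-x", "default:group::---",
    "default:group:3000000:rwx", "default:group:3000001:r-x",
    "default:group:3000002:rwx", "default:group:3000003:r-x",
    "default:mask::rwx", "default:other::---",
])

_OCTAL = re.compile(r"\\([0-7]{3})")

def unescape(name):
    """Undo getfacl's \\NNN octal escapes (\\134 is a backslash, \\040 a space)."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Map (scope, tag, qualifier) -> perms; scope is 'access' or 'default'."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops '# file:' headers, '#effective:' notes
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.rsplit(":", 2)   # qualifier is '' for owner/mask/other
        entries[(scope, tag, unescape(qualifier))] = perms
    return entries

def numeric_qualifiers(entries):
    """Qualifiers still shown as raw xids: NSS (libnss_winbind) did not resolve them."""
    return sorted({(tag, q) for (_, tag, q) in entries if q.isdigit()})

def compare_acl(actual, aliases=None, expected=None):
    """Diff an ACL against the sysvol default; aliases maps resolved names back to xids."""
    aliases = aliases or {}
    actual = {(s, t, aliases.get(q, q)): p for (s, t, q), p in actual.items()}
    if expected is None:
        expected = parse_getfacl(EXPECTED_SYSVOL_ACL)
    missing = sorted(k for k in expected if k not in actual)
    extra = sorted(k for k in actual if k not in expected)
    differing = sorted((k, actual[k], expected[k])
                       for k in expected if k in actual and actual[k] != expected[k])
    return missing, extra, differing

def wbinfo_resolver(tag, xid):
    """Ask winbind which SID an xid maps to; None when wbinfo is absent or fails."""
    if not shutil.which("wbinfo"):
        return None
    flag = "--uid-to-sid" if tag == "user" else "--gid-to-sid"
    proc = subprocess.run(["wbinfo", flag, xid], capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None

def resolve_numeric(entries, resolver=wbinfo_resolver):
    """Map every raw xid in the ACL to a SID (or None) using the resolver."""
    return {key: resolver(*key) for key in numeric_qualifiers(entries)}

# Constructed sample modelled on Louis's listing: two groups resolved by NSS, the
# access mask clobbered (a stray 'chmod g-w' rewrites the mask entry, not the
# group entry) and default:group:3000003 missing.
SAMPLE_DUMP = "\n".join([
    "# file: var/lib/samba/sysvol/internal.domain.tld",
    "# owner: root", "# group: BUILTIN\\134administrators",
    "user::rwx", "user:root:rwx", "user:3000000:rwx", "user:3000001:r-x",
    "user:3000002:rwx", "user:3000003:r-x", "group::rwx",
    "group:BUILTIN\\134administrators:rwx",
    "group:BUILTIN\\134server\\040operators:r-x",
    "group:3000002:rwx", "group:3000003:r-x", "mask::r-x", "other::---",
    "default:user::rwx", "default:user:root:rwx", "default:user:3000000:rwx",
    "default:user:3000001:r-x", "default:user:3000002:rwx",
    "default:user:3000003:r-x", "default:group::---",
    "default:group:BUILTIN\\134administrators:rwx",
    "default:group:BUILTIN\\134server\\040operators:r-x",
    "default:group:3000002:rwx", "default:mask::rwx", "default:other::---",
])
# Name -> xid, an assumed mapping read off the two listings in the thread.
ALIASES = {"BUILTIN\\administrators": "3000000",
           "BUILTIN\\server operators": "3000001"}

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_DUMP)
    print("missing / extra / differing:", compare_acl(acl, ALIASES))
    print("raw xids and their SIDs:", resolve_numeric(acl))
```

To run it against a real DC, feed `getfacl /var/lib/samba/sysvol` output to `parse_getfacl` instead of the constructed dump; anything reported under "differing" on the mask entry is the signature of a chmod having touched the tree, and any xid that `wbinfo` cannot map points at the idmap side rather than at the missing NSS package.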
On Thu, 14 Jun 2018 09:39:46 +0200 L.P.H. van Belle wrote:

> Hi Mark,
>
> See below. ;-)
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark
> > Foley via samba
> > Sent: Wednesday 13 June 2018 22:50
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Admin UID changed with upgrade to 4.8.2
> >

[deleted]

> > > But... What does getfacl say about these files/folders? Or get my script:
> > > https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
> > > And see if there is something wrong here in your SID/UID mappings.
> > > The script does not apply settings by default, it only checks and creates a file with the ACL.
> > > So you can review it.
> >
> > Results of your script (excellent tool, btw):
> Thanks for the nice comment :-)
>
> > $ ./samba-check-set-sysvol.sh
> > Review the file : default-rights-sysvol.acl, these contains the defaults for sysvol.
> > The sysvol ACLS info.....
> >
> > Please check your share rights for sysvol from within windows.
> > If these are incorrect, correct them and run this script again.
> > Set your sysvol SHARE permissions as followed.
> > EVERYONE: READ
> > Authenticated Users: FULL CONTROL
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> > User/Group system is added compaired to a win2008R2 sysvol, you need this for some GPO settings.
> >
> > Set your sysvol FOLDER permissions as followed.
> > Authenticated Users: Read & Exec, Show folder content, Read
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> >
> > #####COMMENT#######################################
> > Louis - I made the following changes to sysvol from Windows logged in as the domain
> > administrator:
> >
> > 'EVERYONE' was set to 'special', but in 'Advanced' nothing appeared to be set. I set this to
> > FULL CONTROL.
>
> After that "Advanced" tab, click change owner, click edit/change.
> There you will see what "Special" is.

You are right. I thought I did that, but must not have. In the "Special" permissions for EVERYONE I have: (Apply to Subfolders and files only) 'Traverse folder / execute file', 'List folder /read data', 'Read attributes', 'Read extended attributes', 'Read Permissions'.

I set these when I first installed the AD/DC with Samba 4.1 based on the alexwyn link http://ww17.alexwyn.com/computer-tips/folder-redirection-samba4-active-directory-domain-controller which no longer seems to be up. I'll double-check those settings to make sure all are still there.

> > 'Authenticated Users' was not in the list at all. I added this and set to FULL CONTROL.
> >
> > 'HPRS\Administrators' was set to 'special', 'Advanced' showed FULL CONTROL. I set this to FULL
> > CONTROL on the main/first dialog.
> >
> > I did not find HPRS\SYSTEM. When I searched for that it came up with only SYSTEM. I did nothing.
>
> Ok, you need to add SYSTEM, that's one of the most important ones.
> Then this is already a bit changed in samba, great, I'll go review that
> when I'm done with my work here.

Well, I'm not sure how to add that user. What is the UID/GID? Is this a user added by provisioning in later (than 4.1) versions of Samba and that's why I don't have it?

> > Puzzlement: Your program output has "Set your sysvol SHARE permissions ..." and a second
> > section with, "Set your sysvol FOLDER permissions ...". When I right-click on SYSVOL >
> > Properties > Security, I only have one dialog for viewing and setting permissions. There is
> > nothing about SHARE permissions versus FOLDER permissions. Nor do I see any other tab related
> > to sharing. What do you mean by this?
>
> SHARE Permissions:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> See : Setting Share Permissions and ACLs
> Click Start, enter Computer Management, and start the application.
> Select Action / Connect to another computer.
> Enter the name of the Samba host and click OK to connect the console to the host.
> Open the System Tools / Shared Folders / Shares menu entry.

Interesting. I've never seen that whole 'Computer Management, Connect to another computer' thing before ...

OK, Everyone is currently set to FULL CONTROL. I'll set that to READ. No other users are set. I'll set as you describe below.

I note that your specification for SYSTEM, below, is "(BUILTIN or NTDOM or (nothing) )" whereas your samba-check-set-sysvol.sh program outputs "(BUILTIN or NTDOM)", and your Folder permissions below also omit the "or nothing" qualifier. If the "or nothing" bit applies to the folder permission too, then I do have that user. For now, I'll assume plain 'ole "SYSTEM" w/o domain prefix is correct for the folder and go back and change that. Let me know if I have to add a new domain SYSTEM user.

> And review your sysvol, and set it to :
> EVERYONE: READ
> Authenticated Users: FULL CONTROL
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM or (nothing) ) \SYSTEM, FULL CONTROL
>
> Folder permissions:
> Use explorer, browse to a folder, go to the security tab.
> Set your sysvol FOLDER permissions as follows.
> Authenticated Users: Read & Exec, Show folder content, Read
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL

These I did set yesterday after your previous message, except for SYSTEM. I've gone ahead and set (nothing)\SYSTEM to FULL CONTROL. I'll remove if you tell me this is incorrect.

> > #####END-OF-COMMENT##################################
> >
> > $ cat default-rights-sysvol.acl

To keep clutter down, I'll repost the facl output from your samba-check-set-sysvol.sh after

> > > You updated from 4.4 to 4.8, that's a big step.
> > > I have summarized the smb.conf changes; I suggest reviewing them carefully again.
> > > http://downloads.van-belle.nl/samba4/Upgrade-info.txt
> > > Or
> > > https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)
> > > The complete list.
> >
> > I will check out both of these documents.
> >
> And I did read the comment for Rowland below.
> On Debian you need :
> libnss-winbind libpam-winbind to be installed.
> I think you miss one of these.

The UID issue and the sysvol permission issue are really two different things and I for one get easily confused with conflated threads. I'm going to remove these sysvol/permission comments and post with a different topic. I'll leave these Rowland/UID related comments in this thread and break the two up.

--Mark