Hai,

I suggest, start reading here, it explains all.
https://lists.samba.org/archive/samba/2018-February/213690.html

The script in that thread is not changing anything by default.

I suggest try it and post the output.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 6 November 2018 12:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] classicupgrade
>
> On Tue, 6 Nov 2018 12:13:31 +0100
> Corrado Ravinetto via samba <samba at lists.samba.org> wrote:
>
> > On 06/11/2018 11:48, Rowland Penny via samba wrote:
> > > No, your GPO's will still work.
> >
> > ok
> > but when i created my gpo in sysvol i cannot access to this share
> > because:
> >
> > drwxrwx---+ 4 3000002 3000002 48  6 nov 12.03 {CE2EBBA2-28FE-45D7-94EC-CD7357F38D73}
> >
> > Must i, for each new policy, adjust right and owner ???
> >
> > mmmmmmmh
>
> '3000002' is coming from idmap.ldb and because '3000002' isn't a Unix
> user, it isn't mapped to a Unix name, it could in fact be a group, yes,
> groups on Windows can own folders & files.
>
> There is a wiki page that might help:
>
> https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
>
> Further than that, I cannot help, I do not use GPO's, I don't have any
> Windows clients ;-)
>
> Perhaps Louis might care to chime in here.
>
> Rowland
hello
i read this post, but when i check property tab, explorer crash and i
cannot changing anything.
My question is: for each new policy i must change this default ???
Cannot I change create mask on smb.conf for sysvol share ???

thanks at all

-- 
Corrado Ravinetto
On Tue, 6 Nov 2018 13:44:05 +0100
Corrado Ravinetto via samba <samba at lists.samba.org> wrote:

> hello
> i read this post, but when i check property tab, explorer crash and i
> cannot changing anything.

It shouldn't crash, it isn't common, but it has been known to happen,
usually because something is misconfigured. Check your smb.conf etc
and if it still occurs, get a level 10 log and a wireshark trace and
open a bug report.

> My question is: for each new policy i must change this default ???

No, you shouldn't have to

> Cannot I change create mask on smb.conf for sysvol share ???

No, leave the smb.conf alone.

Rowland
This is one time settings.
And yes, for each policy you need to click on these once. ( in the gpo policy objects in GPO editor )

Can you post smb.conf

getfacl PATH_TO_SYSVOL

getent the_Folder_ONE_below-PATH_TO_SYSVOL

Explorer crashes, if 9 out of 10 x a wrong right on the folder below the point you're sharing.
Per example.

getfacl /home
getfacl /home/samba
getfacl /home/samba/share/
getfacl /home/samba/share/data

Can you post these all also but replace the example path to your setup.

Greetz,

Louis
great :-)

On 06/11/2018 14:17, L.P.H. van Belle via samba wrote:
> This is one time settings.
> And yes, for each policy you need to click on these once. ( in the gpo policy objects in GPO editor )

ok

> Can you post smb.conf

[global]
        netbios name = DC1
        realm = LXCERRUTI.COM
        server role = active directory domain controller
        workgroup = LXCERRUTI
        idmap_ldb:use rfc2307 = yes
        log level = 1

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

> getfacl PATH_TO_SYSVOL

i'm not sure these are the original, i do many changes ....

# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

> getent the_Folder_ONE_below-PATH_TO_SYSVOL
>
> Explorer crashes, if 9 out of 10 x a wrong right on the folder below the point you're sharing.
> Per example.
>
> getfacl /home
> getfacl /home/samba
> getfacl /home/samba/share/
> getfacl /home/samba/share/data
>
> Can you post these all also but replace the example path to your setup.

my dc is not a file server, no home or share in this server
only netlogon and sysvol

# file: usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

> Greetz,
>
> Louis

-- 
Corrado Ravinetto
Hai, 
Ok, i expected a bit different outputs. 
On my DC, i use /home/samba/sysvol and /home/samba/netlogon.
This is what i expected. 
getfacl /home/samba/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:mask::rwx
default:other::---
Now how am i getting that if I'm sharing : /home/samba/sysvol
I've also shared  :   /home/samba  before the setup.
I've set the above rights first on /home/samba
And then I've set the rights on /home/samba/sysvol
Before you do that.
wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
That generated a file called : default-rights-sysvol.acl 
With this as content: 
# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
And if you use sysvol/netlogon only for windows computers, which you do. 
Set these : ( change the path to your setup. ) 
[sysvol]
        path = /home/samba/sysvol
        read only = No
        acl_xattr:ignore system acls = yes
[netlogon]
        path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
        read only = No
        acl_xattr:ignore system acls = yes
It's, in my opinion, the best way to make your sysvol work without problems.
Greetz, 
Louis
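
Added example, not part of the original thread and not the script linked above: a read-only check over getfacl output that reports the two things the ACLs posted in this thread differ on, namely rights granted to "other" (the reference ACL has other::---) and entries that appear as raw idmap.ldb xIDs such as 3000002. The helper names audit_sysvol_acl and sample_acl are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. audit_sysvol_acl and sample_acl are
# hypothetical helper names. Nothing here changes an ACL.

# Reads getfacl text on stdin and prints one finding per line:
#   WORLD <scope> other::<perms>  "other" has rights (Louis' reference has other::---)
#   XID <id> <types>              numeric qualifier: an idmap.ldb xID with no Unix name
# Returns 1 if a WORLD finding was printed, otherwise 0.
audit_sysvol_acl() {
    awk -F: '
        { sub(/[ \t]+#effective.*$/, "") }      # drop getfacl "#effective:" notes
        /^#/ || /^[ \t]*$/ { next }             # skip "# file/owner/group" and blanks
        {
            # Entry layout: [default:]type:qualifier:perms
            scope = "access"; i = 1
            if ($1 == "default") { scope = "default"; i = 2 }
            type = $i; who = $(i + 1); perms = $(i + 2)

            if (type == "other" && perms != "---") {
                printf "WORLD %s other::%s\n", scope, perms
                world = 1
            }
            if ((type == "user" || type == "group") && who ~ /^[0-9]+$/) {
                if (!(who in types)) { order[++n] = who; types[who] = type }
                else if (index("+" types[who] "+", "+" type "+") == 0)
                    types[who] = types[who] "+" type
            }
        }
        END {
            for (k = 1; k <= n; k++) printf "XID %s %s\n", order[k], types[order[k]]
            exit world + 0
        }
    '
}

# Sample input: shortened copy of the sysvol ACL posted earlier in the thread.
sample_acl() {
    cat <<'EOF'
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: root
user::rwx
user:3000000:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:rwx
mask::rwx
other::rwx
default:user:3000000:rwx
default:group:3000001:rwx
default:other::---
EOF
}

# On a DC, pipe real output instead: getfacl /path/to/sysvol | audit_sysvol_acl
sample_acl | audit_sysvol_acl || true
```

The XID lines are informational only, since the reference ACL in this message also contains numeric entries; only a WORLD finding sets the non-zero return status.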