On Thu, 14 Jun 2018 09:39:46 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> And i did read the Comment to for Rowland below,
> On debian you need :
> libnss-winbind libpam-winbind to be installed.
> I think you miss one of these.

They are the glue that connects Samba to nsswitch and allows 'getent passwd username' to work. Without the 'glue', checking for ownership etc. of a file with 'ls -l' will only show numbers; this is because the OS doesn't know who the numbers are.

> With 4.8.2 on my DC's i see:
> ls -al sysvol/
> drwxrwx---+ 5 root BUILTIN\administrators 4096 Dec 21 13:14 internal.domain.tld
>
> Note the ^^^ (+) in above line, then use getfacl to see all ACL's
> If you use chmod, you might destroy your very needed windows ACL's
>
> And i see with getfacl

And Louis also uses 'acl_xattr:ignore system acls = yes', this means that you can ignore the system ACL and what getfacl produces.

The permissions you set from windows are actually stored in 'security.NTACL'

To see the contents of this attr:

getfattr -n security.NTACL /home/testdata
getfattr: Removing leading '/' from absolute path names
# file: home/testdata
security.NTACL=0sAwA [deleted] KCAAA

Not very readable is it ?

> Id you dont get you id's
> Try adding Domain and Local-Realms to : /etc/idmapd.conf
>

Don't understand the above, what has an NFS conf file got to do with Samba ?

Rowland
On Thu, 14 Jun 2018 10:50:15 +0100 Rowland Penny wrote:

> On Thu, 14 Jun 2018 09:39:46 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > And i did read the Comment to for Rowland below,
> > On debian you need :
> > libnss-winbind libpam-winbind to be installed.
> > I think you miss one of these.
>
> They are the glue that connects Samba to nsswitch and allows 'getent
> passwd username' to work. Without the 'glue' checking for ownership etc
> of file with 'ls -l' will only show numbers, this is because the OS
> doesn't know who the numbers are.

Well, my getent *does* work on both the AD/DC and domain members. Also, my 'ls' does show names, not just numbers. Example:

> ls -l /redirectedFolders/Users/
total 88
drwxrwx---+  6 root          domusers 4096 2015-09-03 13:13 Administrator/
drwxrwx---+  5 3000038       domusers 4096 2015-09-03 07:39 doris/
drwxrwx---+  5 HPRS\hcarr    domusers 4096 2015-09-03 07:37 hcarr/
drwxrwxr-x+ 34 HPRS\mark     domusers 4096 2018-06-10 22:51 mark/
drwxrwx---+  5 HPRS\shay     domusers 4096 2016-07-15 22:58 shay/
drwxrwx---+  5 HPRS\summitoh domusers 4096 2015-09-11 09:57 summitoh/

> ls -ln /redirectedFolders/Users/
total 88
drwxrwx---+  6 0       10000 4096 2015-09-03 13:13 Administrator/
drwxrwx---+  5 3000038 10000 4096 2015-09-03 07:39 doris/
drwxrwx---+  5 10004   10000 4096 2015-09-03 07:37 hcarr/
drwxrwxr-x+ 34 10001   10000 4096 2018-06-10 22:51 mark/
drwxrwx---+  5 10010   10000 4096 2016-07-15 22:58 shay/
drwxrwx---+  5 3000050 10000 4096 2015-09-11 09:57 summitoh/

In the first list, users showing HPRS\username are domain users. Their UIDs are shown in the 2nd list. UIDs 3000038 and 3000050 are from my initial provisioning before you (Rowland) told me not to use that default range and rather use range 10000-10099 instead (12/1/2017 03:58AM, subject: "getent passwd does not show correct UID.GID"). I had to change the others in idmap.ldb. I have not yet changed doris and summitoh.

Nevertheless, 'ls' does give names though I don't seem to have either libnss-winbind or libpam-winbind files on my AD/DC.

Circling back to the OP, with 4.4.16 I got:

> ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
total 16
drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
-rwxrwx--- 1 BUILTIN\administrators users  958 2014-09-13 04:01 Registry.pol*
drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/

Now, with 4.8.2, doing the same ls gives me:

> ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
total 16
drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
-rwxrwx--- 1 3000000 users  958 2014-09-13 04:01 Registry.pol*
drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/

I'm still not sure I've gleaned an answer. I'll check sam.ldb and idmap.ldb for clues.

> > With 4.8.2 on my DC's i see:
> > ls -al sysvol/
> > drwxrwx---+ 5 root BUILTIN\administrators 4096 Dec 21 13:14 internal.domain.tld

Funny you should mention that. I was going to post the same thing, mine is:

rwxrwxr--+ 3 root BUILTIN\administrators 4096 2014-09-03 00:46 sysvol/

I thought it strange that it would list the 300000 groupname, but for files owned by 300000 it will only list the UID number, not the username.

> > Note the ^^^ (+) in above line, then use getfacl to see all ACL's
> > If you use chmod, you might destroy your very needed windows ACL's
> >
> > And i see with getfacl

(sorry Rowland - I restored Louis' getfacl for comparison with mine)

> > # file: var/lib/samba/sysvol/internal.domain.tld
> > # owner: root
> > # group: BUILTIN\134administrators
> > user::rwx
> > user:root:rwx
> > user:3000000:rwx
> > user:3000001:r-x
> > user:3000002:rwx
> > user:3000003:r-x
> > group::rwx
> > group:BUILTIN\134administrators:rwx
> > group:BUILTIN\134server\040operators:r-x
> > group:3000002:rwx
> > group:3000003:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:3000000:rwx
> > default:user:3000001:r-x
> > default:user:3000002:rwx
> > default:user:3000003:r-x
> > default:group::---
> > default:group:BUILTIN\134administrators:rwx
> > default:group:BUILTIN\134server\040operators:r-x
> > default:group:3000002:rwx
> > default:group:3000003:r-x
> > default:mask::rwx
> > default:other::---

My getfacl is:

$ getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000002:rwx
user:3000003:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:rwx
mask::rwx
other::r--
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000002:rwx
default:user:3000003:rwx
default:group::r-x
default:group:BUILTIN\134administrators:rwx
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:rwx
default:mask::rwx
default:other::r-x

Differences between Louis' facl and mine:

I'm missing user 3000001.

In group, I have:

group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:rwx

and am missing Louis':
group:3000002:rwx
group:3000003:r-x

whereas Louis has:
group:BUILTIN\134server\040operators:r-x

For 'other' I have "other::r--" whereas Louis has "other::---"

For default I am again missing user 3000001 and my 3000003 is rwx rather than Louis' r-x.
My 'default-group' is "r-x", Louis' "---".
Same group difference with 'default' as mentioned above with my 040AUTHORITY and Louis' 040operators.
My "default:other::r-x", Louis' "default:other::---"

Are my different settings bad?

> And Louis also uses 'acl_xattr:ignore system acls = yes',

How do you know that? I don't see that listed in Louis' message?

> this means that you can ignore the system ACL and what getfacl produces.
>
> The permissions you set from windows is actually stored in in
> 'security.NTACL'
>
> To see the contents of this attr:
>
> getfattr -n security.NTACL /home/testdata
> getfattr: Removing leading '/' from absolute path names
> # file: home/testdata
> security.NTACL=0sAwA [deleted] KCAAA
>
> Not very readable is it ?

Tried that on /var/lib/samba/sysvol. Yup, gobbledygook!

> > Id you dont get you id's
> > Try adding Domain and Local-Realms to : /etc/idmapd.conf
> >
>
> Don't understand the above, what has an NFS conf file got do with
> Samba ?
>
> Rowland

I'll not mess with this yet.

--Mark
On Thu, 14 Jun 2018 16:03:35 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> Nevertheless, 'ls' does give names though I don't seem to have either
> libnss-winbind or libpam-winbind files on my AD/DC.

I keep forgetting that you use slackware, I suppose it uses something different, but do you have any file like: libnss_winbind.so.2

> Circling back to the OP, with 4.4.16 I got:
>
> > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> total 16
> drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
> -rwxrwx--- 1 BUILTIN\administrators users  958 2014-09-13 04:01 Registry.pol*
> drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
>
> Now, with 4.8.2, doing the same ls gives me:
>
> > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> total 16
> drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> -rwxrwx--- 1 3000000 users  958 2014-09-13 04:01 Registry.pol*
> drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
>
> I'm still not sure I've gleaned an answer. I'll check sam.ldb and
> idmap.ldb for clues.

For some reason, nsswitch (and/or idmap.ldb) isn't mapping '3000000' to 'Administrators'

> > > With 4.8.2 on my DC's i see:
> > > ls -al sysvol/
> > > drwxrwx---+ 5 root BUILTIN\administrators 4096 Dec 21 13:14 internal.domain.tld
>
> Funny you should mention that. I was going to post the same thing,
> mine is:
>
> rwxrwxr--+ 3 root BUILTIN\administrators 4096 2014-09-03 00:46 sysvol/
>
> I thought it strange that it would list the 300000 groupname, but for
> files owned by 300000 it will only list the UID number, not the
> username.

AH-Ha, the only place that maps an ID to a user AND a group is idmap.ldb, where it gets 'ID_TYPE_BOTH'. Have you given 'Administrators' a uidNumber ? or is it being mapped to 'ID_TYPE_UID' in idmap.ldb ?

> and am missing Louis':
> group:3000002:rwx
> group:3000003:r-x
>
> whereas Louis has:
> group:BUILTIN\134server\040operators:r-x
>
> For 'other' I have "other::r--" whereas Louis has "other::---"
>
> For default I am again missing user 3000001 and my 3000003 is rwx
> rather than Louis' r-x. My 'default-group' is "r-x", Louis' "---".
> Same group difference with 'default' as mentioned above with my
> 040AUTHORITY and Louis' 040operators.
> My "default:other::r-x", Louis' "default:other::---"
>
> Are my different settings bad?

Not necessarily, different DC's get different ID's for the users/groups.

> > And Louis also uses 'acl_xattr:ignore system acls = yes',
>
> How do you know that? I don't see that listed in Louis' message?

I just do ;-) Try reading 'man vfs_acl_xattr'

> > this means that you can ignore the system ACL and what getfacl
> > produces.
> >
> > The permissions you set from windows is actually stored in in
> > 'security.NTACL'
> >
> > To see the contents of this attr:
> >
> > getfattr -n security.NTACL /home/testdata
> > getfattr: Removing leading '/' from absolute path names
> > # file: home/testdata
> > security.NTACL=0sAwA [deleted] KCAAA
> >
> > Not very readable is it ?
>
> Tried that on /var/lib/samba/sysvol. Yup, gobbledygook!

Just set them from Windows and ignore the Unix acls

Rowland
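Rowland's question (is the mapping for 'Administrators' ID_TYPE_BOTH, or only ID_TYPE_UID, in idmap.ldb?) can be answered by dumping the sidMap records and reading their 'type' attribute. The Python below is an added example for this thread, not Samba's code and not Louis' script: it parses the LDIF that `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` prints (the usual DC location of idmap.ldb; adjust the path for your install) and reports, for a number seen in `ls -ln`, whether nsswitch can name it as a user, as a group, or both. The LDIF embedded here is constructed: the BUILTIN RIDs 544 and 549 are the well-known ones, the domain SID and xidNumbers are made up, and the 3000000 entry is deliberately typed ID_TYPE_GID to model the symptom Mark describes (group name resolves, file owner stays numeric). It is not a claim about what Mark's idmap.ldb contains.

```python
"""Check how a numeric ID from 'ls -ln' is typed in a Samba DC's idmap.ldb.

Added example for the sysvol thread; not Samba code. Input is the LDIF that
  ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'
prints. The records below are constructed: BUILTIN RIDs are the well-known
ones, the domain SID and the xidNumbers are invented for the example.
"""

SAMPLE_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_GID
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

# record 2
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549

# record 3
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1109
cn: S-1-5-21-1111111111-2222222222-3333333333-1109
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1109
type: ID_TYPE_UID
xidNumber: 3000038
distinguishedName: CN=S-1-5-21-1111111111-2222222222-3333333333-1109

# returned 3 records
# 3 entries
# 0 referrals
"""

# Well-known BUILTIN SIDs; everything else is reported as a domain SID.
WELL_KNOWN = {"S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-32-549": "BUILTIN\\Server Operators"}


def parse_ldif(text):
    """Minimal LDIF reader: '#' comments, blank-line record separators and
    leading-space continuation lines. Base64 ('::') values are not needed
    for idmap.ldb's sidMap records and are not handled."""
    records, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]  # folded line, append to previous value
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        records.append(current)
    return [r for r in records if "sidMap" in r.get("objectClass", [])]


def resolution(records, xid):
    """What nsswitch can do with a numeric ID, judged from its idmap.ldb type:
    ID_TYPE_BOTH names it as user and as group; ID_TYPE_UID / ID_TYPE_GID on
    one side only. Returns None if the number is not allocated at all."""
    for r in records:
        if r.get("xidNumber", [""])[0] == str(xid):
            t = r["type"][0]
            sid = r["objectSid"][0]
            return {"sid": sid,
                    "name": WELL_KNOWN.get(sid, "(domain SID)"),
                    "type": t,
                    "as_user": t in ("ID_TYPE_UID", "ID_TYPE_BOTH"),
                    "as_group": t in ("ID_TYPE_GID", "ID_TYPE_BOTH")}
    return None


def builtin_not_both(records):
    """BUILTIN group SIDs (S-1-5-32-*) whose mapping is not ID_TYPE_BOTH: these
    are the ones 'ls -l' and getfacl will name on one side only."""
    return [r["objectSid"][0] for r in records
            if r["objectSid"][0].startswith("S-1-5-32-")
            and r["type"][0] != "ID_TYPE_BOTH"]


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for xid in (3000000, 3000001, 3000038, 3000050):
        print(xid, resolution(recs, xid))
    print("BUILTIN mappings that are not ID_TYPE_BOTH:", builtin_not_both(recs))
```

On a live DC the black-box equivalent is `getent passwd 3000000` next to `getent group 3000000`: with an ID_TYPE_BOTH mapping both return a line, with a one-sided mapping only one of them does, which is exactly the 'ls -l' behaviour Mark describes (group named, owner numeric). If neither returns anything, the nsswitch glue Rowland mentions (libnss_winbind) is the thing to check before idmap.ldb.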
Mark,

See below.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark
> Foley via samba
> Sent: Thursday 14 June 2018 22:04
> To: samba at lists.samba.org
>.......

I see funny things here.
For example,

> drwxrwxr-x+ 34 10001 10000 4096 2018-06-10 22:51 mark/
> drwxrwx---+ 5 3000038 10000 4096 2015-09-03 07:39 doris/

The 2 things are, I see a UID from a RID backend setup and I see a UID from an AD backend.
10000 is the default for AD backend.
3000000 is the default for RID backend
Now this doesn't have to be wrong, I just noticed this.

> In the first list, users showing HPRS\username are domain
> users. Their UIDs are shown in the
> 2nd list. UIDs 3000038 and 3000050 are from my initial
> provisioning before you (Rowland) told
> me not to use that default range and rather use range
> 10000-10099 instead (12/1/2017 03:58AM,
> subject: "getent passwd does not show correct UID.GID"). I
> had to change the others in
> idmap.ldb. I have not yet changed doris and summitoh.
>
> Nevertheless, 'ls' does give names though I don't seem to
> have either libnss-winbind or
> libpam-winbind files on my AD/DC.
>
> .........
> Funny you should mention that. I was going to post the same
> thing, mine is:
>
> rwxrwxr--+ 3 root BUILTIN\administrators 4096 2014-09-03
> 00:46 sysvol/
>
> I thought it strange that it would list the 300000 groupname,
> but for files owned by 300000 it
> will only list the UID number, not the username.

Yes, this is what helps here and that's intended in my script.
Since you can't set a GID as UID in linux, you set the UID as number and don't use the name.
It works the same in the end, ( from the windows point of view )
Linux side, it only sees the numbers and that's ok.

> > > Note the ^^^ (+) in above line, then use getfacl to see all ACL's
> > > If you use chmod, you might destroy your very needed
> windows ACL's
> > >
> > > And i see with getfacl
>
> (sorry Rowland - I restored Louis' getfacl for comparison with mine)
>
> > > # file: var/lib/samba/sysvol/internal.domain.tld
> > > # owner: root
> > > # group: BUILTIN\134administrators
> > > user::rwx
> > > user:root:rwx
> > > user:3000000:rwx
> > > user:3000001:r-x
> > > user:3000002:rwx
> > > user:3000003:r-x
> > > group::rwx
> > > group:BUILTIN\134administrators:rwx
> > > group:BUILTIN\134server\040operators:r-x
> > > group:3000002:rwx
> > > group:3000003:r-x
> > > mask::rwx
> > > other::---
> > > default:user::rwx
> > > default:user:root:rwx
> > > default:user:3000000:rwx
> > > default:user:3000001:r-x
> > > default:user:3000002:rwx
> > > default:user:3000003:r-x
> > > default:group::---
> > > default:group:BUILTIN\134administrators:rwx
> > > default:group:BUILTIN\134server\040operators:r-x
> > > default:group:3000002:rwx
> > > default:group:3000003:r-x
> > > default:mask::rwx
> > > default:other::---
>
> My getfacl is:
>
> $ getfacl /var/lib/samba/sysvol
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000002:rwx
> user:3000003:rwx
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:NT\040AUTHORITY\134system:rwx
> group:NT\040AUTHORITY\134authenticated\040users:rwx
> mask::rwx
> other::r--
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000002:rwx
> default:user:3000003:rwx
> default:group::r-x
> default:group:BUILTIN\134administrators:rwx
> default:group:NT\040AUTHORITY\134system:rwx
> default:group:NT\040AUTHORITY\134authenticated\040users:rwx
> default:mask::rwx
> default:other::r-x
>
> Differences between Louis' facl and mine:
>
> I'm missing user 3000001.
>
> In group, I have:
>
> group:NT\040AUTHORITY\134system:rwx
> group:NT\040AUTHORITY\134authenticated\040users:rwx
>
> and am missing Louis':
> group:3000002:rwx
> group:3000003:r-x
>
> whereas Louis has:
> group:BUILTIN\134server\040operators:r-x
>
> For 'other' I have "other::r--" whereas Louis has "other::---"
>
> For default I am again missing user 3000001 and my 3000003 is
> rwx rather than Louis' r-x.
> My 'default-group' is "r-x", Louis' "---".
> Same group difference with 'default' as mentioned above with
> my 040AUTHORITY and Louis'
> 040operators.
> My "default:other::r-x", Louis' "default:other::---"
>
> Are my different settings bad?

Yes.
I'll explain a bit more here.

The numbers you see are for you and me not the same; if they are, then it's pure luck.
That is why I made the script.
The script looks up all SID/UID/GID and tries to match the names with it.
Your 3000002 may be my 3000001 or 3000003

So don't look too much at the UID numbers.

> > And Louis also uses 'acl_xattr:ignore system acls = yes',
>
> How do you know that? I don't see that listed in Louis' message?

Yes, that's because Rowland and I are some time here, we know one another's setup.
Now, yes, I use that, but if you set with the script, it works the same.
The script sets the rights as they are shown from a windows point of view,
but without the ignore system acls.

The main difference is in SYSTEM.

When are things going wrong with sysvol.
1) people use chmod.
2) people forget to set a correct ACL on the SYSVOL Share. ( the SHARE ACL )
3) then they change the rights from CLI.

The order MUST be.
1) Set the base rights on linux.
2) set the share rights from within windows.
3) set the folder rights from within windows.
4) NEVER chmod again from CLI.

If that did not help.
Then add : the ignore system acl to the sysvol share.

Now from above order howto setup.
If you have done 1,2,3 and then you change 2, then you also must check 3 again.

If you add the ignore system acl to the sysvol share.
Then redo steps 2 and 3.
And remember step 4.

> > > this means that you can ignore the system ACL and what
> getfacl produces.
> > >
> > > The permissions you set from windows is actually stored in in
> > > 'security.NTACL'
> > >
> > > To see the contents of this attr:
> > >
> > > getfattr -n security.NTACL /home/testdata
> > > getfattr: Removing leading '/' from absolute path names
> > > # file: home/testdata
> > > security.NTACL=0sAwA [deleted] KCAAA
> > >
> > > Not very readable is it ?
>
> Tried that on /var/lib/samba/sysvol. Yup, gobbledygook!
>
> > > > Id you dont get you id's
> > > > Try adding Domain and Local-Realms to : /etc/idmapd.conf
> > > >
> > >
> > > Don't understand the above, what has an NFS conf file got do with
> > > Samba ?
> > >
> > > Rowland
>
> I'll not mess with this yet.
>
> --Mark

Yes, something you really get logs and I throw in everything. I'll watch out for that next time.

Greetz,

Louis
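Mark compares the two getfacl dumps by hand earlier in the thread, and both Rowland ("different DC's get different ID's") and Louis ("your 3000002 may be my 3000001") make the point that the bare numbers are not comparable between machines. The Python below is an added example for this thread, not Louis' script and not Samba code: it parses getfacl output, undoes getfacl's octal escapes (\134 is a backslash, \040 a space), diffs two dumps entry by entry, and lists every principal that is still a bare number, which is the sign that nsswitch could not resolve it (a mapping problem, not necessarily an ACL problem). The two dumps embedded here are the access entries of Louis' and Mark's listings as posted in the thread, with the default: entries left out to keep the sample short.

```python
"""Diff two getfacl(1) dumps and flag principals that never resolved to a name.

Added example for the sysvol thread; not Louis' script and not Samba code.
Input is the text getfacl prints, as pasted in the thread.
"""
import re

# Access entries of the two listings posted in the thread (default: entries
# dropped to keep the sample short). Raw strings keep getfacl's octal
# escapes (\134 = backslash, \040 = space) exactly as printed.
LOUIS_ACL = r"""
# file: var/lib/samba/sysvol/internal.domain.tld
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
"""

MARK_ACL = r"""
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000002:rwx
user:3000003:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:rwx
mask::rwx
other::r--
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape(name):
    """Undo getfacl's octal escapes so names compare as the OS sees them."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Map (is_default, tag, qualifier) -> perms for one getfacl dump."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or '# file/owner/group' header
        parts = line.split(":")
        is_default = parts[0] == "default"
        if is_default:
            parts = parts[1:]
        tag, perms = parts[0], parts[-1]
        # qualifier is '' for user::, group::, mask:: and other::
        qualifier = unescape(":".join(parts[1:-1]))
        acl[(is_default, tag, qualifier)] = perms
    return acl


def unresolved_ids(acl):
    """Named entries that are still bare numbers: nsswitch could not map them."""
    return sorted({q for (_, tag, q) in acl
                   if tag in ("user", "group") and q.isdigit()})


def diff_acls(a, b):
    """Entries only in a, only in b, and entries in both whose perms differ."""
    return {
        "only_in_a": sorted(k for k in a if k not in b),
        "only_in_b": sorted(k for k in b if k not in a),
        "changed": sorted((k, a[k], b[k]) for k in a if k in b and a[k] != b[k]),
    }


def entry_name(key):
    is_default, tag, qualifier = key
    return ("default:" if is_default else "") + tag + ":" + qualifier


def report(text_a, text_b, label_a="A", label_b="B"):
    """Human-readable comparison; returns the lines rather than printing them."""
    a, b = parse_getfacl(text_a), parse_getfacl(text_b)
    d = diff_acls(a, b)
    lines = [f"only in {label_a}: " + ", ".join(entry_name(k) for k in d["only_in_a"]),
             f"only in {label_b}: " + ", ".join(entry_name(k) for k in d["only_in_b"])]
    lines += [f"{entry_name(k)}: {pa} -> {pb}" for k, pa, pb in d["changed"]]
    lines += [f"unresolved in {label_a}: {unresolved_ids(a)}",
              f"unresolved in {label_b}: {unresolved_ids(b)}"]
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOUIS_ACL, MARK_ACL, "Louis", "Mark")))
```

Run against the two dumps it reproduces Mark's hand-made list (user 3000001 and the server operators / 3000002 / 3000003 group entries only on Louis' side, the two NT AUTHORITY groups only on Mark's, user 3000003 and other:: differing) and, separately, that every 30000xx entry on both sides is unresolved. Only the second list says something about a machine on its own; the first is, as Rowland and Louis say, mostly a difference in which IDs each DC handed out.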
On Fri, 15 Jun 2018 12:24:21 +0200 L.P.H. van Belle wrote:

> Mark,
>
> See below.
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark
> > Foley via samba
> > Sent: Thursday 14 June 2018 22:04
> > To: samba at lists.samba.org
> >.......
>
> I see funny things here.
> For example,
> > drwxrwxr-x+ 34 10001 10000 4096 2018-06-10 22:51 mark/
> > drwxrwx---+ 5 3000038 10000 4096 2015-09-03 07:39 doris/
>
> The 2 things are, i see a UID from a RID backend setup and i see an UID from an AD backend.
> 10000 is the default for AD backend.
> 3000000 is the default for RID backend
> Now this dont have to be wrong, i just nodited this.

This is a long story sorted out a few years ago for me by Rowland. The initial provision for samba 4.1 defaulted to creating UIDs in the range 30000xx (msSFU30MaxUidNumber). When I went to create domain member workstations for these users, that range gave me problems. I forget exactly why without looking up the thread in this list. Rowland advised me to change the range and that info was incorporated into https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member (see block bordered in amber). So, I've been gradually changing users' UID/GID when I've had occasion to do something with them such as move them to Linux domain member workstations or whatever. In this case, I simply haven't gotten around to changing doris yet.

[deleted]

> > Nevertheless, 'ls' does give names ...
> >
> > .........
> > Funny you should mention that. I was going to post the same
> > thing, mine is:
> >
> > rwxrwxr--+ 3 root BUILTIN\administrators 4096 2014-09-03
> > 00:46 sysvol/
> >
> > I thought it strange that it would list the 300000 groupname,
> > but for files owned by 300000 it
> > will only list the UID number, not the username.
>
> Yes, this is what helps here and thats intended in my script.
> Since you cant set an GID as UID in linux, you set the UID as number and dont use the name.
> It works the same in the end, ( from the windows point of view )
> Linux side, it only sees the numbers and thats ok.
>
> > > > Note the ^^^ (+) in above line, then use getfacl to see all ACL's
> > > > If you use chmod, you might destroy your very needed
> > windows ACL's
> > > >
> > > > And i see with getfacl
> >
> > (sorry Rowland - I restored Louis' getfacl for comparison with mine)
> >
> > > > # file: var/lib/samba/sysvol/internal.domain.tld
> > > > # owner: root
> > > > # group: BUILTIN\134administrators
> > > > user::rwx
> > > > user:root:rwx
> > > > user:3000000:rwx
> > > > user:3000001:r-x
> > > > user:3000002:rwx
> > > > user:3000003:r-x
> > > > group::rwx
> > > > group:BUILTIN\134administrators:rwx
> > > > group:BUILTIN\134server\040operators:r-x
> > > > group:3000002:rwx
> > > > group:3000003:r-x
> > > > mask::rwx
> > > > other::---
> > > > default:user::rwx
> > > > default:user:root:rwx
> > > > default:user:3000000:rwx
> > > > default:user:3000001:r-x
> > > > default:user:3000002:rwx
> > > > default:user:3000003:r-x
> > > > default:group::---
> > > > default:group:BUILTIN\134administrators:rwx
> > > > default:group:BUILTIN\134server\040operators:r-x
> > > > default:group:3000002:rwx
> > > > default:group:3000003:r-x
> > > > default:mask::rwx
> > > > default:other::---
> >
> > My getfacl is:
> >
> > $ getfacl /var/lib/samba/sysvol
> > getfacl: Removing leading '/' from absolute path names
> > # file: var/lib/samba/sysvol
> > # owner: root
> > # group: BUILTIN\134administrators
> > user::rwx
> > user:root:rwx
> > user:3000000:rwx
> > user:3000002:rwx
> > user:3000003:rwx
> > group::rwx
> > group:BUILTIN\134administrators:rwx
> > group:NT\040AUTHORITY\134system:rwx
> > group:NT\040AUTHORITY\134authenticated\040users:rwx
> > mask::rwx
> > other::r--
> > default:user::rwx
> > default:user:root:rwx
> > default:user:3000000:rwx
> > default:user:3000002:rwx
> > default:user:3000003:rwx
> > default:group::r-x
> > default:group:BUILTIN\134administrators:rwx
> > default:group:NT\040AUTHORITY\134system:rwx
> > default:group:NT\040AUTHORITY\134authenticated\040users:rwx
> > default:mask::rwx
> > default:other::r-x
> >
> > Differences between Louis' facl and mine:
> >
> > I'm missing user 3000001.
> >
> > In group, I have:
> >
> > group:NT\040AUTHORITY\134system:rwx
> > group:NT\040AUTHORITY\134authenticated\040users:rwx
> >
> > and am missing Louis':
> > group:3000002:rwx
> > group:3000003:r-x
> >
> > whereas Louis has:
> > group:BUILTIN\134server\040operators:r-x
> >
> > For 'other' I have "other::r--" whereas Louis has "other::---"
> >
> > For default I am again missing user 3000001 and my 3000003 is
> > rwx rather than Louis' r-x.
> > My 'default-group' is "r-x", Louis' "---".
> > Same group difference with 'default' as mentioned above with
> > my 040AUTHORITY and Louis'
> > 040operators.
> > My "default:other::r-x", Louis' "default:other::---"
> >
> > Are my different settings bad?
> Yes.
> I'll explain a bit more here.
>
> The numbers you see, are for you and me not the same, if it is, then its pure luck.
> That is why i made the script.
> The script looks up all SID/UID/GID and try to match the names with it.
> Your 3000002 may be mine 3000001 or 3000003
>
> So dont look to much at the UID numbers.
>
> > > And Louis also uses 'acl_xattr:ignore system acls = yes',
> >
> > How do you know that? I don't see that listed in Louis' message?
> Yes, that because Rowland and im are some time here, we know once setup.
> Now, yes, i use that, but if you set with the script, it works the same.
> The script sets the rights as they are shown from a windows point of view,
> But without the ignore system acls.
>
> The main difference is in SYSTEM.
>
> When are things going wrong with sysvol.
> 1) people use chmod.
> 2) people forget to set a correct ACL on the SYSVOL Share. ( the SHARE ACL )
> 3) then they change the rights from CLI.
>
> The order MUST be.
> 1) Set the base right on linux.
> 2) set the share rights from within windows.
> 3) set the folder rights from within windows.
> 4) NEVER chmod again from CLI.
>
> If that did not help.
> Then add : the ignore system acl to the sysvol share.
>
> Now from above order howto setup.
> If you done 1,2,3 and then you change 2, then you also much check 3 again.
>
> If you add the ignore system acl to the sysvol share.
> The redo set 2 and 3.
> And remember setup 4.

I have never manually set the permissions on these folders in linux. I did do step 2 from the previous message where you showed me how to do share permissions. I've just now redone step 3 according to your previous message:

Set your sysvol FOLDER permissions as followed.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL

[stuff on securityNTACL deleted, for now ]

I've restarted Samba and I will additionally follow up on your suggestions in the "Fixing sysvol permissions" thread and post results.

--Mark