barani tharan
2018-Nov-28 08:36 UTC
[Samba] Fw: AD users are not shown in Domain Controller when applying setfacl command
Dear Team,

I show below my problem when I try to apply setfacl to a share directory on the domain controller.

My problem is: I have one Samba AD [4.1]; it works fine. I created a common share folder on the domain controller. When I try to apply ACL permissions it shows the following message:

[root at sambadc ~]# setfacl -m "u:RISHI\Administrator:rwx" /ADD_Drive/Sample
setfacl: Option -m: Invalid argument near character 3

After that I tried to find the user's id:

[root at sambadc ~]# id RISHI\\administrator
id: RISHI\administrator: no such user

But when I try the command below it shows the users:

[root at sambadc ~]# samba-tool user list
AvijitGhosh
RanjitRaman
TeernaChatterjee
AnkitJaiswal
Priyaranjan
DeepJoy
NirajKishorSingh
RajKumarMaurya
Test
HimanshuSinghi
SoumyaKanjilal
AshishJaiswal
PoushaliSengupta
BanditaRoy
RohitAgarwal
TuhinSaha
Subramaniam

My Samba file smb.conf:

[root at sambadc ~]# vi /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = RISHI
        realm = RISHI.COM
        netbios name = SAMBADC
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/rishi.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[Rishinox]                              ----> This is my share name
        path = /ADD_Drive/Rishinox_Share    ---> ADD_Drive is a directory where I mounted a 1 TB hard disk; I show the fstab config file below
        read only = no
        inherit acls = yes
        browseable = yes
        valid users = +rishi\"Domain Users"

# vi /etc/fstab
#
# /etc/fstab
# Created by anaconda on Thu Oct 26 20:59:06 2017
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=855b2556-69c5-40d5-8c1e-7686791de4e8 /     ext4 defaults 1 1
UUID=76398c37-3212-4092-b8d4-cf2a807ac07d /home ext4 defaults 1 2
UUID=600ec943-139e-4bf2-9d70-51ce2bfaeeab swap  swap defaults 0 0
/dev/disk/by-uuid/1ff91bed-d951-4712-8812-c6bb5760b565 /LVM auto nosuid,nodev,nofail,x-gvfs-show 0 0
#Mount External Drive to ADD_Drive
/dev/sdb /ADD_Drive ext4 defaults,acl 0 0

At the same time, when I try ACL permissions on the domain member server they can be applied, and it shows the user id:

[root at backupserver ~]# id RISHI\\administrator
uid=16777216(administrator) gid=16777220(domain users) groups=16777220(domain users),16777221(group policy creator owners),16777222(denied rodc password replication group),16777223(enterprise admins),16777224(schema admins),16777225(domain admins),16777217(BUILTIN\users),16777216(BUILTIN\administrators)

Please solve my issue.

Thanks & Regards
Baranitharan
Rowland Penny
2018-Nov-28 09:15 UTC
[Samba] Fw: AD users are not shown in Domain Controller when applying setfacl command
On Wed, 28 Nov 2018 08:36:47 +0000 (UTC)
barani tharan via samba <samba at lists.samba.org> wrote:

> Dear Team I show below my problem when try to apply setfacl to share
> directory in domain controller
>
> My Problem is:
> I have one Samba AD [4.1] it work fine. I create common share folder

Samba 4.1.x is EOL, you really should upgrade.

> in domain controller when try to apply ACL permission it show the
> following message
> [root at sambadc ~]# setfacl -m "u:RISHI\Administrator:rwx" /ADD_Drive/Sample
> setfacl: Option -m: Invalid argument near character 3
> After that i try to find usres id
>
> [root at sambadc ~]# id RISHI\\administrator
> id: RISHI\administrator: no such user
> But when i try the below command it shows the users
> [root at sambadc ~]# samba-tool user list
>
> AvijitGhosh
> RanjitRaman
> TeernaChatterjee
> AnkitJaiswal
> Priyaranjan
> DeepJoy
> NirajKishorSingh
> RajKumarMaurya
> Test
> HimanshuSinghi
> SoumyaKanjilal
> AshishJaiswal
> PoushaliSengupta
> BanditaRoy
> RohitAgarwal
> TuhinSaha
> Subramaniam

'samba-tool user list' works in the same way as 'wbinfo -u', it goes
direct to AD.
If getent doesn't work, it is usually because the libnss-winbind links
are not set up, see here:
https://wiki.samba.org/index.php/Libnss_winbind_Links

> My Samba file smb.conf
>
> [root at sambadc ~]# vi /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
> workgroup = RISHI
> realm = RISHI.COM
> netbios name = SAMBADC
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/rishi.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [Rishinox]
> path = /ADD_Drive/Rishinox_Share
> read only = no

Make the share look like the above and then read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

You must use Windows ACLs on a share on a DC.

> At Same time try ACL permission in Domain member server it can be
> apply and show the user Id
>
> [root at backupserver ~]# id RISHI\\administrator
> uid=16777216(administrator) gid=16777220(domain users)
> groups=16777220(domain users),16777221(group policy creator
> owners),16777222(denied rodc password replication
> group),16777223(enterprise admins),16777224(schema
> admins),16777225(domain
> admins),16777217(BUILTIN\users),16777216(BUILTIN\administrators)

It looks like you are using sssd, if so, can I suggest you use winbind
instead, see here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
barani tharan
2018-Nov-30 06:16 UTC
[Samba] Fw: AD users are not shown in Domain Controller when applying setfacl command
Dear Rowland Penny,

I followed the steps you mentioned; still I am facing the same problem.

I have 1 Domain Controller [sambadc] and 1 Domain Member for the Samba share and backup [backupserver].

1. When I try to view the ACL rights on the backup server I am able to view the domain user name:

[root at backupserver Rishinox]# getfacl /ADHDD/Rishinox/
getfacl: Removing leading '/' from absolute path names
# file: ADHDD/Rishinox/
# owner: administrator
# group: domain\040users
user::rwx
user:administrator:rwx          #effective:r-x
group::rwx                      #effective:r-x
group:domain\040users:r-x
group:domain\040admins:rwx      #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:administrator:rwx
default:group::rwx
default:group:domain\040users:r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x

2. My smb.conf file on the backup server:

[root at backupserver Rishinox]# vi /etc/samba/smb.conf
[global]
#--authconfig--start-line--
# Generated by authconfig on 2017/10/27 10:57:19
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
        workgroup = RISHI
        password server = sambadc.rishi.com
        realm = RISHI.COM
        security = ads
        idmap config * : range = 16777216-33554431
        template shell = /bin/bash
        kerberos method = secrets only
        winbind use default domain = yes
        winbind offline logon = true
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
#--authconfig--end-line--
;       workgroup = SAMBA
;       security = user
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[Rishinox]                      ---> This is my Samba share
        path = /ADHDD/Rishinox
        read only = no
        inherit acls = yes
        browseable = yes
        valid users = +rishi\"Domain Users"
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

3. I am able to view the domain user id on backupserver:

[root at backupserver Rishinox]# id RISHI\\administrator
uid=16777216(administrator) gid=16777220(domain users) groups=16777220(domain users),16777221(group policy creator owners),16777222(denied rodc password replication group),16777223(enterprise admins),16777224(schema admins),16777225(domain admins),16777217(BUILTIN\users),16777216(BUILTIN\administrators)

4. When I try to check the domain user id, set the ACL and change the owner of a file, I get the following errors on the Domain Controller:

[root at sambadc Rishinox_Share]# chown root:"Domain Admins" /ADD_Drive/Rishinox_Share/COMMON/
chown: invalid group: ‘root:Domain Admins’
[root at sambadc Rishinox_Share]# setfacl -m "u:RISHI\Administrator:rwx" /ADD_Drive/Rishinox_Share/
setfacl: Option -m: Invalid argument near character 3
[root at sambadc Rishinox_Share]# id RISHI\\administrator
id: RISHI\administrator: no such user

5. When I try to view the ACL rights I get the following; it does not show the domain user name, it shows the user id?

[root at sambadc Rishinox_Share]# getfacl /ADD_Drive/Rishinox_Share/
getfacl: Removing leading '/' from absolute path names
# file: ADD_Drive/Rishinox_Share/
# owner: 16777216
# group: 16777220
user::rwx
user:root:rwx                   #effective:r-x
group::---
group:root:---
group:users:r-x
group:3000000:rwx               #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::r-x
default:group:root:r-x
default:group:users:r-x
default:group:3000000:rwx
default:mask::rwx
default:other::---

6. My smb.conf file for the Domain Controller:

[root at sambadc Rishinox_Share]# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = RISHI
        realm = RISHI.COM
        netbios name = SAMBADC
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/rishi.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[Rishinox]
        path = /ADD_Drive/Rishinox_Share
        read only = no

7. I have already checked the libs file link and the ACL setup on the Domain Controller:

# smbd -b | grep HAVE_LIBACL
   HAVE_LIBACL
[root at sambadc Rishinox_Share]# net rpc rights list privileges SeDiskOperatorPrivilege -U "RISHI\administrator"
[root at sambadc Rishinox_Share]# net rpc rights grant "RISHI\Domain Admins" SeDiskOperatorPrivilege -U "RISHI\administrator"
[root at sambadc Rishinox_Share]# ls -ll /lib64
lrwxrwxrwx. 1 root root 9 Oct 26  2017 /lib64 -> usr/lib64
[root at sambadc Rishinox_Share]# ls -ll /lib64/libnss_winbind.so
lrwxrwxrwx 1 root root 26 Nov 28 18:27 /lib64/libnss_winbind.so -> /lib64/libnss_winbind.so.2

I don't know what I have done wrong in the configuration.

Thanks & Regards
Baranitharan
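Added example, not code from the thread or from the Samba project: a POSIX sh pre-flight script for the situation Rowland's reply and item 7 above turn on. setfacl's "Invalid argument near character 3" on "u:RISHI\Administrator:rwx" points at the account name, which libacl could not turn into a uid through NSS, and chown's "invalid group" is the same failure for a group. A libnss_winbind.so.2 link in /lib64 is necessary but not sufficient: glibc only loads that module for the databases that name winbind in nsswitch.conf, and winbindd has to answer. The script checks those things in order, before anyone types setfacl or chown with a domain name. The nsswitch.conf path, the library directory, the account name and the resolver command are parameters (assumptions for the example) so the functions can be exercised against copies of the real files; on a real host the defaults are /etc/nsswitch.conf, /lib64 and getent.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. Pre-flight checks
# before running setfacl/chown with an AD account name on a Samba host.
# Every path and the resolver command are parameters (assumptions for the
# example) so the functions can be run against copies of the real files.

# 0 if both the passwd and group databases in the given nsswitch.conf list
# winbind as a source. Comments are stripped first, so a commented-out
# "# passwd: files winbind" does not count.
nss_has_winbind() {
    conf="$1"
    for db in passwd group; do
        sed 's/#.*//' "$conf" \
          | grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" \
          || return 1
    done
    return 0
}

# 0 if libnss_winbind.so.2 (the file glibc dlopens for a "winbind" source)
# exists in the given library directory. -e follows symlinks, so a
# dangling link made with ln -s fails this check.
winbind_nss_link_ok() {
    [ -e "$1/libnss_winbind.so.2" ]
}

# 0 if NSS returns a passwd entry for the account, which is what libacl
# needs to turn "u:NAME:rwx" into a uid. The resolver defaults to getent
# and can be swapped for a stub function when exercising the script offline.
resolve_account() {
    name="$1"
    resolver="${2:-getent}"
    "$resolver" passwd "$name" >/dev/null 2>&1
}

# Run the checks in order and stop at the first failure, printing a reason.
# printf rather than echo: some shells' echo would turn the "\a" in
# "RISHI\administrator" into a bell character.
preflight() {
    conf="${1:-/etc/nsswitch.conf}"
    libdir="${2:-/lib64}"
    name="${3:?account name required}"
    resolver="${4:-getent}"
    if ! nss_has_winbind "$conf"; then
        printf 'FAIL: winbind missing from passwd/group in %s\n' "$conf"
        return 1
    fi
    if ! winbind_nss_link_ok "$libdir"; then
        printf 'FAIL: %s/libnss_winbind.so.2 not found\n' "$libdir"
        return 1
    fi
    if ! resolve_account "$name" "$resolver"; then
        printf 'FAIL: NSS cannot resolve %s (is winbindd running?)\n' "$name"
        return 1
    fi
    printf 'OK: %s resolves; setfacl/chown can use this name\n' "$name"
}

# Real-host usage (uncomment to run; the share path is a placeholder):
# preflight /etc/nsswitch.conf /lib64 'RISHI\administrator' && \
#     setfacl -m 'u:RISHI\administrator:rwx' /path/to/share
```

The script only tells you whether the name will resolve; it does not change Rowland's point that on a DC the share's ACLs should be set from Windows rather than with setfacl. On the member server, where setfacl and chown with domain names are the normal way to seed a share's permissions, this is the check to run first.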