I followed this guide: the user who gives permission to the network share is without problems, but at the file system level I do not understand the user using the acl. What should I do?

On 24/01/2019 18:32, Rowland Penny via samba wrote:
> On Thu, 24 Jan 2019 18:19:45 +0100
> marco pirola via samba <samba at lists.samba.org> wrote:
>
>> This is my smb.conf of the domain member
>>
>> # Global parameters
>> [global]
>> security = ADS
>> workgroup = ROBINOOD
>> realm = ROBINOOD.TST
>> #dns forwarder = 192.168.1.6
>> log file = /var/log/samba/%m.log
>> log level = 1
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>> # Default ID mapping configuration for local BUILTIN accounts
>> # and groups on a domain member. The default (*) domain:
>> # - must not overlap with any domain ID mapping configuration!
>> # - must use a read-write-enabled back end, such as tdb.
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> # - You must set a DOMAIN backend configuration
>> # idmap config for the SAMDOM domain
>> idmap config ROBINOOD : backend = rid
>> idmap config ROBINOOD : range = 10000-999999
>> winbind use default domain = yes
>>
>> [repository]
>> path = /home/samba/
>> read only = no
>>
>> On 24/01/2019 18:17, Rowland Penny via samba wrote:
>>> On Thu, 24 Jan 2019 18:07:19 +0100
>>> marco pirola via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hello everyone, I have this problem: I have a machine (Debian 9)
>>>> that is a domain member. The partition where I create the
>>>> shares supports acl. On a machine where Windows 10 Professional is
>>>> installed, with RSAT installed, if I try to give a user
>>>> permission to any known share, then by logging on the domain member
>>>> machine the user does not appear in the acl of the share. What
>>>> should I do?
>>>>
>>> Please post your smb.conf from the Debian 9 machine.
>>>
>>> Rowland
>>>
> Have you tried reading this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland
>
On Thu, 24 Jan 2019 20:07:35 +0100
marco pirola <mapirola81 at gmail.com> wrote:

> I followed this guide: the user who gives permission to the network
> share is without problems but at the file system level I do not
> understand the user using the acl. What should I do?
>

I am not quite sure what you are trying to say :-(

I think it is this:
If you use 'Administrator' it works.
If you use another user it doesn't.

Is this correct ?

If it is, is the user a member of Domain Admins ?
Have you given Domain Admins the required privilege as shown on the wiki page ?

Rowland
On Sun, 27 Jan 2019 13:07:06 +0100
marco pirola <mapirola81 at gmail.com> wrote:

> Doesn't work if I used Administrator and another user. Can I
> resolve this problem? I used the acl?
>

I think I understand what is going on and it clearly shows why giving 'Administrator' a Unix ID is a bad idea ;-)

If you run:

getent passwd administrator

You will get something like this:

administrator:*:10500:10513::/home/administrator:/bin/bash

This clearly shows that 'Administrator' has the ID '10500', which means it is a normal Unix user and can only do what a normal Unix user can, which isn't much ;-)

NOTE: this will only happen on a Samba AD DC or a Samba Unix domain member using the winbind 'rid' backend.

You need to make 'Administrator' (from Samba's perspective) be able to do things on Unix without asking for a password. There is only one user that can do that: 'root'

To do this, you need to add something to the 'global' section of your Unix domain member's smb.conf file:

username map = /etc/samba/user.map

Create /etc/samba/user.map with this content:

!root = ROBINOOD\Administrator

Restart Samba and try again from Windows 10

Rowland
On Mon, 28 Jan 2019 19:43:55 +0100
Marco Pirola <mapirola81 at gmail.com> wrote:

> Unfortunately, the result does not change
>

Then I am lost, I followed the wiki page (to ensure it still worked) and, from a Windows 10 Pro domain member, it worked for me:

getfacl /srv/samba/Demo/
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/Demo/
# owner: root
# group: domain_admins
user::rwx
user:root:rwx
user:10512:rwx
user:10513:rwx
group::rwx
group:domain_admins:rwx
group:domain_users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:10513:rwx
default:group::r-x
default:group:domain_admins:r-x
default:group:domain_users:rwx
default:mask::rwx
default:other::r-x

All I can suggest is that you double check everything.

Rowland
On Tue, 29 Jan 2019 06:59:45 +0100
Marco Pirola <mapirola81 at gmail.com> wrote:

> This is the content of my smb.conf. Can you check if something is
> missing? Otherwise I do not know how to behave anymore. Thanks and
> have a good day.

The only problem I can see is this line:

valid user = +"domain users"

You shouldn't set this line if using Windows ACLs

Can we try checking a few things (I know you might have already posted them, but let's get them in one place), please add them to the post, do not attach them.

OS
/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
/etc/nsswitch.conf

Is a firewall running ?
Is selinux/apparmor running ?
What is the AD DC ?
What Windows computer are you connecting from ?

Rowland
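As an added example (not part of this thread and not Samba's own code), here is a small Python checker for the points Rowland raises above: the missing 'username map' on a rid-backend domain member (27 Jan message) and the 'valid users' line that should not be set when access is managed with Windows ACLs (29 Jan message). The sample smb.conf is constructed from the one posted earlier in the thread; the flagged line is spelled with the parameter's real name, 'valid users', rather than the 'valid user' quoted above.

```python
import re
# Constructed smb.conf modelled on the one posted in this thread, plus the
# 'valid users' line Rowland flagged on the share (an assumption).
SAMPLE_SMB_CONF = """
[global]
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config ROBINOOD : backend = rid
idmap config ROBINOOD : range = 10000-999999
[repository]
path = /home/samba/
valid users = +"domain users"
"""

def parse_smb_conf(text):  # -> {section: {key: value}}, keys lower-cased
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def check_windows_acl_setup(conf):  # returns findings; [] means config passes
    g, findings = conf.get("global", {}), []
    for key, want in (("vfs objects", "acl_xattr"), ("map acl inherit", "yes"),
                      ("store dos attributes", "yes")):
        if want not in g.get(key, "").lower().split():
            findings.append(f"global: '{key}' should include '{want}'")
    if "username map" not in g:  # without it Administrator is an ordinary Unix user
        findings.append("global: add 'username map' mapping Administrator to root")
    ranges = {m.group(1): tuple(int(x) for x in v.split("-"))
              for k, v in g.items() if (m := re.fullmatch(r"idmap config (\S+) : range", k))}
    names = sorted(ranges)  # the '*' idmap range must not overlap the domain's range
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"global: idmap ranges for '{a}' and '{b}' overlap")
    for name, share in conf.items():
        if name != "global" and "valid users" in share:
            findings.append(f"[{name}]: drop 'valid users'; use Windows ACLs instead")
    return findings
```

Run it as `print(check_windows_acl_setup(parse_smb_conf(open("/etc/samba/smb.conf").read())))` on a real member server to get the same two findings the thread arrives at by hand.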
This is my selinux conf.

# Authors: Jason Tang <jtang at tresys.com>
#
# Copyright (C) 2004-2005 Tresys Technology, LLC
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# Specify how libsemanage will interact with a SELinux policy manager.
# The four options are:
#
# "source" - libsemanage manipulates a source SELinux policy
# "direct" - libsemanage will write directly to a module store.
# /foo/bar - Write by way of a policy management server, whose
#            named socket is at /foo/bar. The path must begin
#            with a '/'.
# foo.com:4242 - Establish a TCP connection to a remote policy
#                management server at foo.com. If there is a colon
#                then the remainder is interpreted as a port number;
#                otherwise default to port 4242.
module-store = direct

# When generating the final linked and expanded policy, by default
# semanage will set the policy version to POLICYDB_VERSION_MAX, as
# given in <sepol/policydb.h>. Change this setting if a different
# version is necessary.
#policy-version = 19

# expand-check check neverallow rules when executing all semanage commands.
# Large penalty in time if you turn this on.
expand-check=0

# By default, semanage will generate policies for the SELinux target.
# To build policies for Xen, uncomment the following line.
#target-platform = xen

The other files are ok, otherwise I would not be able to join the machine or to do the query via nslookup of the DC machine 192.168.1.5

On 29/01/2019 10:05, Rowland Penny via samba wrote:
> On Tue, 29 Jan 2019 06:59:45 +0100
> Marco Pirola <mapirola81 at gmail.com> wrote:
>
>> This is the content of my smb.conf. Can you check if something is
>> missing? Otherwise I do not know how to behave anymore. Thanks and
>> have a good day.
> The only problem I can see is this line:
>
> valid user = +"domain users"
>
> You shouldn't set this line if using Windows ACLs
>
> Can we try checking a few things (I know you might have already posted
> them, but let's get them in one place), please add them to the post, do
> not attach them.
>
> OS
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/krb5.conf
> /etc/nsswitch.conf
>
> Is a firewall running ?
> Is selinux/apparmor running ?
> What is the AD DC ?
> What Windows computer are you connecting from ?
>
> Rowland
>
In addition to Rowland's answer.

About:

[samba]
path = /samba/

What are the rights on /samba/ ?
My guess here, the rights on /samba do not allow you to set rights on that and subfolders.

I also suggest, if you share a folder, share a subfolder in /samba/share1
Makes it more easy to manage your ACL.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Pirola via samba
> Sent: Tuesday 29 January 2019 11:26
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] error witch rsat
>
> This is my selinux conf.
>
> [the semanage.conf listing and the quoted reply from Rowland Penny, as in the message above]
>