> >> Who are you logged into the Windows PC as ? > > I log in az A\Administrator. I created an admin user, put in Domain > > Admins group, but the result was the same (ok, it would be strange, if > > it would work with it, instead of Administrator) > Then you need to ensure that 'Domain Admins' has the same privilege as > 'A\Administrator'Ok, I granted the following privileges to Administrator, (and to Domain Admins too) : net rpc rights list "Administrator" -UAdministrator Enter Administrator's password: SeDiskOperatorPrivilege SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeSecurityPrivilege SeSystemtimePrivilege SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege SeEnableDelegationPrivilege But I still cannot change the permissions.
On 03/07/2019 07:51, Pisch Tam?s via samba wrote:>>>> Who are you logged into the Windows PC as ? >>> I log in az A\Administrator. I created an admin user, put in Domain >>> Admins group, but the result was the same (ok, it would be strange, if >>> it would work with it, instead of Administrator) >> Then you need to ensure that 'Domain Admins' has the same privilege as >> 'A\Administrator' > Ok, I granted the following privileges to Administrator, (and to > Domain Admins too) : > net rpc rights list "Administrator" -UAdministrator > Enter Administrator's password: > SeDiskOperatorPrivilege > SeMachineAccountPrivilege > SeTakeOwnershipPrivilege > SeBackupPrivilege > SeRestorePrivilege > SeRemoteShutdownPrivilege > SePrintOperatorPrivilege > SeAddUsersPrivilege > SeSecurityPrivilege > SeSystemtimePrivilege > SeShutdownPrivilege > SeDebugPrivilege > SeSystemEnvironmentPrivilege > SeSystemProfilePrivilege > SeProfileSingleProcessPrivilege > SeIncreaseBasePriorityPrivilege > SeLoadDriverPrivilege > SeCreatePagefilePrivilege > SeIncreaseQuotaPrivilege > SeChangeNotifyPrivilege > SeUndockPrivilege > SeManageVolumePrivilege > SeImpersonatePrivilege > SeCreateGlobalPrivilege > SeEnableDelegationPrivilege > But I still cannot change the permissions. >Is Apparmor running on the Samba computer ? Is a firewall getting in the way ? Is there anything in any of the logs, you may have to to turn up the log level. Can you go here: https://github.com/thctlo/samba4 Download this script: samba-collect-debug-info.sh Run it your Samba server and post the output here. Rowland
> >>>> Who are you logged into the Windows PC as ? > >>> I log in az A\Administrator. I created an admin user, put in Domain > >>> Admins group, but the result was the same (ok, it would be strange, if > >>> it would work with it, instead of Administrator) > >> Then you need to ensure that 'Domain Admins' has the same privilege as > >> 'A\Administrator' > > Ok, I granted the following privileges to Administrator, (and to > > Domain Admins too) : > > net rpc rights list "Administrator" -UAdministrator > > Enter Administrator's password: > > SeDiskOperatorPrivilege > > SeMachineAccountPrivilege > > SeTakeOwnershipPrivilege > > SeBackupPrivilege > > SeRestorePrivilege > > SeRemoteShutdownPrivilege > > SePrintOperatorPrivilege > > SeAddUsersPrivilege > > SeSecurityPrivilege > > SeSystemtimePrivilege > > SeShutdownPrivilege > > SeDebugPrivilege > > SeSystemEnvironmentPrivilege > > SeSystemProfilePrivilege > > SeProfileSingleProcessPrivilege > > SeIncreaseBasePriorityPrivilege > > SeLoadDriverPrivilege > > SeCreatePagefilePrivilege > > SeIncreaseQuotaPrivilege > > SeChangeNotifyPrivilege > > SeUndockPrivilege > > SeManageVolumePrivilege > > SeImpersonatePrivilege > > SeCreateGlobalPrivilege > > SeEnableDelegationPrivilege > > But I still cannot change the permissions. > > > Is Apparmor running on the Samba computer ?No.> Is a firewall getting in the way ?On the server, the iptable chains are empty.> Is there anything in any of the logs, you may have to to turn up the log > level.I tried: log level = 4 acls 10 But I didn't find anything interesting. What log level settings would you recommend?> Can you go here: https://github.com/thctlo/samba4 > Download this script: samba-collect-debug-info.sh > Run it your Samba server and post the output here.On the file serever: Collected config --- 2019-07-03-10:27 ----------- Hostname: srv DNS Domain: a.b.hu FQDN: srv.a.b.hu ipaddress: 10.0.3.15 192.168.0.8 ----------- Samba is running as a Unix domain member ----------- Checking file: /etc/os-release PRETTY_NAME="Debian GNU/Linux 10 (buster)" NAME="Debian GNU/Linux" VERSION_ID="10" VERSION="10 (buster)" VERSION_CODENAME=buster ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/" ----------- This computer is running Debian 10.0 x86_64 ----------- running command : ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 08:00:27:c9:09:60 brd ff:ff:ff:ff:ff:ff inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8 valid_lft 83319sec preferred_lft 83319sec inet6 fe80::a00:27ff:fec9:960/64 scope link 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 08:00:27:60:df:a1 brd ff:ff:ff:ff:ff:ff inet 192.168.0.8/24 brd 192.168.0.255 scope global enp0s3 inet6 fe80::a00:27ff:fe60:dfa1/64 scope link ----------- Checking file: /etc/hosts 127.0.0.1 localhost ##127.0.1.1 srv.a.b.hu srv 192.168.0.8 srv.a.b.hu srv # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters ----------- Checking file: /etc/resolv.conf #domain a.b.hu search a.b.hu tm.b.hu ##nameserver 10.0.3.3 nameserver 192.168.0.4 ----------- Checking file: /etc/krb5.conf [libdefaults] default_realm = A.B.HU dns_lookup_realm = false dns_lookup_kdc = true ----------- Checking file: /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. ##passwd: files systemd passwd: files winbind ##group: files systemd group: files winbind shadow: files gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis ----------- Checking file: /etc/samba/smb.conf [global] bind interfaces only = Yes dos charset = CP852 interfaces = lo enp0s3 log file = /var/log/samba/%m.log log level = 1 name resolve order = lmhosts host bcast realm = A.B.HU security = ADS template homedir = /home/users/%U template shell = /bin/bash unix charset = UTF8 username map = /etc/samba/user.map workgroup = A idmap config a : range = 10000-999999 idmap config a : backend = rid idmap config * : range = 3000-7999 idmap config * : backend = tdb admin users = admin create mask = 0770 csc policy = disable directory mask = 0770 map acl inherit = Yes store dos attributes = Yes vfs objects = acl_xattr [users] path = /home/users read only = No ... [wpkg] path = /home/samba/wpkg valid users = "@Domain Users" ----------- Running as Unix domain member and user.map detected. Contents of /etc/samba/user.map !root = A\Administrator !root = A\admin Server Role is set to : auto ----------- Installed packages: ii acl 2.2.53-4 amd64 access control list - utilities ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes ii krb5-config 2.6 all Configuration files for Kerberos Version 5 ii krb5-locales 1.17-2 all internationalization support for MIT Kerberos ii krb5-user 1.17-2 amd64 basic programs to authenticate using MIT Kerberos ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library ii libgssapi-krb5-2:amd64 1.17-2 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii libkrb5-3:amd64 1.17-2 amd64 MIT Kerberos runtime libraries ii libkrb5support0:amd64 1.17-2 amd64 MIT Kerberos runtime libraries - Support library ii libnss-winbind:amd64 2:4.9.5+dfsg-4 amd64 Samba nameservice integration plugins ii libwbclient0:amd64 2:4.9.5+dfsg-4 amd64 Samba winbind client library ii python-samba 2:4.9.5+dfsg-4 amd64 Python bindings for Samba ii samba 2:4.9.5+dfsg-4 amd64 SMB/CIFS file, print, and login server for Unix ii samba-common 2:4.9.5+dfsg-4 all common files used by both the Samba server and client ii samba-common-bin 2:4.9.5+dfsg-4 amd64 Samba common files used by both the server and the client ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-4 amd64 Samba Directory Services Database ii samba-libs:amd64 2:4.9.5+dfsg-4 amd64 Samba core libraries ii samba-vfs-modules:amd64 2:4.9.5+dfsg-4 amd64 Samba Virtual FileSystem plugins ii winbind 2:4.9.5+dfsg-4 amd64 service to resolve user and group information from Windows NT servers ----------- On dc1: Collected config --- 2019-07-03-10:46 ----------- Hostname: dc1 DNS Domain: a.b.hu FQDN: dc1.a.b.hu ipaddress: 10.0.3.15 192.168.0.4 ----------- Samba is running as an AD DC ----------- Checking file: /etc/os-release PRETTY_NAME="Debian GNU/Linux 10 (buster)" NAME="Debian GNU/Linux" VERSION_ID="10" VERSION="10 (buster)" VERSION_CODENAME=buster ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/" ----------- This computer is running Debian 10.0 x86_64 ----------- running command : ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 08:00:27:b1:35:eb brd ff:ff:ff:ff:ff:ff inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8 valid_lft 76592sec preferred_lft 76592sec inet6 fe80::a00:27ff:feb1:35eb/64 scope link 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 08:00:27:bf:f9:75 brd ff:ff:ff:ff:ff:ff inet 192.168.0.4/24 brd 192.168.0.255 scope global enp0s3 inet6 fe80::a00:27ff:febf:f975/64 scope link ----------- Checking file: /etc/hosts 127.0.0.1 localhost 127.0.1.1 dc1.a.b.hu dc1 192.168.0.4 dc1.a.b.hu dc1 # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters ----------- Checking file: /etc/resolv.conf #domain b.hu search a.b.hu tm.b.hu #nameserver 10.0.3.3 #nameserver 208.67.220.220 #nameserver 208.67.222.222 nameserver 192.168.0.4 ----------- Checking file: /etc/krb5.conf [libdefaults] default_realm = A.B.HU dns_lookup_realm = false dns_lookup_kdc = true ----------- Checking file: /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. #passwd: files systemd passwd: files winbind #group: files systemd group: files winbind shadow: files gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis ----------- Checking file: /etc/samba/smb.conf [global] bind interfaces only = Yes dns forwarder = 208.67.220.220 interfaces = lo enp0s3 logon home = \\srv\users\%U logon path = "" name resolve order = lmhosts host bcast netbios name = DC1 realm = A.B.HU server role = active directory domain controller time server = Yes username map = /etc/samba/user.map workgroup = A idmap_ldb:use rfc2307 = yes kernel oplocks = Yes [netlogon] path = /var/lib/samba/sysvol/a.b.hu/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ----------- You have a user.map set in your smb.conf This is not allowed because Samba is running as a DC ----------- BIND_DLZ not detected in smb.conf ----------- Installed packages: ii acl 2.2.53-4 amd64 access control list - utilities ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes ii krb5-config 2.6 all Configuration files for Kerberos Version 5 ii krb5-locales 1.17-3 all internationalization support for MIT Kerberos ii krb5-user 1.17-3 amd64 basic programs to authenticate using MIT Kerberos ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library ii libgssapi-krb5-2:amd64 1.17-3 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii libkrb5-3:amd64 1.17-3 amd64 MIT Kerberos runtime libraries ii libkrb5support0:amd64 1.17-3 amd64 MIT Kerberos runtime libraries - Support library ii libnss-winbind:amd64 2:4.9.5+dfsg-5 amd64 Samba nameservice integration plugins ii libsmbclient:amd64 2:4.9.5+dfsg-5 amd64 shared library for communication with SMB/CIFS servers ii libwbclient0:amd64 2:4.9.5+dfsg-5 amd64 Samba winbind client library ii python-samba 2:4.9.5+dfsg-5 amd64 Python bindings for Samba ii samba 2:4.9.5+dfsg-5 amd64 SMB/CIFS file, print, and login server for Unix ii samba-common 2:4.9.5+dfsg-5 all common files used by both the Samba server and client ii samba-common-bin 2:4.9.5+dfsg-5 amd64 Samba common files used by both the server and the client ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5 amd64 Samba Directory Services Database ii samba-libs:amd64 2:4.9.5+dfsg-5 amd64 Samba core libraries ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5 amd64 Samba Virtual FileSystem plugins ii smbclient 2:4.9.5+dfsg-5 amd64 command-line SMB/CIFS clients for Unix ii winbind 2:4.9.5+dfsg-5 amd64 service to resolve user and group information from Windows NT servers ----------- Your script says that user.map is not allowed on a dc, but I don't read it in the smb.conf manual.
On 03/07/2019 10:49, Pisch Tam?s via samba wrote:> Is there anything in any of the logs, you may have to to turn up the log > I tried: > log level = 4 acls 10 > But I didn't find anything interesting. What log level settings would > you recommend?Try raising it one number at time, but be aware you will get larger and larger logs.> On the file serever: > Collected config --- 2019-07-03-10:27 ----------- > > Hostname: srv > DNS Domain: a.b.hu > FQDN: srv.a.b.hu > ipaddress: 10.0.3.15 192.168.0.8 > ----------- > Samba is running as a Unix domain member > ----------- > > This computer is running Debian 10.0 x86_64 > ----------- > running command : ip a > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN > group default qlen 1000 > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > inet 127.0.0.1/8 scope host lo > inet6 ::1/128 scope host > 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast > state UP group default qlen 1000 > link/ether 08:00:27:c9:09:60 brd ff:ff:ff:ff:ff:ff > inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8 > valid_lft 83319sec preferred_lft 83319sec > inet6 fe80::a00:27ff:fec9:960/64 scope link > 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast > state UP group default qlen 1000 > link/ether 08:00:27:60:df:a1 brd ff:ff:ff:ff:ff:ff > inet 192.168.0.8/24 brd 192.168.0.255 scope global enp0s3 > inet6 fe80::a00:27ff:fe60:dfa1/64 scope link > ----------- > Checking file: /etc/hosts > 127.0.0.1 localhost > 192.168.0.8 srv.a.b.hu srv > # The following lines are desirable for IPv6 capable hosts > ::1 localhost ip6-localhost ip6-loopback > ff02::1 ip6-allnodes > ff02::2 ip6-allrouters > ----------- > Checking file: /etc/resolv.conf > search a.b.hu tm.b.hu > nameserver 192.168.0.4 > ----------- > > Checking file: /etc/samba/smb.conf > [global] > bind interfaces only = Yes > dos charset = CP852 > interfaces = lo enp0s3 > log file = /var/log/samba/%m.log > log level = 1 > name resolve order = lmhosts host bcast > realm = A.B.HU > security = ADS > template homedir = /home/users/%U > template shell = /bin/bash > unix charset = UTF8 > username map = /etc/samba/user.map > workgroup = A > idmap config a : range = 10000-999999 > idmap config a : backend = rid > idmap config * : range = 3000-7999 > idmap config * : backend = tdb > admin users = admin > create mask = 0770 > csc policy = disable > directory mask = 0770 > map acl inherit = Yes > store dos attributes = Yes > vfs objects = acl_xattr > > [users] > path = /home/users > read only = No > ... > > [wpkg] > path = /home/samba/wpkg > valid users = "@Domain Users"I wouldn't recommend using 'valid users' , but then I suppose this is what you are trying to fix> ----------- > Running as Unix domain member and user.map detected. > Contents of /etc/samba/user.map > !root = A\Administrator > !root = A\adminRemove the second line, I would recommend only mapping 'Administrator' to 'root'> On dc1: > Collected config --- 2019-07-03-10:46 ----------- > > Hostname: dc1 > DNS Domain: a.b.hu > FQDN: dc1.a.b.hu > ipaddress: 10.0.3.15 192.168.0.4 > ----------- > Samba is running as an AD DC > ----------- > > This computer is running Debian 10.0 x86_64 > ----------- > running command : ip a > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN > group default qlen 1000 > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > inet 127.0.0.1/8 scope host lo > inet6 ::1/128 scope host > 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast > state UP group default qlen 1000 > link/ether 08:00:27:b1:35:eb brd ff:ff:ff:ff:ff:ff > inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8 > valid_lft 76592sec preferred_lft 76592sec > inet6 fe80::a00:27ff:feb1:35eb/64 scope link > 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast > state UP group default qlen 1000 > link/ether 08:00:27:bf:f9:75 brd ff:ff:ff:ff:ff:ff > inet 192.168.0.4/24 brd 192.168.0.255 scope global enp0s3 > inet6 fe80::a00:27ff:febf:f975/64 scope link > ----------- > Checking file: /etc/hosts > 127.0.0.1 localhost > 127.0.1.1 dc1.a.b.hu dc1Remove the '127.0.1.1' line and what ever requires it.> 192.168.0.4 dc1.a.b.hu dc1 > # The following lines are desirable for IPv6 capable hosts > ::1 localhost ip6-localhost ip6-loopback > ff02::1 ip6-allnodes > ff02::2 ip6-allrouters > ----------- > Checking file: /etc/resolv.conf > #domain b.hu > search a.b.hu tm.b.huRemove the 'tm.b.hu'> #nameserver 10.0.3.3 > #nameserver 208.67.220.220 > #nameserver 208.67.222.222 > nameserver 192.168.0.4 > ----------- > > Checking file: /etc/samba/smb.conf > [global] > bind interfaces only = Yes > dns forwarder = 208.67.220.220 > interfaces = lo enp0s3The above line are okay> logon home = \\srv\users\%U > logon path = "" > name resolve order = lmhosts host bcastThe above are not.> netbios name = DC1 > realm = A.B.HU > server role = active directory domain controller > time server = YesAll DC's are time servers, just as long they are running an NTP server, it doesn't need setting in a DC smb.conf> username map = /etc/samba/user.mapNo, you do not use a user.map on a DC, Administrator is mapped in idmap.ldb> workgroup = A > idmap_ldb:use rfc2307 = yes > kernel oplocks = Yes > > [netlogon] > path = /var/lib/samba/sysvol/a.b.hu/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > ----------- > You have a user.map set in your smb.conf > This is not allowed because Samba is running as a DC > ----------- > BIND_DLZ not detected in smb.conf > > Your script says that user.map is not allowed on a dc, but I don't > read it in the smb.conf manual.Good point, but you do not use one a Samba AD DC, for the reason given above ;-) Try fixing the above problems. Rowland
L.P.H. van Belle
2019-Jul-03 11:34 UTC
[Samba] cannot set filesystem permissions on shares
Finaly, i was waiting for this one. ;-) Now after all changes Rowland suggested. Run this : getfacl /home/users Show the output. There are 5 things you need to think in. 1) The folder rights 2) The share rights 3) Posix or windows ACL's? ( use Windows ACL's my advice. ) 4) Dont forget the "Primary Group". 5) If you use chmod, you must re-apply the windows ACL again on share/security (file/folder) level. Thats why i suggest, something like this. : getfacl /home/users/ getfacl: Removing leading '/' from absolute path names # file: home/samba/ # owner: root # group: BUILTIN\134administrators user::rwx user:root:rwx group::rwx group:BUILTIN\134administrators:rwx group:BUILTIN\134server\040operators:r-x group:NT\040AUTHORITY\134system:rwx group:NT\040AUTHORITY\134authenticated\040users:r-x mask::rwx other::r-x default:user::rwx default:user:root:rwx default:group::--- default:group:BUILTIN\134administrators:rwx default:group:BUILTIN\134server\040operators:r-x default:group:NT\040AUTHORITY\134system:rwx default:group:NT\040AUTHORITY\134authenticated\040users:r-x default:mask::rwx default:other::--- There is more, but im called for a meeting ... So sofar, Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Rowland penny via samba > Verzonden: woensdag 3 juli 2019 13:21 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] cannot set filesystem permissions on shares > > On 03/07/2019 10:49, Pisch Tam?s via samba wrote: > > Is there anything in any of the logs, you may have to to > turn up the log > > I tried: > > log level = 4 acls 10 > > But I didn't find anything interesting. What log level > settings would > > you recommend? > Try raising it one number at time, but be aware you will get > larger and > larger logs. > > On the file serever: > > Collected config --- 2019-07-03-10:27 ----------- > > > > Hostname: srv > > DNS Domain: a.b.hu > > FQDN: srv.a.b.hu > > ipaddress: 10.0.3.15 192.168.0.8 > > ----------- > > Samba is running as a Unix domain member > > ----------- > > > > This computer is running Debian 10.0 x86_64 > > ----------- > > running command : ip a > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN > > group default qlen 1000 > > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > > inet 127.0.0.1/8 scope host lo > > inet6 ::1/128 scope host > > 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc > pfifo_fast > > state UP group default qlen 1000 > > link/ether 08:00:27:c9:09:60 brd ff:ff:ff:ff:ff:ff > > inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8 > > valid_lft 83319sec preferred_lft 83319sec > > inet6 fe80::a00:27ff:fec9:960/64 scope link > > 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc > pfifo_fast > > state UP group default qlen 1000 > > link/ether 08:00:27:60:df:a1 brd ff:ff:ff:ff:ff:ff > > inet 192.168.0.8/24 brd 192.168.0.255 scope global enp0s3 > > inet6 fe80::a00:27ff:fe60:dfa1/64 scope link > > ----------- > > Checking file: /etc/hosts > > 127.0.0.1 localhost > > 192.168.0.8 srv.a.b.hu srv > > # The following lines are desirable for IPv6 capable hosts > > ::1 localhost ip6-localhost ip6-loopback > > ff02::1 ip6-allnodes > > ff02::2 ip6-allrouters > > ----------- > > Checking file: /etc/resolv.conf > > search a.b.hu tm.b.hu > > nameserver 192.168.0.4 > > ----------- > > > > Checking file: /etc/samba/smb.conf > > [global] > > bind interfaces only = Yes > > dos charset = CP852 > > interfaces = lo enp0s3 > > log file = /var/log/samba/%m.log > > log level = 1 > > name resolve order = lmhosts host bcast > > realm = A.B.HU > > security = ADS > > template homedir = /home/users/%U > > template shell = /bin/bash > > unix charset = UTF8 > > username map = /etc/samba/user.map > > workgroup = A > > idmap config a : range = 10000-999999 > > idmap config a : backend = rid > > idmap config * : range = 3000-7999 > > idmap config * : backend = tdb > > admin users = admin > > create mask = 0770 > > csc policy = disable > > directory mask = 0770 > > map acl inherit = Yes > > store dos attributes = Yes > > vfs objects = acl_xattr > > > > [users] > > path = /home/users > > read only = No > > ... > > > > [wpkg] > > path = /home/samba/wpkg > > valid users = "@Domain Users" > I wouldn't recommend using 'valid users' , but then I suppose this is > what you are trying to fix > > ----------- > > Running as Unix domain member and user.map detected. > > Contents of /etc/samba/user.map > > !root = A\Administrator > > !root = A\admin > > Remove the second line, I would recommend only mapping > 'Administrator' > to 'root' > > > On dc1: > > Collected config --- 2019-07-03-10:46 ----------- > > > > Hostname: dc1 > > DNS Domain: a.b.hu > > FQDN: dc1.a.b.hu > > ipaddress: 10.0.3.15 192.168.0.4 > > ----------- > > Samba is running as an AD DC > > ----------- > > > > This computer is running Debian 10.0 x86_64 > > ----------- > > running command : ip a > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN > > group default qlen 1000 > > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > > inet 127.0.0.1/8 scope host lo > > inet6 ::1/128 scope host > > 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc > pfifo_fast > > state UP group default qlen 1000 > > link/ether 08:00:27:b1:35:eb brd ff:ff:ff:ff:ff:ff > > inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8 > > valid_lft 76592sec preferred_lft 76592sec > > inet6 fe80::a00:27ff:feb1:35eb/64 scope link > > 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc > pfifo_fast > > state UP group default qlen 1000 > > link/ether 08:00:27:bf:f9:75 brd ff:ff:ff:ff:ff:ff > > inet 192.168.0.4/24 brd 192.168.0.255 scope global enp0s3 > > inet6 fe80::a00:27ff:febf:f975/64 scope link > > ----------- > > Checking file: /etc/hosts > > 127.0.0.1 localhost > > 127.0.1.1 dc1.a.b.hu dc1 > Remove the '127.0.1.1' line and what ever requires it. > > 192.168.0.4 dc1.a.b.hu dc1 > > # The following lines are desirable for IPv6 capable hosts > > ::1 localhost ip6-localhost ip6-loopback > > ff02::1 ip6-allnodes > > ff02::2 ip6-allrouters > > ----------- > > Checking file: /etc/resolv.conf > > #domain b.hu > > search a.b.hu tm.b.hu > Remove the 'tm.b.hu' > > #nameserver 10.0.3.3 > > #nameserver 208.67.220.220 > > #nameserver 208.67.222.222 > > nameserver 192.168.0.4 > > ----------- > > > > Checking file: /etc/samba/smb.conf > > [global] > > bind interfaces only = Yes > > dns forwarder = 208.67.220.220 > > interfaces = lo enp0s3 > The above line are okay > > logon home = \\srv\users\%U > > logon path = "" > > name resolve order = lmhosts host bcast > The above are not. > > netbios name = DC1 > > realm = A.B.HU > > server role = active directory domain controller > > time server = Yes > All DC's are time servers, just as long they are running an > NTP server, > it doesn't need setting in a DC smb.conf > > username map = /etc/samba/user.map > No, you do not use a user.map on a DC, Administrator is > mapped in idmap.ldb > > workgroup = A > > idmap_ldb:use rfc2307 = yes > > kernel oplocks = Yes > > > > [netlogon] > > path = /var/lib/samba/sysvol/a.b.hu/scripts > > read only = No > > > > [sysvol] > > path = /var/lib/samba/sysvol > > read only = No > > ----------- > > You have a user.map set in your smb.conf > > This is not allowed because Samba is running as a DC > > ----------- > > BIND_DLZ not detected in smb.conf > > > > Your script says that user.map is not allowed on a dc, but I don't > > read it in the smb.conf manual. > > Good point, but you do not use one a Samba AD DC, for the > reason given > above ;-) > > Try fixing the above problems. > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
> > On the file serever: > > Collected config --- 2019-07-03-10:27 ----------- > > > > Hostname: srv > > DNS Domain: a.b.hu > > FQDN: srv.a.b.hu > > ipaddress: 10.0.3.15 192.168.0.8 > > ----------- > > Samba is running as a Unix domain member > > ----------- > > > > This computer is running Debian 10.0 x86_64 > > ----------- > > running command : ip a > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN > > group default qlen 1000 > > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > > inet 127.0.0.1/8 scope host lo > > inet6 ::1/128 scope host > > 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast > > state UP group default qlen 1000 > > link/ether 08:00:27:c9:09:60 brd ff:ff:ff:ff:ff:ff > > inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8 > > valid_lft 83319sec preferred_lft 83319sec > > inet6 fe80::a00:27ff:fec9:960/64 scope link > > 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast > > state UP group default qlen 1000 > > link/ether 08:00:27:60:df:a1 brd ff:ff:ff:ff:ff:ff > > inet 192.168.0.8/24 brd 192.168.0.255 scope global enp0s3 > > inet6 fe80::a00:27ff:fe60:dfa1/64 scope link > > ----------- > > Checking file: /etc/hosts > > 127.0.0.1 localhost > > 192.168.0.8 srv.a.b.hu srv > > # The following lines are desirable for IPv6 capable hosts > > ::1 localhost ip6-localhost ip6-loopback > > ff02::1 ip6-allnodes > > ff02::2 ip6-allrouters > > ----------- > > Checking file: /etc/resolv.conf > > search a.b.hu tm.b.hu > > nameserver 192.168.0.4 > > ----------- > > > > Checking file: /etc/samba/smb.conf > > [global] > > bind interfaces only = Yes > > dos charset = CP852 > > interfaces = lo enp0s3 > > log file = /var/log/samba/%m.log > > log level = 1 > > name resolve order = lmhosts host bcast > > realm = A.B.HU > > security = ADS > > template homedir = /home/users/%U > > template shell = /bin/bash > > unix charset = UTF8 > > username map = /etc/samba/user.map > > workgroup = A > > idmap config a : range = 10000-999999 > > idmap config a : backend = rid > > idmap config * : range = 3000-7999 > > idmap config * : backend = tdb > > admin users = admin > > create mask = 0770 > > csc policy = disable > > directory mask = 0770 > > map acl inherit = Yes > > store dos attributes = Yes > > vfs objects = acl_xattr > > > > [users] > > path = /home/users > > read only = No > > ... > > > > [wpkg] > > path = /home/samba/wpkg > > valid users = "@Domain Users" > I wouldn't recommend using 'valid users' , but then I suppose this is > what you are trying to fixOk, but this is a special share, I have problem with more imprtant shares like users.> > ----------- > > Running as Unix domain member and user.map detected. > > Contents of /etc/samba/user.map > > !root = A\Administrator > > !root = A\admin > Remove the second line, I would recommend only mapping 'Administrator' > to 'root'Later I would like to login to Windows clients with the admin user, so this is why I included that too.> > On dc1: > > Collected config --- 2019-07-03-10:46 ----------- > > > > Hostname: dc1 > > DNS Domain: a.b.hu > > FQDN: dc1.a.b.hu > > ipaddress: 10.0.3.15 192.168.0.4 > > ----------- > > Samba is running as an AD DC > > ----------- > > > > This computer is running Debian 10.0 x86_64 > > ----------- > > running command : ip a > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN > > group default qlen 1000 > > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > > inet 127.0.0.1/8 scope host lo > > inet6 ::1/128 scope host > > 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast > > state UP group default qlen 1000 > > link/ether 08:00:27:b1:35:eb brd ff:ff:ff:ff:ff:ff > > inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8 > > valid_lft 76592sec preferred_lft 76592sec > > inet6 fe80::a00:27ff:feb1:35eb/64 scope link > > 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast > > state UP group default qlen 1000 > > link/ether 08:00:27:bf:f9:75 brd ff:ff:ff:ff:ff:ff > > inet 192.168.0.4/24 brd 192.168.0.255 scope global enp0s3 > > inet6 fe80::a00:27ff:febf:f975/64 scope link > > ----------- > > Checking file: /etc/hosts > > 127.0.0.1 localhost > > 127.0.1.1 dc1.a.b.hu dc1 > Remove the '127.0.1.1' line and what ever requires it.Ok, I removed. Debian installer creates that line.> > 192.168.0.4 dc1.a.b.hu dc1 > > # The following lines are desirable for IPv6 capable hosts > > ::1 localhost ip6-localhost ip6-loopback > > ff02::1 ip6-allnodes > > ff02::2 ip6-allrouters > > ----------- > > Checking file: /etc/resolv.conf > > #domain b.hu > > search a.b.hu tm.b.hu > Remove the 'tm.b.hu'We have two sites, connected with VPN, so we have two subnets. As I know, I need this to reach hosts in tm.b.hu, without the tm.b.hu postfix. I temporarily removed it, to test the result, but it didn't help.> > #nameserver 10.0.3.3 > > #nameserver 208.67.220.220 > > #nameserver 208.67.222.222 > > nameserver 192.168.0.4 > > ----------- > > > > Checking file: /etc/samba/smb.conf > > [global] > > bind interfaces only = Yes > > dns forwarder = 208.67.220.220 > > interfaces = lo enp0s3 > The above line are okay > > logon home = \\srv\users\%U > > logon path = "" > > name resolve order = lmhosts host bcast > The above are not.Ok, what do you recommend? I changed it after Rowland recommended not to use WINS.> > netbios name = DC1 > > realm = A.B.HU > > server role = active directory domain controller > > time server = Yes > All DC's are time servers, just as long they are running an NTP server, > it doesn't need setting in a DC smb.confOk.> > username map = /etc/samba/user.map > No, you do not use a user.map on a DC, Administrator is mapped in idmap.ldbOk.> > workgroup = A > > idmap_ldb:use rfc2307 = yes > > kernel oplocks = Yes > > > > [netlogon] > > path = /var/lib/samba/sysvol/a.b.hu/scripts > > read only = No > > > > [sysvol] > > path = /var/lib/samba/sysvol > > read only = No > > ----------- > > You have a user.map set in your smb.conf > > This is not allowed because Samba is running as a DC > > ----------- > > BIND_DLZ not detected in smb.conf > > > > Your script says that user.map is not allowed on a dc, but I don't > > read it in the smb.conf manual. > Good point, but you do not use one a Samba AD DC, for the reason given > above ;-)> Now after all changes Rowland suggested. > > Run this : getfacl /home/usersgetfacl: Removing leading '/' from absolute path names # file: home/users # owner: root # group: A\\domain\040admins user::rwx user:root:rwx user:10512:rwx group::rwx group:A\\domain\040admins:rwx mask::rwx other::--- default:user::rwx default:user:root:rwx default:group::rwx default:group:A\\domain\040admins:rwx default:mask::rwx default:other::---> > There are 5 things you need to think in. > 1) The folder rightsI havent used ACLs yet, I just followed Samba docs, and it says, I shoud set folder rights from Windows, but I cannot.> 2) The share rightsI've set it according to the Samba doc.> 3) Posix or windows ACL's? ( use Windows ACL's my advice. )Yes, that's what I wanted too.> 4) Dont forget the "Primary Group".Primary Group=default:group?> 5) If you use chmod, you must re-apply the windows ACL again on share/security (file/folder) level.So, chmod resets the permissions. Thanks, good to know it.