> >>>> Run this : getfacl /home/users
> >>> getfacl: Removing leading '/' from absolute path names
> >>> # file: home/users
> >>> # owner: root
> >>> # group: A\\domain\040admins
> >>> user::rwx
> >>> user:root:rwx
> >>> user:10512:rwx
> >>> group::rwx
> >>> group:A\\domain\040admins:rwx
> >>> mask::rwx
> >>> other::---
> >>> default:user::rwx
> >>> default:user:root:rwx
> >>> default:group::rwx
> >>> default:group:A\\domain\040admins:rwx
> >>> default:mask::rwx
> >>> default:other::---
> >> Hmm, have you done something like running 'setfacl' on the directory ?
> > No.
> >
> >> I ask this because, if you created the directory with:
> >> mkdir /home/users
> >> changed the ownership with:
> >> chown root:'A\Domain Admins' /home/users
> >> Changed the permissions with:
> >> chmod 0770 /home/users
> >> I would have expected 'getfacl' to return
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: home/users
> >> # owner: root
> >> # group: A\134domain\040admins
> >> user::rwx
> >> group::rwx
> >> other::---
> >> Yours appears to have extra lines that would normally only be there if
> >> ACLs had been set from Windows or with 'setfacl'.
> >> There is also this:
> >> A\\domain\040admins
> >> If you look at what I would expect, the second '\' is replaced by '134',
> >> this is the ascii code for '\' (040 is the code for a space), so why is
> >> yours different from every other getfacl output I have ever seen ?
> > I did the following today:
> > setfacl -b users
> > chmod 0770 users
> > chown "root:A\domain users" users
> > getfacl users
> > # file: users
> > # owner: root
> > # group: A\\domain\040users
> > user::rwx
> > group::rwx
> > other::---
> > So, the use of \\ is "automatic", I don't know any other way to set it.
> > But, after the reset, I still cannot change the directory permissions
> > from Windows.
> >
>
> It looks like you may have found a bug in the 'acl' package ;-)
> Debian 9 (Stretch) uses acl 2.2.52-3+b1
> Debian 10 (Buster) uses acl 2.2.53-4
> I am still on Stretch and if I run a couple of tests, creating a couple
> of directories and changing ownership as you have done, I always get the
> same result, which is different from you.
> mkdir testA
> chmod 0770 testA
> chown root:"A\domain users" testA
> getfacl testA
> # file: testA
> # owner: root
> # group: A\134domain\040users
> user::rwx
> group::rwx
> other::---
> mkdir testB
> chmod 0770 testB
> chown "root:A\domain users" testB
> getfacl testB
> # file: testB
> # owner: root
> # group: A\134domain\040users
> user::rwx
> group::rwx
> other::---
> I am now wondering if because getfacl is returning this for you:
> group: A\\domain\040users
> When I get:
> group: A\134domain\040users
> is the problem ?

ls -l
...
drwxrwx--- 2 root A\domain users 4096 jún 26 15:52 users

What do you see with ls?
Maybe it is good on the filesystem, just the acl package shows it
incorrectly? Does Samba use acl too, and this is why I cannot see/set
the permissions from Windows?

On 04/07/2019 10:22, Pisch Tamás via samba wrote:
> ls -l
> ...
> drwxrwx--- 2 root A\domain users 4096 jún 26 15:52 users
> What do you see with ls?
> Maybe it is good on the filesystem, just the acl package shows it
> incorrectly? Does Samba use acl too, and this is why I cannot see/set
> the permissions from Windows?
>

I get the same as you:

ls -lad testA
drwxrwx--- 2 root A\domain users 4096 Jul  4 09:39 testA
ls -lad testB
drwxrwx--- 2 root A\domain users 4096 Jul  4 09:40 testB

I suppose the only way to find out is to set up a Buster domain member on my domain, watch this space ;-)

Rowland

On 04/07/2019 10:31, Rowland penny via samba wrote:
> On 04/07/2019 10:22, Pisch Tamás via samba wrote:
>> ls -l
>> ...
>> drwxrwx--- 2 root A\domain users 4096 jún 26 15:52 users
>> What do you see with ls?
>> Maybe it is good on the filesystem, just the acl package shows it
>> incorrectly? Does Samba use acl too, and this is why I cannot see/set
>> the permissions from Windows?
>>
> I get the same as you:
>
> ls -lad testA
> drwxrwx--- 2 root A\domain users 4096 Jul  4 09:39 testA
> ls -lad testB
> drwxrwx--- 2 root A\domain users 4096 Jul  4 09:40 testB
>
> I suppose the only way to find out is to set up a Buster domain member
> on my domain, watch this space ;-)
>
> Rowland
>
>
>

OK, I set up Buster RC3 in a VM, used this smb.conf:

[global]
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.EXAMPLE.COM
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Samba 4 Client %h
    winbind expand groups = 4
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes
    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 3000-7999
    ## map ids from the domain  the ranges may not overlap !
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/users/%U
    domain master = no
    local master = no
    preferred master = no
    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map
    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes
    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[users]
    path = /home/users
    read only = No

the user.map is this:

!root = SAMDOM\Administrator

Joined to the domain and started Samba.

mkdir /home/users
chmod 0770 /home/users
chown "root:SAMDOM\domain users" /home/users
ls -lad /home/users
drwxrwx--- 2 root SAMDOM\domain_users 4096 Jul  4 11:12 /home/users

root@dbrc3:~# getfacl /home/users
getfacl: Removing leading '/' from absolute path names
# file: home/users
# owner: root
# group: SAMDOM\\domain_users
user::rwx
group::rwx
other::---

Go to a Win10 machine and log in as 'SAMDOM\Administrator'
Go to File explorer and navigate to the 'users' share on 'dbrc3'
I could add 'Domain Admins' to the 'Properties' on the share without any problem.

Back to Buster machine:

root@dbrc3:~# ls -lad /home/users
drwxrwx---+ 2 root SAMDOM\domain_users 4096 Jul  4 11:12 /home/users
root@dbrc3:~# getfacl /home/users
getfacl: Removing leading '/' from absolute path names
# file: home/users
# owner: root
# group: SAMDOM\\domain_users
user::rwx
user:root:rwx
user:10512:rwx
user:10513:rwx
group::rwx
group:SAMDOM\\domain_admins:rwx
group:SAMDOM\\domain_users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:10512:rwx
default:group::r-x
default:group:SAMDOM\\domain_admins:rwx
default:group:SAMDOM\\domain_users:r-x
default:mask::rwx
default:other::r-x

So we can scratch the 'acl' changes.

you must have the 'acl' package installed to have 'getfacl', but is the 'attr' package installed ?

Rowland
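
The comparison made in this thread (a plain mode-bits ACL versus one extended from Windows, and the \\ versus \134 spelling of the same group), as an added Python example that is not part of any poster's message. It assumes, from the outputs quoted above, that getfacl writes a backslash either doubled or as a three-digit octal code; the sample inputs are constructed from the thread's output and the function names are illustrative.

```python
import re

# Constructed samples, modelled on the getfacl output quoted in this thread.
STRETCH_MINIMAL = r"""# file: testA
# owner: root
# group: A\134domain\040users
user::rwx
group::rwx
other::---
"""
BUSTER_MINIMAL = STRETCH_MINIMAL.replace(r"A\134domain", r"A\\domain")
AFTER_WINDOWS_EDIT = r"""# file: home/users
# owner: root
# group: SAMDOM\\domain_users
user::rwx
user:10512:rwx
group::rwx
group:SAMDOM\\domain_admins:rwx
mask::rwx
other::---
default:group:SAMDOM\\domain_admins:rwx
"""

_ESCAPE = re.compile(r"\\(\\|[0-7]{3})")
_ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")

def unescape(name):
    # Assumption: a backslash is written either doubled or as a 3-digit octal code.
    return _ESCAPE.sub(
        lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            acl[key] = unescape(value.strip())
        elif (m := _ENTRY.match(line)):
            scope = "default" if m.group(1) else "access"
            acl[scope].append((m.group(2), unescape(m.group(3)), m.group(4)))
    return acl

def is_extended(acl):
    # Named user/group entries, a mask, or any default entry go beyond plain mode bits.
    return bool(acl["default"]) or any(
        tag == "mask" or who for tag, who, _ in acl["access"])

def named_principals(acl):
    return sorted({who for tag, who, _ in acl["access"] + acl["default"] if who})
```
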

> OK, I set up Buster RC3 in a VM

Thanks a lot!

> I could add 'Domain Admins' to the 'Properties' on the share without any
> problem.

:o

> Back to Buster machine:
> root@dbrc3:~# ls -lad /home/users
> drwxrwx---+ 2 root SAMDOM\domain_users 4096 Jul 4 11:12 /home/users
> root@dbrc3:~# getfacl /home/users
> getfacl: Removing leading '/' from absolute path names
> # file: home/users
> # owner: root
> # group: SAMDOM\\domain_users
> user::rwx
> user:root:rwx
> user:10512:rwx
> user:10513:rwx
> group::rwx
> group:SAMDOM\\domain_admins:rwx
> group:SAMDOM\\domain_users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:10512:rwx
> default:group::r-x
> default:group:SAMDOM\\domain_admins:rwx
> default:group:SAMDOM\\domain_users:r-x
> default:mask::rwx
> default:other::r-x
> So we can scratch the 'acl' changes.

Ok.

> you must have the 'acl' package installed to have 'getfacl', but is the
> 'attr' package installed ?

Yes.

getfattr users
# file: users
user.SAMBA_PAI

Pisch Tamás <pischta at gmail.com> wrote (on Thu, 4 Jul 2019, 13:15):
>
> > OK, I set up Buster RC3 in a VM
> Thanks a lot!
>
> > I could add 'Domain Admins' to the 'Properties' on the share without any
> > problem.
> :o
>
> > Back to Buster machine:
> > root@dbrc3:~# ls -lad /home/users
> > drwxrwx---+ 2 root SAMDOM\domain_users 4096 Jul 4 11:12 /home/users
> > root@dbrc3:~# getfacl /home/users
> > getfacl: Removing leading '/' from absolute path names
> > # file: home/users
> > # owner: root
> > # group: SAMDOM\\domain_users
> > user::rwx
> > user:root:rwx
> > user:10512:rwx
> > user:10513:rwx
> > group::rwx
> > group:SAMDOM\\domain_admins:rwx
> > group:SAMDOM\\domain_users:rwx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:10512:rwx
> > default:group::r-x
> > default:group:SAMDOM\\domain_admins:rwx
> > default:group:SAMDOM\\domain_users:r-x
> > default:mask::rwx
> > default:other::r-x
> > So we can scratch the 'acl' changes.
> Ok.
>
> > you must have the 'acl' package installed to have 'getfacl', but is the
> > 'attr' package installed ?
> Yes.
> getfattr users
> # file: users
> user.SAMBA_PAI

Unbelievable: I removed every setting from the samba shares, except path and read only in smb.conf. It turned out that I can set the filesystem permissions of every share, except the users share! I checked the acls and xattrs of the folders. Only the users share had an xattr entry. I deleted that setting, but it didn't help. I compared the acls of the other shares with the users share, but no difference.
Are there users share related settings in smb.conf that maybe prohibit my access?