Steffen Dettmer
2023-Jul-18 21:00 UTC
[Samba] Fwd: Copy ACL to samba domain member file server
Hi,

I have a Debian 12 Container with Samba 4.17.9. Actually I wanted a domain controller Windows 2012R2 to migrate to Samba, but according to reading I had to downgrade to Windows Server 2008 first. I saw no way and bought a Windows Server 2019 license. Now I would like to have at least a file server with ACL support.

I started with a fresh container and followed the Samba Wiki https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member. I was able to join and did create a share as in https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs. It states to use Windows to configure permissions. However, on Windows, I only get permission denied and "failed to enumerate objects in the container". I saw in some log surprising permission issues with a tdb file and since the container has no shell access for users I simply tried chmod 0777 /var/lib/samba/*, but I still get the errors. Interestingly, the permissions seem to be set according to Windows file properties. I can create folders and their owner matches. I can write into them, but always get errors with ACLs. I also can delete the folders (from Windows).

What I would like to safely (=robust, stable, reliable) have is move my Windows files to my ZFS datasets (nas1/mp0) like:

c:\>robocopy d:\stor1\f1 \\nas1\disk0\f1 /E /COPYALL /IA:RASHNTCEO /R:0 /W:0 /LOG+:d:\tmp\nas1.log /TEE /XD D:\stor1\f1\bak

[many of:
   Neues Verz.         362    d:\stor1\f1\tmp\
2023/07/18 22:33:47 FEHLER 5 (0x00000005) NTFS-Sicherheit wird in Zielverzeichnis kopiert \\nas1\disk0\f1\tmp\
Zugriff verweigert
]

(This is "NTFS security will be copied to destination directory: permission denied")

What am I doing wrong?

Any help appreciated!

Steffen


root@nas1:/var/lib/samba# grep -vE '(^$|#)' /etc/samba/smb.conf | sed "s|$DOM|DOM|"
[global]
	security = ADS
	workgroup = DOM
	realm = DOM.LOCAL
	winbind use default domain = yes
	vfs objects = acl_xattr
	map acl inherit = yes
	acl_xattr:ignore system acls = yes
	log file = /var/log/samba/log.%m
	max log size = 1000
	logging = file
	panic action = /usr/share/samba/panic-action %d
	server role = standalone server
	obey pam restrictions = yes
	unix password sync = yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	pam password change = yes
	map to guest = bad user
	idmap config * : backend = tdb
	idmap config * : range = 3000-7999
	idmap config DOM : backend = rid
	idmap config DOM : range = 10000-99999
	template shell = /bin/bash
	template homedir = /home/%U
	usershare allow guests = yes
[homes]
	comment = Home Directories
	browseable = no
	read only = yes
	create mask = 0700
	directory mask = 0700
	valid users = %S
[disk0]
	path = /mp0/windisk0
	read only = no
	writeable = yes
root@nas1:/var/lib/samba#

/etc/krb5.conf
[libdefaults]
	default_realm = DOM.LOCAL
	dns_lookup_realm = false
	dns_lookup_kdc = true
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	rdns = false
	fcc-mit-ticketflags = true


root@nas1:/var/lib/samba# wbinfo --ping-dc | sed "s|$DOM|DOM|g"
checking the NETLOGON for domain[DOM] dc connection to "dc2.DOM.local" succeeded

root@nas1:/var/lib/samba# ls -l /mp0/windisk0/
total 9
drwxrwxr-x+ 2 a-sdettmer domänen-benutzer 2 Jul 18 22:02 tst
root@nas1:/var/lib/samba#


root@nas1:/var/lib/samba# smbd -b | grep HAVE_LIBACL
   HAVE_LIBACL
root@nas1:/var/lib/samba# net rpc rights list privileges SeDiskOperatorPrivilege -U "$DOM\administrator"
Password for [DOM\administrator]:
SeDiskOperatorPrivilege:
DOM\Domänen-Admins
BUILTIN\Administrators
root@nas1:/var/lib/samba#


root@nas1:/var/lib/samba# id a-sdettmer | sed "s|$DOM|DOM|g"
uid=29603(a-sdettmer) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),29603(a-sdettmer),XXXXXXXX,10526(schlüsseladministratoren),XXXXX,10512(domänen-admins),10520(richtlinien-ersteller-besitzer),10527(unternehmenssschlüsseladministratoren),10519(organisations-admins),10518(schema-admins),11103(dnsadmins),21108(netmon users),10572(abgelehnte rodc-kennwortreplikationsgruppe),11001(dhcp-administratoren),10517(zertifikatherausgeber),XXXXX,3001(BUILTIN\users),3000(BUILTIN\administrators)
root@nas1:/var/lib/samba#


root@nas1:/var/lib/samba# samba-tool group listmembers "$DOM\Domänen-Admins" 2>&1| sed "s|$DOM|DOM|g"
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: No such file or directory
Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
ERROR: Failed to list members of "DOM\Domänen-Admins" group - (1, "Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory")
root@nas1:/var/lib/samba#

(is this normal in domain member mode?)
Rowland Penny
2023-Jul-19 08:50 UTC
[Samba] Fwd: Copy ACL to samba domain member file server
On 18/07/2023 22:00, Steffen Dettmer via samba wrote:
> Hi,
>
> I have a Debian 12 Container with Samba 4.17.9. Actually I wanted a domain controller Windows 2012R2 to migrate to Samba, but according to reading I had to downgrade to Windows Server 2008 first.

That is not entirely true, you can join Samba as a DC to a 2012R2 domain, but you may have to lower the functional level first.

> I saw no way and bought a Windows Server 2019 license. Now I would like to have at least a file server with ACL support.
>
> I started with a fresh container and followed the Samba Wiki https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member. I was able to join and did create a share as in https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs. It states to use Windows to configure permissions. However, on Windows, I only get permission denied and "failed to enumerate objects in the container". I saw in some log surprising permission issues with a tdb file and since the container has no shell access for users I simply tried chmod 0777 /var/lib/samba/*, but I still get the errors. Interestingly, the permissions seem to be set according to Windows file properties. I can create folders and their owner matches. I can write into them, but always get errors with ACLs. I also can delete the folders (from Windows).
>
> What I would like to safely (=robust, stable, reliable) have is move my Windows files to my ZFS datasets (nas1/mp0) like:

Which 'ZFS' is this? ZFS on Linux, or true ZFS that uses NFSv4 ACLs?

> c:\>robocopy d:\stor1\f1 \\nas1\disk0\f1 /E /COPYALL /IA:RASHNTCEO /R:0 /W:0 /LOG+:d:\tmp\nas1.log /TEE /XD D:\stor1\f1\bak

I do not use robocopy, but, as far as I am aware, it should work.

> [many of:
>    Neues Verz.         362    d:\stor1\f1\tmp\
> 2023/07/18 22:33:47 FEHLER 5 (0x00000005) NTFS-Sicherheit wird in Zielverzeichnis kopiert \\nas1\disk0\f1\tmp\
> Zugriff verweigert
> ]
>
> (This is "NTFS security will be copied to destination directory: permission denied")
>
> What am I doing wrong?
>
> Any help appreciated!
>
> Steffen
>
>
> root@nas1:/var/lib/samba# grep -vE '(^$|#)' /etc/samba/smb.conf | sed "s|$DOM|DOM|"
> [global]
> 	security = ADS
> 	workgroup = DOM
> 	realm = DOM.LOCAL
> 	winbind use default domain = yes
> 	vfs objects = acl_xattr
> 	map acl inherit = yes
> 	acl_xattr:ignore system acls = yes
> 	log file = /var/log/samba/log.%m
> 	max log size = 1000
> 	logging = file
> 	panic action = /usr/share/samba/panic-action %d
> 	server role = standalone server
> 	obey pam restrictions = yes
> 	unix password sync = yes
> 	passwd program = /usr/bin/passwd %u
> 	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> 	pam password change = yes
> 	map to guest = bad user
> 	idmap config * : backend = tdb
> 	idmap config * : range = 3000-7999
> 	idmap config DOM : backend = rid
> 	idmap config DOM : range = 10000-99999
> 	template shell = /bin/bash
> 	template homedir = /home/%U
> 	usershare allow guests = yes
> [homes]
> 	comment = Home Directories
> 	browseable = no
> 	read only = yes
> 	create mask = 0700
> 	directory mask = 0700
> 	valid users = %S
> [disk0]
> 	path = /mp0/windisk0
> 	read only = no
> 	writeable = yes
> root@nas1:/var/lib/samba#

There are a few lines in that smb.conf that really shouldn't be in a Unix domain member's smb.conf, try this one:

[global]
	security = ADS
	workgroup = DOM
	realm = DOM.LOCAL
	log file = /var/log/samba/log.%m
	max log size = 1000
	logging = file
	panic action = /usr/share/samba/panic-action %d
	obey pam restrictions = yes
	pam password change = yes
	winbind use default domain = yes
	idmap config * : backend = tdb
	idmap config * : range = 3000-7999
	idmap config DOM : backend = rid
	idmap config DOM : range = 10000-99999
	template shell = /bin/bash
	template homedir = /home/%U
	usershare allow guests = yes
	vfs objects = acl_xattr
	map acl inherit = yes

[homes]
	comment = Home Directories
	browseable = no
	read only = no
	create mask = 0700
	directory mask = 0700
	valid users = %S

[disk0]
	path = /mp0/windisk0
	read only = no

>
> /etc/krb5.conf
> [libdefaults]
> 	default_realm = DOM.LOCAL
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> 	kdc_timesync = 1
> 	ccache_type = 4
> 	forwardable = true
> 	proxiable = true
> 	rdns = false
> 	fcc-mit-ticketflags = true

Try this /etc/krb5.conf, it is based on the latest Samba recommended one:

[libdefaults]
	default_realm = DOM.LOCAL
	dns_lookup_realm = false
	dns_lookup_kdc = true

[realms]
	DOM.LOCAL = {
		default_domain = dom.local
	}

[domain_realm]
	NAS1 = DOM.LOCAL

>
> root@nas1:/var/lib/samba# wbinfo --ping-dc | sed "s|$DOM|DOM|g"
> checking the NETLOGON for domain[DOM] dc connection to "dc2.DOM.local" succeeded
>
> root@nas1:/var/lib/samba# ls -l /mp0/windisk0/
> total 9
> drwxrwxr-x+ 2 a-sdettmer domänen-benutzer 2 Jul 18 22:02 tst
> root@nas1:/var/lib/samba#
>
>
> root@nas1:/var/lib/samba# smbd -b | grep HAVE_LIBACL
>    HAVE_LIBACL
> root@nas1:/var/lib/samba# net rpc rights list privileges SeDiskOperatorPrivilege -U "$DOM\administrator"
> Password for [DOM\administrator]:
> SeDiskOperatorPrivilege:
> DOM\Domänen-Admins
> BUILTIN\Administrators
> root@nas1:/var/lib/samba#
>
>
> root@nas1:/var/lib/samba# id a-sdettmer | sed "s|$DOM|DOM|g"
> uid=29603(a-sdettmer) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),29603(a-sdettmer),XXXXXXXX,10526(schlüsseladministratoren),XXXXX,10512(domänen-admins),10520(richtlinien-ersteller-besitzer),10527(unternehmenssschlüsseladministratoren),10519(organisations-admins),10518(schema-admins),11103(dnsadmins),21108(netmon users),10572(abgelehnte rodc-kennwortreplikationsgruppe),11001(dhcp-administratoren),10517(zertifikatherausgeber),XXXXX,3001(BUILTIN\users),3000(BUILTIN\administrators)
> root@nas1:/var/lib/samba#
>
>
> root@nas1:/var/lib/samba# samba-tool group listmembers "$DOM\Domänen-Admins" 2>&1| sed "s|$DOM|DOM|g"
> ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: No such file or directory
> Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
> Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
> ERROR: Failed to list members of "DOM\Domänen-Admins" group - (1, "Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory")
> root@nas1:/var/lib/samba#
>
> (is this normal in domain member mode?)

Yes, there is no sam.ldb on a Unix domain member, you can add '-H ldap://YOUR_DCS_HOSTNAME' to the command.

Rowland
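As an added example (not code from this thread or from the Samba project), a small Python audit that reads an smb.conf with a minimal parser and flags the [global] lines Rowland removed for a Unix domain member (server role, unix password sync, passwd program/chat, map to guest and acl_xattr:ignore system acls), plus a missing security = ADS or a missing acl_xattr VFS module. The sample configuration is constructed from the [global] section posted above.

```python
"""Flag smb.conf settings that do not belong on a Unix domain member.
Added example (not from the thread or the Samba project): a minimal reader that
splits only on '=' (so 'idmap config * : backend' survives) plus the checks."""

MEMBER_DISALLOWED = {  # key -> values that are a finding; None = key must be absent
    "server role": ("standalone server", "standalone"),  # role follows security = ADS
    "unix password sync": ("yes", "true", "1"),           # passwords are changed on the DC
    "passwd program": None,
    "passwd chat": None,
    "map to guest": ("bad user",),                        # guest mapping masks auth failures
    "acl_xattr:ignore system acls": ("yes", "true", "1"), # POSIX ACLs stop mirroring the NT ACL
}

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, inner whitespace collapsed."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line[:1] == "[" and line[-1:] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def audit_member_config(text):
    """Return sorted (key, value) pairs that should be removed or changed."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []
    if glob.get("security", "").lower() != "ads":
        findings.append(("security", glob.get("security", "<unset>")))
    if "acl_xattr" not in glob.get("vfs objects", "").split():
        findings.append(("vfs objects", glob.get("vfs objects", "<unset>")))
    for key, bad in MEMBER_DISALLOWED.items():
        if key in glob and (bad is None or glob[key].lower() in bad):
            findings.append((key, glob[key]))
    return sorted(findings)

# Constructed sample: the thread's [global] section, condensed to the relevant lines.
SAMPLE = """[global]
	security = ADS
	vfs objects = acl_xattr
	acl_xattr:ignore system acls = yes
	server role = standalone server
	unix password sync = yes
	passwd program = /usr/bin/passwd %u
	map to guest = bad user
	idmap config * : backend = tdb
"""
```

Running `audit_member_config(SAMPLE)` returns the five lines to drop; Rowland's corrected [global] produces no findings.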
Kees van Vloten
2023-Jul-19 08:57 UTC
[Samba] Fwd: Copy ACL to samba domain member file server
On 18-07-2023 at 23:00, Steffen Dettmer via samba wrote:
> Hi,
>
> I have a Debian 12 Container with Samba 4.17.9. Actually I wanted a domain controller Windows 2012R2 to migrate to Samba, but according to reading I had to downgrade to Windows Server 2008 first. I saw no way and bought a Windows Server 2019 license. Now I would like to have at least a file server with ACL support.
>
> I started with a fresh container and followed the Samba Wiki

I am wondering about the word "container". As far as I know you need a privileged container for Samba to function properly.

- Kees.