Luis Peromarta
2023-Nov-10 09:44 UTC
[Samba] samba4 active directory - all permissions seem to be messed up
Hi. Please reply to the list not to me.

passdb backend line is not needed in member server.

I don't think you've mapped Administrator to root.

See http://samba.bigbird.es/doku.php?id=samba:file-server

Scroll down to "map administrator to root". And try again

Regards.

LP

On 10 Nov 2023 at 08:25 +0000, Jürgen Echter <j.echter at echter-kuechen-elektro.de>, wrote:
> Hi Luis,
>
> here is my smb.conf for DC1:
>
> [global]
>     netbios name = SMBADDC1
>     realm = SAMDOM.DOMAIN.LOC
>     server role = active directory domain controller
>     workgroup = SAMDOM
>     dns forwarder = 192.168.0.1
>     tls keyfile  = tls/SMBADDC1.key
>     tls certfile = tls/SMBADDC1.crt
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/SAMDOM.DOMAIN.LOC/scripts
>     read only = No
>
> for DC2:
>
> [global]
>     netbios name = SMBADDC2
>     realm = SAMDON.DOMAIN.LOC
>     server role = active directory domain controller
>     workgroup = SAMDOM
>     dns forwarder = 192.168.0.1
>     tls keyfile = tls/SMBADDC2.key
>     tls certfile = tls/SMBADDC2.crt
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>     acls = yes
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/samdom.domain.loc/scripts
>     read only = No
>
> for DC3:
>
> [global]
>     netbios name = SMBADDC3
>     realm = SAMDOM.DOMAIN.LOC
>     server role = active directory domain controller
>     workgroup = SAMDOM
>     dns forwarder = 192.168.0.1
>
>     tls enabled  = yes
>     tls keyfile  = tls/SMBADDC3.key
>     tls certfile = tls/SMBADDC3.crt
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> [netlogon]
>     path = /var/lib/samba/sysvol/samdom.domain.loc/scripts
>     read only = No
>
> and for the member server with the shares:
>
> [global]
> #log level = 10
> #debug pid = yes
>     security = ADS
>     workgroup = SAMDOM
>     realm = SAMDOM.DOMAIN.LOC
>
>     winbind refresh tickets = Yes
>
>     winbind nss info = template
>     template shell = /bin/bash
>     template homedir = /home/%U
>     idmap config ELEMAY : backend = rid
>     idmap config ELEMAY : range = 10000-999999
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>
>     passdb backend = tdbsam
>
>     printing = cups
>     printcap name = cups
>     load printers = yes
>     cups options = raw
>
>     vfs objects = acl_xattr
>     map acl inherit = yes
>
>     aio read size = 1
>     aio write size = 1
>
> [share1]
>     path = /srv/samba/share1
>     browseable = yes
>     read only = no
>     guest ok = no
>     vfs objects = acl_xattr recycle io_uring
>     recycle:repository = .recycle
>     recycle:keeptree = yes
>     recycle:versions = yes
>     recycle:directory_mode = 0770
>     acl_xattr:ignore system acls = yes
>
> [share2]
>     path = /srv/samba/share2
>     browseable = Yes
>     read only = no
>     guest ok = no
>     vfs objects = acl_xattr recycle io_uring
>     recycle:repository = .recycle
>     recycle:keeptree = yes
>     recycle:versions = yes
>     recycle:touch_mtime = yes
>     recycle:directory_mode = 0770
>     acl_xattr:ignore system acls = yes
>
> On Friday, November 10, 2023 07:55 CET, Luis Peromarta via samba <samba at lists.samba.org> wrote:
>> It would be easier if you shared your smb.conf file for DCs and member server.
>>
>> LP
>>
>> On 9 Nov 2023 at 22:12 +0000, Jürgen Echter via samba <samba at lists.samba.org>, wrote:
>>> Hi,
>>>
>>> I have a big issue here.
>>>
>>> I have 3 samba addc domain controllers (Version 4.19.2) and one member server (Version 4.17.5).
>>>
>>> Out of the blue I cannot delete my own files anymore - access denied - user DOMAIN/administrator has to give you permission to do so.
>>>
>>> If I type in a windows cmd 'whoami' I get domain/administrator, so I am the user which holds the permissions on the files. Security tab looks good to me - Domain Admins - Full Access, Administrator - Full Access
>>>
>>> If I check the permissions on the share itself everything is looking like I set it up (I check in windows on the security tab). If I try to redo the permission from within windows I get 'cannot enumerate objects in container - access denied.'
>>>
>>> ls -alh on the member server tells me root:"SAMDOM/Domain Admins" is the owner of the directory.
>>>
>>> smb.conf on the member server:
>>>
>>> [share]
>>>     path = /srv/samba/share
>>>     acl_xattr:ignore system acls = yes
>>>
>>> Shares were created like this wiki entry tells me to do: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>> Everything worked until today, when I wanted to check why another share isn't inheriting the permissions to subfolders.
>>>
>>> I only touched the share which didn't work as expected, so I have no clue why all of a sudden all my permissions seem to have been messed up.
>>>
>>> I also removed an old DC 2 weeks ago and added a new one. So I guess this has nothing to do with it either.
>>>
>>> I really would appreciate any helping hand here. I can provide screenshots or whatever is needed. The error messages may not be accurate as I translated the German error messages I got.
>>>
>>> Thanks for listening and hopefully some hints what could have gone wrong with my setup.
>>>
>>> Juergen
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
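The "map Administrator to root" step Luis points at is Samba's documented way of letting the domain Administrator own files and set ACLs on a domain member: a `username map` parameter in `[global]` referencing a map file whose single rule maps the domain Administrator to the local root account. The posted member-server `[global]` contains no such line. The fragment below is an added example, not configuration from this thread or from the linked page; the file paths are assumptions and should be adapted to the installation (the poster's DCs use both `/usr/local/samba` and `/var/lib/samba` prefixes).

```ini
# /etc/samba/smb.conf on the domain member (added example; only the lines
# relevant to the mapping are shown, the file path is an assumption)
[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.DOMAIN.LOC
    # Let the domain Administrator act as the local root user, so it can
    # take ownership of share directories and write Windows ACLs to them
    username map = /etc/samba/user.map

# /etc/samba/user.map (added example; one rule per line, target user on the
# left, SMB account names on the right; the leading "!" stops further
# processing once this rule has matched)
!root = SAMDOM\Administrator SAMDOM\administrator
```

After adding the parameter, `testparm` checks the file for syntax errors and the mapping takes effect for new SMB sessions once smbd has reloaded its configuration. Only the domain Administrator should be mapped this way; mapping other domain accounts to root hands them unrestricted access to every share on the member server.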
Rowland Penny
2023-Nov-10 09:55 UTC
[Samba] samba4 active directory - all permissions seem to be messed up
On Fri, 10 Nov 2023 09:44:14 +0000 Luis Peromarta via samba <samba at lists.samba.org> wrote:
> Hi. Please reply to the list not to me.
>
> passdb backend line is not needed in member server.

It is and it isn't :-) You need it, but you do not need to actually have it in the smb.conf because it is the default.

> I don't think you've mapped Administrator to root.

From what has been posted, I know the OP hasn't mapped Administrator to root :-)

Rowland

> See
> http://samba.bigbird.es/doku.php?id=samba:file-server
>
> Scroll down to "map administrator to root". And try again
>
> Regards.
>
> LP