Mark Foley
2023-Dec-17 06:23 UTC
[Samba] Samba share not quite working on Domain Controller
On Sat Dec 16 15:49:27 2023 Mark Foley via samba <samba at lists.samba.org> wrote:
>
> I don't know if this is a Windows, Linux or Samba problem. I've posted this
> issue to both Windows and Linux forums, but no one seems to have any idea so far.
>
> Note that this works on my current/old DC version 4.8.2 provisioned with
> BIND9_FLATFILE. The "new" DC is version 4.18.8 provisioned with SAMBA_INTERNAL.
> I don't know if this matters or not. My smb.conf is:
>
(deleted)
> [Users]
>     path = /redirectedFolders/Users
>     comment = user folders for redirection
>     read only = No
(deleted)
>
> All but the [Users] section was auto-generated by the provision command. Yes, I
> know putting a Share on the DC is not recommended, but I've used that for the
> redirected folders on the old DC for the past 10 years and, although not
> recommended, it's not actually "forbidden".
>
> I have successfully joined a Windows 10 workstation as a domain member. In
> Windows Explorer (as DC Administrator), I can open the share with
> \\dc1.hprs.locl, and I see my folders. The folder in question is 'Users'. I can
> put files into that folder from Windows, no problem. However if I right-click
> on 'Users > Properties > Security', Explorer crashes. This does not happen
> doing the same thing on the other two folders (sysvol and netlogin). I find
> nothing in the Linux log files. The Windows event log gives:
>
[deleted]
>
> Any idea what's up with this?
>
> Thanks --Mark
>

I got this fixed! Nothing like a little lotus-position meditation and navel-contemplation to gain enlightenment.

Since sysvol and netlogin folders didn't crash when I selected their Properties > Security, I reasoned there must be something about permissions or ownership afoot. Sure enough:

    # ls -ld /var/lib/samba/sysvol/
    drwxrwx---+ 3 root 3000000 4096 2023-11-29 21:16 /var/lib/samba/sysvol/

Both of those directories, created by provisioning, are members of group 3000000 which I presume is some administrative group (although 'getent group 3000000' on the DC returns nothing, so I'm not sure).

I could have probably just set the group for Users to 3000000, but there are some extended attributes (designated by the '+' sign), so I cloned sysvol to Users:

    # rmdir /redirectedFolders/Users/
    # cp -rp /var/lib/samba/sysvol/ /redirectedFolders/
    # cd /redirectedFolders/
    # mv sysvol/ Users
    # cd Users/
    # rm -r hprs.locl/
    # cd ..
    # ls -l
    drwxrwx---+ 2 root 3000000 4096 2023-12-17 00:13 Users/

Voila! Same permission, complete with extended attributes.

After doing that I was able to set Properties > Security correctly on the Windows computer.

This by no means finishes the 'Redirected Folders' effort. I have yet to create the Group Policy and then attempt to restore the users' Desktops, etc. to this directory, but I wanted to at least let the sambalist know I got past this problem so everyone who was working feverishly on helping me figure it out could stand down.

Hope this helps anyone trying to set up Redirected Folders.

--Mark

Rowland Penny
2023-Dec-17 08:10 UTC
[Samba] Samba share not quite working on Domain Controller
On Sun, 17 Dec 2023 01:23:29 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:
>
> Since sysvol and netlogin folders didn't crash when I selected their
> Properties > Security, I reasoned there must be something about
> permissions or ownership afoot. Sure enough:
>
> # ls -ld /var/lib/samba/sysvol/
> drwxrwx---+ 3 root 3000000 4096 2023-11-29 21:16
> /var/lib/samba/sysvol/
>
> Both of those directories, created by provisioning, are members of
> group 3000000 which I presume is some administrative group (although
> 'getent group 3000000' on the DC returns nothing, so I'm not sure).

If this was Debian, I would suggest installing libnss-winbind and libpam-winbind, but as this is Slackware, I haven't a clue what the required package(s) is/are called. However, on Debian the two '.so' files the package(s) contain are 'libnss_winbind.so.2' and 'pam_winbind.so'. Installing these and adding 'winbind' to the 'passwd' & 'group' lines in /etc/nsswitch.conf will get getent to work and the '3000000' will very probably become 'Domain Admins'.

Having to do the above is yet another reason not to use a DC as a fileserver: all your users will then be able to log in to the DC.

Rowland

spindles seven
2023-Dec-17 10:38 UTC
[Samba] Samba share not quite working on Domain Controller
On December 17, 2023 6:23 AM Mark Foley wrote:
> On Sat Dec 16 15:49:27 2023 Mark Foley via samba <samba at lists.samba.org>
> wrote:
> [deleted]
> I got this fixed! Nothing like a little lotus-position meditation and navel-
> contemplation to gain enlightenment.
>
> Since sysvol and netlogin folders didn't crash when I selected their Properties
> > Security, I reasoned there must be something about permissions or ownership afoot.
> Sure enough:
>
> # ls -ld /var/lib/samba/sysvol/
> drwxrwx---+ 3 root 3000000 4096 2023-11-29 21:16 /var/lib/samba/sysvol/
>
> Both of those directories, created by provisioning, are members of group 3000000
> which I presume is some administrative group (although 'getent group 3000000' on
> the DC returns nothing, so I'm not sure).
>
> I could have probably just set the group for Users to 3000000, but there are some
> extended attributes (designated by the '+' sign), so I cloned sysvol to
> Users:
>
> # rmdir /redirectedFolders/Users/
> # cp -rp /var/lib/samba/sysvol/ /redirectedFolders/
> # cd /redirectedFolders/
> # mv sysvol/ Users
> # cd Users/
> # rm -r hprs.locl/
> # cd ..
> # ls -l
> drwxrwx---+ 2 root 3000000 4096 2023-12-17 00:13 Users/
>
> Voila! Same permission, complete with extended attributes.

That's not the recommended way to add Extended ACL permissions to a users' share. You have copied the extended ACLs from the sysvol share to the users share and these will not be the correct permissions.

For the Users share where the users' home folders, e.g. Documents etc., are redirected, the permissions required are as follows:

File system permissions on the root of the users share:

Principal:Access:Applies to
===================
CREATOR OWNER:Full control:Subfolders and files only
Domain Admins:Full control:This folder, subfolders and files
Authenticated Users:Traverse Folder/Execute file,List folder/read data,Read Attributes, Create folders/append data:This folder only
SYSTEM:Full Control:This folder, subfolders and files

These should be set using the procedure described here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Hope that helps,
Spindles7
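
Added example, not part of the thread or of Samba: a Python check that compares the allow ACEs on a share root, given as an SDDL string (for instance as printed by `samba-tool ntacl get <path> --as-sddl`), against the permissions table in the message above. Both sample strings are constructed; ignoring the SYNCHRONIZE bit and accepting only hex or `FA` rights are assumptions of this sketch.

```python
import re

SYNCHRONIZE = 0x00100000  # assumption: ignored, since Windows tools often add it
FULL = 0x001F01FF         # FILE_ALL_ACCESS, "Full control"
# Traverse/execute | list/read data | read attributes | create folders/append data
AU_RIGHTS = 0x20 | 0x01 | 0x80 | 0x04
ORDER = ("OI", "CI", "IO", "NP")  # canonical print order for inheritance flags

def norm(mask):
    return mask & ~SYNCHRONIZE

# The table above as (principal, inheritance flags, access mask)
EXPECTED = {
    ("CO", frozenset({"OI", "CI", "IO"}), norm(FULL)),  # subfolders and files only
    ("DA", frozenset({"OI", "CI"}), norm(FULL)),        # folder, subfolders, files
    ("AU", frozenset(), norm(AU_RIGHTS)),               # this folder only
    ("SY", frozenset({"OI", "CI"}), norm(FULL)),        # folder, subfolders, files
}
WELL_KNOWN = {"S-1-3-0": "CO", "S-1-5-11": "AU", "S-1-5-18": "SY"}

def principal(sid):
    """Map full SIDs to the SDDL aliases used in EXPECTED."""
    if re.fullmatch(r"S-1-5-21(-\d+){3}-512", sid):  # <domain SID>-512 = Domain Admins
        return "DA"
    return WELL_KNOWN.get(sid, sid)

def allow_aces(sddl):
    """Extract allow ACEs as comparable tuples (rights must be hex or 'FA')."""
    aces = set()
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        kind, flags, rights, _obj, _iobj, sid = ace.split(";")[:6]
        if kind != "A":
            continue
        inherit = frozenset(re.findall("..", flags)) - {"ID"}
        mask = FULL if rights == "FA" else int(rights, 16)
        aces.add((principal(sid), inherit, norm(mask)))
    return aces

def audit(sddl):
    """Return sorted findings; an empty list means the root ACL matches the table."""
    have = allow_aces(sddl)
    out = [("missing", *a) for a in EXPECTED - have]
    out += [("unexpected", *a) for a in have - EXPECTED]
    return sorted(f"{k} {p} inherit={''.join(f for f in ORDER if f in i) or '-'} "
                  f"mask={m:#x}" for k, p, i, m in out)

# Constructed samples: a root ACL built from the table, and a sysvol-style ACL
GOOD = ("O:BAG:DUD:P(A;OICIIO;0x001f01ff;;;CO)(A;OICI;FA;;;S-1-5-21-1-2-3-512)"
        "(A;;0x001000a5;;;AU)(A;OICI;0x001f01ff;;;SY)")
CLONED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
```

For the constructed sysvol-style string, `audit(CLONED)` reports the CREATOR OWNER and Domain Admins entries as missing and the Authenticated Users entry as inheriting to subfolders and files instead of applying to the root folder only.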