Mark Foley
2023-Dec-17 16:50 UTC
[Samba] Samba share not quite working on Domain Controller
On Sun Dec 17 05:39:45 2023 spindles seven via samba <samba at lists.samba.org> wrote:
> > On December 17, 2023 6:23 AM Mark Foley wrote:
> > On Sat Dec 16 15:49:27 2023 Mark Foley via samba <samba at lists.samba.org>
> > wrote:
> > [deleted]
> > I got this fixed! Nothing like a little lotus-position meditation and navel-contemplation to gain enlightenment.
> >
> > Since sysvol and netlogon folders didn't crash when I selected their Properties > Security, I reasoned there must be something about permissions or ownership afoot. Sure enough:
> >
> > # ls -ld /var/lib/samba/sysvol/
> > drwxrwx---+ 3 root 3000000 4096 2023-11-29 21:16 /var/lib/samba/sysvol/
> >
> > Both of those directories, created by provisioning, are members of group 3000000, which I presume is some administrative group (although 'getent group 3000000' on the DC returns nothing, so I'm not sure).
> >
> > I could have probably just set the group for Users to 3000000, but there are some extended attributes (designated by the '+' sign), so I cloned sysvol to Users:
> >
> > # rmdir /redirectedFolders/Users/
> > # cp -rp /var/lib/samba/sysvol/ /redirectedFolders/
> > # cd /redirectedFolders/
> > # mv sysvol/ Users
> > # cd Users/
> > # rm -r hprs.locl/
> > # cd ..
> > # ls -l
> > drwxrwx---+ 2 root 3000000 4096 2023-12-17 00:13 Users/
> >
> > Voila! Same permission, complete with extended attributes.
>
> That's not the recommended way to add Extended ACL permissions to a users' share. You have copied the extended ACLs from the sysvol share to the users share and these will not be the correct permissions.
> For the Users share where the users' home folders, e.g. Documents etc., are redirected, the permissions required are as follows:
>
> File system permissions on the root of the users share:
> Principal:Access:Applies to
> ===================
> CREATOR OWNER:Full control:Subfolders and files only
> Domain Admins:Full control:This folder, subfolders and files
> Authenticated Users:Traverse Folder/Execute file, List folder/read data, Read Attributes, Create folders/append data:This folder only
> SYSTEM:Full Control:This folder, subfolders and files
>
> These should be set using the procedure described here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Hope that helps,
>
> Spindles7

Spindles7, Thanks. My cloning the permissions from sysvol was temporary ... just in case, and to verify I could open Users > Properties > Security. I did set the actual Security to what you have listed using notes from my previous DC setup. I didn't put those steps into my post; as I mentioned, the story wasn't finished with that message.

The wiki https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs talks about Shares generally, but doesn't specifically mention 'Redirected Folders'. Maybe that wiki is sufficient; I didn't examine it in detail.

One thing I'm wondering about: that wiki has instructions to "Enable Extended ACL Support on a Unix domain member" as follows:

"Ideally you have a system that supports NFS4 ACLs. The following example is for systems like Linux, where you don't have those kind of ACLs. To configure shares using extended access control lists (ACL) on a Unix domain member, you must enable the support in the smb.conf file. To enable extended ACL support globally, add the following settings to the [global] section of your smb.conf file:"

I do have a "system that supports NFS4 ACLs", so I suppose that means I don't have to add the listed settings to smb.conf? The instructions say, "To configure shares using ... (ACL) on a Unix domain member, you must enable the support in the smb.conf file." I'm assuming that "MUST" admonition applies only if you don't have a system that supports NFS4 ACLs (but could the Linux system even work at all without this support?).

Also, if one were to add these lines to smb.conf, would that be to the domain member, domain controller, both? My guess would be to the domain member only.

Thanks --Mark
Rowland Penny
2023-Dec-17 17:14 UTC
[Samba] Samba share not quite working on Domain Controller
On Sun, 17 Dec 2023 11:50:18 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:
> Spindles7, Thanks. My cloning the permissions from sysvol was temporary ... just in case, and to verify I could open Users > Properties > Security. I did set the actual Security to what you have listed using notes from my previous DC setup. I didn't put those steps into my post; as I mentioned, the story wasn't finished with that message.
>
> The wiki https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs talks about Shares generally, but doesn't specifically mention 'Redirected Folders'. Maybe that wiki is sufficient; I didn't examine it in detail.

Possibly because there is a separate page for Redirected Folders: https://wiki.samba.org/index.php/Configuring_Windows_Profile_Folder_Redirections

> One thing I'm wondering about: that wiki has instructions to "Enable Extended ACL Support on a Unix domain member" as follows:
>
> "Ideally you have a system that supports NFS4 ACLs. The following example is for systems like Linux, where you don't have those kind of ACLs. To configure shares using extended access control lists (ACL) on a Unix domain member, you must enable the support in the smb.conf file. To enable extended ACL support globally, add the following settings to the [global] section of your smb.conf file:"
>
> I do have a "system that supports NFS4 ACLs"

What filesystem is that? As far as I am aware, it is only freebsd and freebsd based distros that have NFS4 acls as standard.

> so I suppose that means I don't have to add the listed settings to smb.conf? The instructions say, "To configure shares using ... (ACL) on a Unix domain member, you must enable the support in the smb.conf file." I'm assuming that "MUST" admonition applies only if you don't have a system that supports NFS4 ACLs (but could the Linux system even work at all without this support?).

If you run Samba as a Unix domain member on Linux, then, unless someone can point out the filesystem with NFS4 ACLS, you need vfs_acl_xattr.

> Also, if one were to add these lines to smb.conf, would that be to the domain member, domain controller, both? My guess would be to the domain member only.

It is built into a DC, so only a Unix domain member.

Rowland
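As an added illustration (not from the thread, and not a verbatim copy of the wiki page): the extended-ACL settings the quoted wiki text refers to, placed in smb.conf on a Linux Unix domain member that serves the redirected Users folder. The parameter names are Samba's own; the path /redirectedFolders/Users is the one used in the thread, and per Rowland's reply none of the [global] lines are needed on a DC.

```ini
# smb.conf fragment for a Linux Unix DOMAIN MEMBER (not a DC):
# the acl_xattr VFS module stores the Windows ACL in an extended attribute
# so that the NTFS-style permissions set from Windows survive on Linux.
[global]
   vfs objects = acl_xattr
   map acl inherit = yes

# Share root for redirected folders; the NTFS ACLs listed earlier in the
# thread (CREATOR OWNER, Domain Admins, Authenticated Users, SYSTEM) are
# then applied from a Windows client, not by copying sysvol's ACL.
[Users]
   path = /redirectedFolders/Users
   read only = no
```

On a DC the ACL support is already built in, so only the [Users] share definition is needed there.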
Mark Foley
2023-Dec-18 02:18 UTC
[Samba] Samba share not quite working on Domain Controller
I believe I have successfully joined a Windows domain member, migrated a domain user, created the 'Redirected Folders' directory and Group Policy and restored the domain user's redirected folders. This is a wrap up for anyone needing the same in the future.

I used the ForensiT Transwiz program to migrate the domain user to the new DC and also join the Windows workstation to the domain. My only snag here was that I had to point the Windows DNS explicitly to the DC. Left to itself, it found the Internet facing router and tried to use that for the domain DNS. Didn't work.

Otherwise, that all worked except in my case I changed the AD domain name from mail.hprs.local to dc1.hprs.locl. Unfortunately, Transwiz does not modify Registry entries to rename references to mail.hprs.local and hprs.local to dc1.hprs.locl and hprs.locl, respectively. I started down the futile path of trying to find and modify registry entries using regedit. Don't do that; it's a waste of time, as there are likely hundreds of such registry entries. I downloaded and installed RegistryFinder, https://registry-finder.com, which can edit the Registry and has a find/replace function. That took seconds to run once installed.

The last thing I needed to do was to restore my backed-up User directory to /redirectedFolders/Users on the new DC. The UIDs/GIDs were different on the old DC, so I restored to a new user folder, did a chmod -R on all the restored files/directories, then cp -ar them all to the correct User directory.

Done! Everything showed up just fine on the user's Desktop, Favorites and 'My Documents'.

--Mark