?icro MEGAS
2014-Oct-21 17:39 UTC
[Samba] Samba4: Setting up share/security permissions for shares on member server
Hello,

I am running Samba 4.1.12/Sernet on Debian Wheezy 64bit and I am about to set up my member server. The DC was provisioned with rfc2307 and extended attributes. I have assigned the domain group called "Domain Users" the GID=10000. My member server was prepared with ACL+user_xattr and winbind support. My /etc/nsswitch.conf is using "winbind" for passwd+group, and "getent passwd" on the member server is returning the AD user accounts, which I assigned a UID to with the ADUC tool at the tab UNIX Attribute. I was told *NEVER EVER* to assign a UID through the "UNIX Attribute" tab in the ADUC tool for the "Administrator" user. Here begins the problem:

When the user "Administrator" doesn't have a UID assigned as UNIX Attribute, he will never be listed in "getent passwd" on my member server and thus will never be usable as a user on the member server. Here I am stuck: I wanted to configure the [home] and [profiles] shares on my member server according to the wiki (https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Setup_share_permissions). The wiki says I should grant "SeDiskOperatorPrivilege" to the "Domain Admins" group. I did execute that on the DC and also ensured on the DC with the command "net rpc rights list accounts -Uadministrator" that it was applied successfully. On the member server I created with "mkdir -p /srv/samba4_data/home" the path for the [home] share.

Then I log in to a Windows XP machine that is joined to my Samba4/AD domain with a user that is a member of the domain group "Domain Admins". I do it exactly as described in (https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Setup_share_permissions). Through "Computer Management" I connect to my member server and I see the [home] share. I can change and apply the settings as described on the Wiki. But as soon as I click the tab, everything is greyed out, I cannot change anything there.

In my understanding that is what I would expect, because there are no rights for "MYDOM\johndoe" on the path "membersrv1:/srv/samba4_data/home".

[root@membersrv1:/srv/samba4_data$ ls -ld home
drwxr-xr-x 2 root root 4096 Okt 21 19:11 home

[root@membersrv1:/srv/samba4_data$ getfacl home
# file: home
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

How should I be able to edit the security settings as explained on the wiki? What did I miss here? Any help appreciated.

Mirco
Rowland Penny
2014-Oct-21 17:59 UTC
[Samba] Samba4: Setting up share/security permissions for shares on member server
On 21/10/14 18:39, ?icro MEGAS wrote:
> Hello,
>
> I am running Samba 4.1.12/Sernet on Debian Wheezy 64bit and I am about to set up my member server. The DC was provisioned with rfc2307 and extended attributes. I have assigned the domain group called "Domain Users" the GID=10000. My member server was prepared with ACL+user_xattr and winbind support. My /etc/nsswitch.conf is using "winbind" for passwd+group, and "getent passwd" on the member server is returning the AD user accounts, which I assigned a UID to with the ADUC tool at the tab UNIX Attribute. I was told *NEVER EVER* to assign a UID through the "UNIX Attribute" tab in the ADUC tool for the "Administrator" user. Here begins the problem:
>
> When the user "Administrator" doesn't have a UID assigned as UNIX Attribute, he will never be listed in "getent passwd" on my member server and thus will never be usable as a user on the member server. Here I am stuck: I wanted to configure the [home] and [profiles] shares on my member server according to the wiki (https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Setup_share_permissions). The wiki says I should grant "SeDiskOperatorPrivilege" to the "Domain Admins" group. I did execute that on the DC and also ensured on the DC with the command "net rpc rights list accounts -Uadministrator" that it was applied successfully. On the member server I created with "mkdir -p /srv/samba4_data/home" the path for the [home] share.
>
> Then I log in to a Windows XP machine that is joined to my Samba4/AD domain with a user that is a member of the domain group "Domain Admins". I do it exactly as described in (https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Setup_share_permissions). Through "Computer Management" I connect to my member server and I see the [home] share. I can change and apply the settings as described on the Wiki. But as soon as I click the tab, everything is greyed out, I cannot change anything there.
>
> In my understanding that is what I would expect, because there are no rights for "MYDOM\johndoe" on the path "membersrv1:/srv/samba4_data/home".
>
> [root@membersrv1:/srv/samba4_data$ ls -ld home
> drwxr-xr-x 2 root root 4096 Okt 21 19:11 home
>
> [root@membersrv1:/srv/samba4_data$ getfacl home
> # file: home
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
>
> How should I be able to edit the security settings as explained on the wiki? What did I miss here? Any help appreciated.
>
> Mirco

OK, edit smb.conf on the member server, add this line:

username map = /etc/samba/smbmap

Now create the smbmap file:

nano /etc/samba/smbmap

!root = EXAMPLE\Administrator EXAMPLE\administrator Administrator administrator

Change 'EXAMPLE' for your workgroup name.

This will map the Windows Administrator to the Unix root user (which is what you want/need).

Restart the samba daemons and you should now find that everything will work better ;-)

Rowland
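The line Rowland gives above is a "username map" entry, and the leading "!" is what matters for security: it makes Samba stop processing once the Administrator name has been mapped to root, so a later wildcard line cannot remap it again. The following is an added example, not code from this thread or from Samba itself. It models the documented rules of the username map file (one "unixname = winname ..." per line, names compared case-insensitively, "@group" for Unix group members, "*" as a wildcard, "#" or ";" comments, "!" to stop after a match) so an administrator can check, offline, which Windows logons end up as root before the file goes live. The group lookup is a stand-in for NSS, the sample file is constructed around Rowland's line, and the rule that scanning continues with the mapped name after a non-"!" match is this example's reading of the man page (the wildcard case behaves the same either way).

```python
"""Model of the smb.conf 'username map' file format (added example, not Samba code).

Rules follow the smb.conf documentation for 'username map': each line is
'unixname = winname1 winname2 ...', Windows names match case-insensitively,
'@group' matches members of a Unix group, '*' matches anything, lines
starting with '#' or ';' are comments, and a leading '!' stops processing
once that line has produced a mapping.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample map. The first line is the one from Rowland's reply;
# the other two only exist to exercise the '@group' and wildcard rules.
SAMPLE_SMBMAP = r"""
# map the Windows domain Administrator onto the Unix root account
!root = EXAMPLE\Administrator EXAMPLE\administrator Administrator administrator
; members of the Unix group 'operators' run as the 'backup' account
!backup = @operators
nobody = *
"""

# Stand-in for NSS / getent group (assumption): Unix group -> member logons.
FAKE_GROUPS: Dict[str, List[str]] = {"operators": ["EXAMPLE\\jane"]}


def fake_group_members(group: str) -> List[str]:
    return FAKE_GROUPS.get(group, [])


@dataclass
class MapLine:
    unix_name: str
    win_names: List[str]
    stop: bool  # True when the line began with '!'


def parse_username_map(text: str) -> List[MapLine]:
    """Parse username-map text into ordered rules; reject malformed lines."""
    rules: List[MapLine] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        left, sep, right = line.partition("=")
        if not sep or not left.strip() or not right.split():
            raise ValueError(f"malformed username map line: {raw!r}")
        rules.append(MapLine(left.strip(), right.split(), stop))
    return rules


def _matches(pattern: str, name: str, group_members: Callable[[str], List[str]]) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        return name.lower() in (m.lower() for m in group_members(pattern[1:]))
    return pattern.lower() == name.lower()


def resolve(win_name: str, rules: List[MapLine],
            group_members: Callable[[str], List[str]] = fake_group_members) -> str:
    """Return the Unix name the rules yield for an incoming Windows logon name.

    Rules are applied top to bottom. A match on a '!' line ends processing;
    a match on any other line renames and keeps scanning, which is how a
    trailing wildcard can silently override an earlier mapping.
    """
    name = win_name
    for rule in rules:
        if any(_matches(p, name, group_members) for p in rule.win_names):
            name = rule.unix_name
            if rule.stop:
                break
    return name


def names_mapped_to(unix_name: str, rules: List[MapLine], candidates: List[str],
                    group_members: Callable[[str], List[str]] = fake_group_members) -> List[str]:
    """Audit helper: which candidate logons end up as unix_name (e.g. 'root')."""
    return [c for c in candidates if resolve(c, rules, group_members) == unix_name]


RULES = parse_username_map(SAMPLE_SMBMAP)

if __name__ == "__main__":
    logons = ["EXAMPLE\\Administrator", "administrator", "EXAMPLE\\jane", "EXAMPLE\\johndoe"]
    for logon in logons:
        print(f"{logon:24} -> {resolve(logon, RULES)}")
    print("mapped to root:", names_mapped_to("root", RULES, logons))
```

Running the audit against a proposed map before restarting smbd shows exactly which domain principals will arrive as the Unix superuser; the example also reproduces the pitfall that motivates the "!": with "root = Administrator" followed by "nobody = *" and no "!", the Administrator logon is first mapped to root and then caught by the wildcard.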
?icro MEGAS
2014-Oct-21 18:08 UTC
[Samba] Samba4: Setting up share/security permissions for shares on member server
> OK, edit smb.conf on the member server, add this line:
> username map = /etc/samba/smbmap
> Now create the smbmap file:
> nano /etc/samba/smbmap
>
> !root = EXAMPLE\Administrator EXAMPLE\administrator Administrator administrator
>
> Change 'EXAMPLE' for your workgroup name
>
> This will map the windows Administrator to the Unix root user (which is what you want/need)
>
> Restart samba daemons and you should now find that everything will work better ;-)
>
> Rowland

Hi Rowland and thanks for your feedback. That works now, but only if I am logged in at the Windows machine with the MYDOM\Administrator account. Thanks so far. Is there any way so that this is possible for "MYDOM\Domain Admins", too? Because I don't think we (=the domain admins) want to log out of our Windows machines and relogin using the default MYDOM\Administrator account when we need to modify/apply security settings on shares. And why isn't that documented on the wiki? *confused_looking*

Mirco
Peter Serbe
2014-Oct-21 23:14 UTC
[Samba] Samba4: Setting up share/security permissions for shares on member server
?icro MEGAS wrote on 21.10.2014 19:39:
> Then I login to a Windows XP machine that is joined to my Samba4/AD domain with
> a user that is member of the domain group "Domain Admins". I do it exactly as
> described in

You might be better off administering the domain from a Win7 box. IIRC there is an issue with the XP version of ADUC. I can't administer my own domain from XP, but it works from the Win7 box... And (at least here) it only works when I log in to Win7 as domain admin. Maybe you give it a try.

Best regards
Peter

PS: You should stop using XP...
PS2: Don't start using Win7 32 bit. It eats up these max. 3 GB RAM like it was nothing. :-(