Shane Robinson
2015-Feb-27 19:09 UTC
[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
Hello again List, Marc, and Louis!

I'm afraid my message from yesterday may have been TL;DR. The short version is as follows:

Following the wikis for AD member server (building from source on Debian Wheezy) and Setting up shares with Windows ACLs did not give the expected results.

First, I needed to link libnss_winbind.so to /usr/lib/x86_64-linux-gnu for winbind to work. Marc - may I add this to the wiki, or is there a reason not to that I'm unaware of?

Second, setting permissions on a share did not work until I mapped the domain administrator to root. This is mentioned in the Troubleshooting member server wiki page, but only in relation to granting the SeDiskOperatorPrivilege, which was not an issue for me.

Does this mapping have any ramifications that I (or others) should be aware of?

The other way to allow ACL changes from Windows (which I did on my now-defunct member file servers) was something like this:

    sudo chmod 0775 /srv/myshare
    sudo chgrp 'Domain Admins' /srv/myshare

... which as a result will give full access to the members of the group "MYDOM\Domain Admins".

Is one better than the other?

If you'd like any further information, I'd be happy to provide it.

Thank you very much for your help!

PS - I included Louis in the TO line because of your unanswered email of February 16th ("Samba_Member_Server_Troubleshooting").

Shane Robinson
Chief Administrative Officer
SimpeQ Care Inc.
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
Please consider the environment before printing this email.

-----Original Message-----
From: Shane Robinson [mailto:srobinson at simpeq.ca]
Sent: Thursday, February 26, 2015 11:17 AM
To: 'samba at lists.samba.org'
Subject: Wheezy member Server - Unable to edit permissions of share without usermapping - shall I add to Wiki?

Hello List!

I have a Samba AD domain with two virtualized DCs running 4.1.15 and 4.1.17. I have had two member file servers with odd permissions problems that I've now given up on, and decided to start fresh.

I have created a file server (FS3) with Debian Wheezy, built Samba 4.1.17 from source, with configure options of:

    --with-ads --with-shared-modules=idmap_ad

... and placed the attached smb.conf into /usr/local/samba/etc/. I successfully joined it to the domain, and set up the shared directories as defined in the aforementioned smb.conf.

I followed the AD Member Server setup wiki page, and getent passwd "INTERNAL\<domain user>" works, as does getent group and wbinfo. The SeDiskOperatorPrivilege was granted to the administrator without issue.

The file system is ext4, mounted with user_xattr,acl,barrier=1. I have tried to follow the wiki to the letter, with one exception: linking libnss_winbind.so to /usr/lib/x86_64-linux-gnu in addition to /lib64.

As the domain administrator, from a Win7 member, I was able to give Domain Admins full control in the "Share Permissions" tab (from Computer Management).

Upon trying to give Domain Admins full control to the share, I get an Access Denied error (as in the screenshot attached).

The log.smbd (level 8) of that interaction is also attached.

The "Setup and Configure file shares with Windows ACLs" wiki page has a troubleshooting section which mentions trying:

    setfacl -R -m default:group:domain\ admins:rwx /srv/sites

... so I did. The result of getfacl is now:

    shane at FS3:/usr/local/samba$ sudo getfacl /srv/sites
    getfacl: Removing leading '/' from absolute path names
    # file: srv/sites
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x
    default:user::rwx
    default:group::r-x
    default:group:domain\040admins:rwx
    default:mask::rwx
    default:other::r-x

... but the access denied error persists.

As a list subscriber for a few years, I recalled Louis van Belle publishing a samba4 wheezy member script. Within the smb.conf it defines, I find the username map option.

I added the username map option to the smb.conf of FS3, and created the mapping file with:

    !root = "INTERNAL\Administrator" "INTERNAL\administrator"

Upon trying this, I have success. (yay!)

SO: The script is now relegated to an "old_set_of_scripts" repository, so I'm not sure if this is still the Right Thing to do.

Are there ramifications to this mapping that need to be considered?

Is this a Debian-specific issue, like the libnss_winbind.so linking?

Are there any reasons that I should NOT add these steps to the wiki (I have a logon already, and I'm just itching to use it)?

Thank you in advance for any and all help you are able to provide!

Shane Robinson
Chief Administrative Officer
SimpeQ Care Inc.
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
Please consider the environment before printing this email.
Rowland Penny
2015-Feb-27 19:24 UTC
[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
On 27/02/15 19:09, Shane Robinson wrote:
> Hello again List, Marc, and Louis!
>
> I'm afraid my message from yesterday may have been TL;DR. The short version is as follows:
>
> Following the wikis for AD member server (building from source on Debian Wheezy) and Setting up shares with Windows ACLs did not give the expected results.
>
> First, I needed to link libnss_winbind.so to /usr/lib/x86_64-linux-gnu for winbind to work. Marc - may I add this to the wiki, or is there a reason not to that I'm unaware of?

I think this would be a good idea. The problem is the wiki is a bit RH centric, so go ahead and add something about setting the link for Debian, but follow the format that is already there; don't worry if it isn't quite right, Marc will change it.

> Second, setting permissions on a share did not work until I mapped the domain administrator to root. This is mentioned in the Troubleshooting member server wiki page, but only in relation to granting the SeDiskOperatorPrivilege, which was not an issue for me.
>
> Does this mapping have any ramifications that I (or others) should be aware of?

No, but I don't think it has to be done this way; I am beginning to think there are other ways of doing this.

Rowland

> The other way to allow ACL changes from Windows (which I did on my now-defunct member file servers) was something like this:
>
>     sudo chmod 0775 /srv/myshare
>     sudo chgrp 'Domain Admins' /srv/myshare
>
> ... which as a result will give full access to the members of the group "MYDOM\Domain Admins".
>
> Is one better than the other?
>
> [...]
Shane Robinson
2015-Feb-27 19:46 UTC
[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
Hello all,

Sorry about the top-posting. I have added the bit about the linking (YAY!, I'm helping!). Now if we can clear up the ACL issue, this will be a great day!

Summary: To edit ACLs from Windows on a Debian member server, we need to either
1) map the domain admin to root, OR
2) give explicit permissions to Domain Admins with a chmod 0755 and chgrp "MYDOM\Domain Admins"

Which is better and why?

Thanks everyone!

Shane

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, February 27, 2015 11:25 AM
To: samba at lists.samba.org
Subject: *****SPAM***** Re: [Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?

On 27/02/15 19:09, Shane Robinson wrote:
> [...]
>
> First, I needed to link libnss_winbind.so to /usr/lib/x86_64-linux-gnu for winbind to work. Marc - may I add this to the wiki, or is there a reason not to that I'm unaware of?

I think this would be a good idea. The problem is the wiki is a bit RH centric, so go ahead and add something about setting the link for Debian, but follow the format that is already there; don't worry if it isn't quite right, Marc will change it.

> Second, setting permissions on a share did not work until I mapped the domain administrator to root. This is mentioned in the Troubleshooting member server wiki page, but only in relation to granting the SeDiskOperatorPrivilege, which was not an issue for me.
>
> Does this mapping have any ramifications that I (or others) should be aware of?

No, but I don't think it has to be done this way; I am beginning to think there are other ways of doing this.

Rowland

> [...]

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
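Added example, not code from the thread, from Samba or from the wiki pages it cites: a small POSIX shell audit script for the two approaches Shane is weighing (the "username map" entry that turns the domain Administrator into root, and the group-owned share directory), plus a check for the default POSIX ACL entry the troubleshooting page suggested. The function names, the temporary demo inputs and the "user.map" file name are this script's own assumptions; the mapping line, the chmod 0775 + chgrp recipe and the getfacl output it parses are the ones quoted in the thread. The security point it makes concrete is that every account printed by the first function runs as uid 0 in its smbd session, which is the ramification Shane asked about, whereas the group-ownership route only grants what the directory mode and ACLs allow.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: audit helpers for the
# three settings compared above (username map to root, group-owned share
# directory, default POSIX ACL for the group).  Paths are parameters so the
# functions can run against the real files or against copies; the function
# names and the demo inputs are this script's own assumptions.

# 1) Who becomes root?  Print the Windows accounts that a Samba "username
#    map" file maps onto the local root user.  Assumes the quoted form shown
#    in the thread:   !root = "INTERNAL\Administrator" "INTERNAL\administrator"
#    Every account printed here runs as uid 0 inside its smbd session, so this
#    is the list to review before adopting the mapping approach.
usernamemap_root_accounts() {
    map_file=$1
    # keep the right-hand side of lines whose unix user is root (with or
    # without the leading "!"), then split the quoted names one per line
    sed -n 's/^[[:space:]]*!\{0,1\}root[[:space:]]*=[[:space:]]*//p' "$map_file" \
        | tr '"' '\n' \
        | sed '/^[[:space:]]*$/d'
}

# 2) Is the share directory set up for the group-ownership approach?  Succeeds
#    when the directory is owned by the given group (name or numeric gid) and
#    the group has rwx, i.e. the chmod 0775 + chgrp "Domain Admins" recipe
#    from the thread.  Uses GNU stat, as on Debian.
share_group_managed() {
    share_dir=$1
    want_group=$2
    have_name=$(stat -c '%G' "$share_dir") || return 1
    have_gid=$(stat -c '%g' "$share_dir")
    mode=$(stat -c '%a' "$share_dir")
    # group names coming from winbind are compared case-insensitively
    have_lc=$(printf '%s' "$have_name" | tr '[:upper:]' '[:lower:]')
    want_lc=$(printf '%s' "$want_group" | tr '[:upper:]' '[:lower:]')
    [ "$have_lc" = "$want_lc" ] || [ "$have_gid" = "$want_group" ] || return 1
    # octal mode from stat (e.g. 775 or 2775): the group digit must be 7
    group_bits=$(( (0$mode / 8) % 8 ))
    [ "$group_bits" -eq 7 ]
}

# 3) Did setfacl add a default ACL entry for the group?  Checks saved getfacl
#    output for "default:group:<name>:rwx".  getfacl writes a space in a name
#    as \040 (the thread shows "domain\040admins"), so the name is encoded the
#    same way before the fixed-string comparison.
acl_default_group_rwx() {
    getfacl_output=$1
    group=$2
    encoded=$(printf '%s' "$group" | sed 's/ /\\040/g')
    grep -qxF "default:group:${encoded}:rwx" "$getfacl_output"
}

# Walk-through on constructed inputs (a temporary directory, not real shares).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '!root = "INTERNAL\Administrator" "INTERNAL\administrator"' > "$tmp/user.map"
    echo "Accounts that user.map turns into root:"
    usernamemap_root_accounts "$tmp/user.map"
    mkdir "$tmp/sites" && chmod 0775 "$tmp/sites"
    if share_group_managed "$tmp/sites" "$(id -gn)"; then
        echo "$tmp/sites is group-managed by $(id -gn)"
    fi
    rm -rf "$tmp"
}

# run as:  sh audit_share.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the first function against the real mapping file to see exactly which domain accounts gain root on the member server; if the list is anything more than the one administrative account you intended, that is the ramification to weigh against the chgrp route, which leaves those accounts as ordinary domain users bounded by the directory mode and ACLs.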