Shane Robinson
2015-Mar-04 18:31 UTC
[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
Hello again Rowland, list!

Sorry for the delayed response, and top posting.

To recap:
I'd like to complete the member server wiki so that ACLs can be set from windows without taking undocumented steps.

The three ways I've found to do this are:

1) map root to administrator. (LPH VanBelle's script uses this option.)
2) chmod 0775 then chgrp "<DOMAIN>\Domain Admins" /srv/share
3) chown -R "<DOMAIN>\Administrator" /srv/share

I'm leaning towards 2, but would like a better idea of pros and cons so I may complete the wiki.

Rowland: From your last response, I was searching for how the ID_TYPE_BOTH relates to the above, and found a recent thread between yourself and Andrew (Samba4,idmap.ldb & ID_TYPE_BOTH), last posted to on Feb 24. The differences you point out W.R.T. sysvol appear to relate more to that thread.

If those differences are important to my current issue, I apologize for being obtuse, but would you mind explaining?

Otherwise, List, please let me know which of the above options you prefer and why. I will then document them to the best of my knowledge on the wiki.

Thank you kindly,

Shane Robinson
Chief Administrative Officer
SimpeQ Care Inc.
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
Please consider the environment before printing this email.

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, February 27, 2015 1:36 PM
To: samba at lists.samba.org
Subject: *****SPAM***** Re: [Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?

On 27/02/15 21:00, Shane Robinson wrote:
> Hi Rowland,
>
> I'm also not an expert, but with the amount of help you provide on the list, I will defer to you.
>
> I'd love to know your rationale for preferring the "change ownership to administrator" approach over the "change group to Domain Admins" approach. If it's just gut, that's fine too!
>
> Thanks!
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: Friday, February 27, 2015 12:44 PM
> To: samba at lists.samba.org
> Subject: *****SPAM***** Re: [Samba] *****SPAM***** Re: Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
>
> On 27/02/15 20:07, Shane Robinson wrote:
>> Hi Rowland,
>>
>> Chown to Administrator seems less flexible than Chgrp to Domain Admins on the face of it. You could add/remove users from the Domain Admins group, which allows/denies them the ability to change the permissions on the share. By changing the owner to Administrator, only those credentials would have that ability, no?
>>
>> What advantages do you predict with the change owner approach? What disadvantages do you see to the change group approach?
>>
>> Thank you!
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>> Sent: Friday, February 27, 2015 11:51 AM
>> To: samba at lists.samba.org
>> Subject: *****SPAM***** Re: [Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
>>
>> On 27/02/15 19:46, Shane Robinson wrote:
>>> Hello all,
>>>
>>> Sorry about the top-posting.
>>>
>>> I have added the bit about the linking (YAY!, I'm helping!).
>>>
>>> Now if we can clear up the ACL issue, this will be a great day!
>>>
>>> Summary: To edit ACLs from Windows on a Debian Member server, we need to either
>>> 1) map the domain admin to root OR
>>> 2) give explicit permissions to Domain Admins with a chmod 0755 and chgrp "MYDOM\Domain Admins"
>>>
>>> Which is better and why?
>>>
>>> Thanks everyone!
>>>
>>> Shane
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>> Sent: Friday, February 27, 2015 11:25 AM
>>> To: samba at lists.samba.org
>>> Subject: *****SPAM***** Re: [Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
>>>
>>> On 27/02/15 19:09, Shane Robinson wrote:
>>>> Hello again List, Marc, and Louis!
>>>>
>>>> I'm afraid my message from yesterday may have been TL;DR. The short version is as follows:
>>>>
>>>> Following the wikis for AD member server (building from source on Debian Wheezy) and Setting up shares with Windows acls did not give the expected results.
>>>>
>>>> First, I needed to link libnss_winbind.so to /usr/lib/x86_64-linux-gnu for winbind to work. Marc - may I add this to the wiki, or is there a reason not to that I'm unaware of?
>>>
>>> I think this would be a good idea, the problem is the wiki is a bit RH centric, so go ahead and add something about setting the link for debian, but follow the format that is already there, don't worry if it isn't quite right, Marc will change it.
>>>
>>>> Second, setting permissions on a share did not work until I mapped the domain administrator to root. This is mentioned in the Troubleshooting member server wiki page, but only in relation to granting the SeDiskOperatorPrivilege, which was not an issue for me.
>>>>
>>>> Does this mapping have any ramifications that I (or others) should be aware of?
>>>
>>> No, but I don't think it has to be done this way, I am beginning to think there are other ways of doing this.
>>>
>>> Rowland
>>>
>>>> The other way to allow ACL changes from windows (which I did on my now-defunct member File Servers) was something like this:
>>>> "sudo chmod 0775 /srv/myshare" and
>>>> "sudo chgrp 'Domain Admins' /srv/myshare"
>>>> .. which as a result will give full access to the members of the group "MYDOM\Domain Admins"
>>>>
>>>> Is one better than the other?
>>>>
>>>> If you'd like any further information, I'd be happy to provide it.
>>>>
>>>> Thank you very much for your help!
>>>>
>>>> PS - I included Louis in the TO line because of your unanswered email of February 16th ("Samba_Member_Server_Troubleshooting").
>>>>
>>>> Shane Robinson
>>>>
>>>> -----Original Message-----
>>>> From: Shane Robinson [mailto:srobinson at simpeq.ca]
>>>> Sent: Thursday, February 26, 2015 11:17 AM
>>>> To: 'samba at lists.samba.org'
>>>> Subject: Wheezy member Server - Unable to edit permissions of share without usermapping - shall I add to Wiki?
>>>>
>>>> Hello List!
>>>>
>>>> I have a Samba AD domain with two virtualized DCs running 4.1.15 and 4.1.17. I have had two member file servers with odd permissions problems that I've now given up on, and decided to start fresh.
>>>>
>>>> I have created a File server (FS3) with Debian wheezy, built samba 4.1.17 from source, with configure options of:
>>>> --with-ads --with-shared-modules=idmap_ad
>>>>
>>>> ... and placed the attached smb.conf into /usr/local/samba/etc/ . I successfully joined it to the domain, and set up the shared directories as defined in the aforementioned smb.conf.
>>>>
>>>> I followed the AD Member Server setup wiki page, and getent passwd "INTERNAL\<domain user>" works, as does getent group and wbinfo. The SeDiskOperatorPrivilege was granted to the administrator without issue.
>>>>
>>>> The file system is ext4, mounted with user_xattr,acl,barrier=1. I have tried to follow the wiki to the letter, with one exception, linking libnss_winbind.so to /usr/lib/x86_64-linux-gnu in addition to /lib64.
>>>>
>>>> As the domain administrator, from a Win7 member, I was able to give Domain Admins full control in the "Share Permissions" tab (from Computer Management).
>>>>
>>>> Upon trying to give Domain Admins full control to the share, I get an Access Denied error (as in the screenshot attached).
>>>>
>>>> The log.smbd (level 8) of that interaction is also attached.
>>>>
>>>> The "Setup and Configure file shares with Windows ACLs" wiki page has a troubleshooting section which mentions trying:
>>>>
>>>> setfacl -R -m default:group:domain\ admins:rwx /srv/sites
>>>>
>>>> ... so I did. The result of getfacl is now:
>>>>
>>>> shane at FS3:/usr/local/samba$ sudo getfacl /srv/sites
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: srv/sites
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> group::r-x
>>>> other::r-x
>>>> default:user::rwx
>>>> default:group::r-x
>>>> default:group:domain\040admins:rwx
>>>> default:mask::rwx
>>>> default:other::r-x
>>>>
>>>> ... but the access denied error persists.
>>>>
>>>> As a list subscriber for a few years, I recalled Louis van Belle publishing a samba4 wheezy member script. Within the smb.conf it defines, I find the username map option.
>>>>
>>>> I added the username map option to the smb.conf of FS3, and created the mapping file with:
>>>>
>>>> !root = "INTERNAL\Administrator" "INTERNAL\administrator"
>>>>
>>>> Upon trying this, I have success. (yay!)
>>>>
>>>> SO: The script is now relegated to an "old_set_of_scripts" repository, so I'm not sure if this is still the Right Thing to do.
>>>>
>>>> Are there ramifications to this mapping that need to be considered?
>>>>
>>>> Is this a debian-specific issue, like the libnss_winbind.so linking?
>>>>
>>>> Are there any reasons that I should NOT add these steps to the wiki (I have a logon already, and I'm just itching to use it)?
>>>>
>>>> Thank you in advance for any and all help you are able to provide!
>>>>
>>>> Shane Robinson
>>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>>
>> there is a third way, the one I am coming round to thinking is the best way, give Administrator a proper uidNumber and change ownership to Administrator not root.
>>
>> Rowland
>>
> The thing is (and I am no expert here by any means), I don't think that windows gives a flying fig just who owns anything as long as the ACL contains an ACE giving who or whatever the correct access rights, so by making a directory owned by Administrator (with a uidNumber that isn't 0), he could then set the correct ACLs from windows.
>
> Rowland
>
If you look inside idmap.ldb you will find 'ID_TYPE_BOTH', I am reliably informed that is there because a windows group has to own files in sysvol. From my investigations, the group appears to be Administrators and the file is actually the 'Policies' directory and what is in it.

From my further investigations, it appears it doesn't matter who owns 'Policies', 'Administrator' or 'Administrators', and if 'Administrators' doesn't need to own anything, then 'ID_TYPE_BOTH' doesn't need to exist and the ACLs on sysvol go from this:

getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:r-x
user:3000003:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:r-x
group:3000003:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:r-x
default:user:3000003:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:r-x
default:group:3000003:rwx
default:mask::rwx
default:other::---

To this:

getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: HOME\134Administrator
# group: 3000000
user::rwx
user:3000002:rwx
user:HOME\134Administrator:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:HOME\134Administrator:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000003:r-x
default:mask::rwx
default:other::---

That answer your question?

Rowland
Rowland Penny
2015-Mar-04 18:59 UTC
[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
On 04/03/15 18:31, Shane Robinson wrote:
> Hello again Rowland, list!
>
> Sorry for the delayed response, and top posting.
>
> To recap:
> I'd like to complete the member server wiki so that ACLs can be set from windows without taking undocumented steps.
>
> The three ways I've found to do this are:
>
> 1) map root to administrator. (LPH VanBelle's script uses this option.)

This is the way that I have been using for some time, it works, but is it the best way?
You are making the windows Administrator have exactly the same powers that 'root' has, do you want/need to do this?

> 2) chmod 0775 then chgrp "<DOMAIN>\Domain Admins" /srv/share

This is a better way, you are only giving members of Domain Admins the rights to the directory and remember that Administrator is a member of Domain Admins.

> 3) chown -R "<DOMAIN>\Administrator" /srv/share

This would mean that you would have to give Administrator a different ID other than '0'.

I am now leaning towards a mixture of 2 & 3

> I'm leaning towards 2, but would like a better idea of pros and cons so I may complete the wiki.
>
> Rowland: From your last response, I was searching for how the ID_TYPE_BOTH relates to the above, and found a recent thread between yourself and Andrew (Samba4,idmap.ldb & ID_TYPE_BOTH), last posted to on Feb 24. The differences you point out W.R.T. sysvol appear to relate more to that thread.

You are correct that the thread was all about sysvol, but you seem to be missing the point. If there wasn't 'ID_TYPE_BOTH' then getfacl would work better, a windows group would show up as only a group, not as it is now, showing as a group and a user!
The same goes for windows users.

Rowland
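A small audit script, added here as an example and not something posted in the thread or shipped with Samba: it takes getfacl output like the sysvol listing quoted earlier and reports ACL entries whose qualifier is a raw xid rather than a name that NSS/winbind could resolve, and lists the xids that appear as both a user: and a group: entry, which is the ID_TYPE_BOTH effect Rowland describes. It assumes POSIX sh with awk, sed and wc; the sample listing is a constructed excerpt of that sysvol output.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): audit getfacl output for
# entries whose qualifier is an unresolved numeric xid (e.g. 3000000 allocated
# from idmap.ldb) and for xids that show up as BOTH a user: and a group: entry,
# which is what ID_TYPE_BOTH produces. On a real server feed it live output:
#   audit_acl "$(getfacl -p /srv/share)"

# Constructed sample: an excerpt of the sysvol listing quoted in the thread.
SAMPLE_ACL='# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
mask::rwx
other::---
default:user::rwx
default:group:3000000:rwx'

# Print "kind xid perms" for every named entry (access or default) whose
# qualifier is all digits, i.e. a SID that could not be turned into a name.
unresolved_entries() {
  printf '%s\n' "$1" | awk -F: '
    /^(default:)?(user|group):[0-9]+:/ {
      d = ($1 == "default") ? 1 : 0
      print $(1 + d), $(2 + d), $(3 + d)
    }'
}

# Print, sorted, every xid that occurs as both a user: and a group: entry.
both_type_ids() {
  unresolved_entries "$1" | awk '
    { kinds[$2] = kinds[$2] " " $1 }
    END { for (id in kinds) if (kinds[id] ~ /user/ && kinds[id] ~ /group/) print id }' | sort
}

# Summarise and return 0 when every entry resolves to a name, 1 otherwise.
audit_acl() {
  n=$(unresolved_entries "$1" | wc -l | tr -d ' ')
  if [ "$n" -eq 0 ]; then
    echo "ok: every ACL entry resolves to a name"
    return 0
  fi
  echo "warning: $n ACL entries carry unresolved xids"
  unresolved_entries "$1" | sed 's/^/  /'
  echo "xids present as both user and group (ID_TYPE_BOTH):"
  both_type_ids "$1" | sed 's/^/  /'
  return 1
}

# Stand-alone run against the constructed sample (non-zero status is expected).
audit_acl "$SAMPLE_ACL" || :
```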
Davor Vusir
2015-Mar-04 19:25 UTC
[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
2015-03-04 19:59 GMT+01:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 04/03/15 18:31, Shane Robinson wrote:
>> Hello again Rowland, list!
>>
>> Sorry for the delayed response, and top posting.
>>
>> To recap:
>> I'd like to complete the member server wiki so that ACLs can be set from windows without taking undocumented steps.
>>
>> The three ways I've found to do this are:
>>
>> 1) map root to administrator. (LPH VanBelle's script uses this option.)
>
> This is the way that I have been using for some time, it works, but is it the best way?
> You are making the windows Administrator have exactly the same powers that 'root' has, do you want/need to do this?
>
>> 2) chmod 0775 then chgrp "<DOMAIN>\Domain Admins" /srv/share
>
> This is a better way, you are only giving members of Domain Admins the rights to the directory and remember that Administrator is a member of Domain Admins.
>
>> 3) chown -R "<DOMAIN>\Administrator" /srv/share
>
> This would mean that you would have to give Administrator a different ID other than '0'.
>
> I am now leaning towards a mixture of 2 & 3
>

If I remember correctly it doesn't matter what combinations you 'chmod' to. It changes to 755 as soon as you change ACLs from Windows.

I suggest you add uid- and gidnumber to all users and groups and chown to a user:group (or perhaps group:group if possible). For example chown FileShareAdmin:FileShareAdminGroup and let the user account which operates the file share be a member of group FileShareAdminGroup. With this approach you get some degree of security if you also allow users to logon to the server with ssh for example. And of course home directories.

Choice 3 and uid-/gidNumber assigned.

Regards
Davor
Shane Robinson
2015-Mar-04 21:12 UTC
[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
Hello Rowland,

Oh dear! I do feel rather silly. :/

Thanks so much for your patience!

I think I'll clarify the wiki (which does mention this, but only mentions the local administrator). When I read it, it mentions that there will be mapping for non-domain accounts in TDB. I (quite wrongly) assumed that my domain administrator was not included in this, and, therefore, would need a UIDnumber to be able to do anything.

I will review idmap.ldb and try to list on the wiki which commonly-used accounts/groups do not need UIDnumbers/gidnumbers. If I'm off-base (yet again) please let me know.

Thanks!

Shane Robinson

-----Original Message-----
From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Sent: Wednesday, March 04, 2015 12:53 PM
To: Shane Robinson
Subject: *****SPAM***** Re: [Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?

On 04/03/15 20:32, Shane Robinson wrote:
> Hi Rowland,
>
> Thanks for getting back to me!
>
> So, if you, and others are mapping root to Administrator, shall I add that to the wiki?
>
> Upon reading your response, could my problem have always been that I immediately gave the Administrator account a UIDnumber? Is the Administrator's UIDnumber automagically set to '0'? (I'm going to feel awfully silly if that's a yes)

ER, start feeling silly :-)
If you examine idmap.ldb on the samba4 DC, you will find that Administrator is indeed mapped to '0'

> I think I agree that ID_TYPE_BOTH may simply confuse matters, but it is present currently, so, given that, why would chown administrator be preferred over chgrp Domain Admins or vice versa? In my testing, both seem to allow the changing of acls from windows.

At the moment, with 'ID_TYPE_BOTH' and if you do not give Domain Admins a gidNumber, it doesn't make any difference. To change the ACLs from windows the user must be known to Unix and if you are changing the group, this must be known as well (I am probably telling you what you already know). So the user and group must be either mapped or they must have a uidNumber or gidNumber, so it probably doesn't really matter which way you do it, just so long as you can set the ACLs from windows.

Rowland

> Thanks!
>
> Shane Robinson