Hi Rowland, I had to split smbd and winbindd config to work around some bugs in credentials offline caching. I have a separate winbindd.conf, it looks like this: [global] ### Network ### netbios name = Fileserver server string = Fileserver (%h V:%v) ### ad member ### workgroup = INTRANET realm = INTRANET.MYCOMPANY.DE security = ADS kerberos method = secrets and keytab ### WINS ### wins server = 192.168.0.197 name resolve order = wins host bcast ### winbind config ### winbind offline logon = yes winbind cache time = 600 winbind enum users = yes winbind enum groups = yes winbind expand groups = 1 winbind nested groups = yes winbind use default domain = yes winbind refresh tickets = yes winbind nss info = rfc2307 idmap config * : backend = tdb idmap config * : range = 1000000 - 1999999 idmap config INTRANET : backend = ad idmap config INTRANET : schema_mode = rfc2307 idmap config INTRANET : range = 5000 - 40000 ### offline mode is not working without those ### winbind normalize names = no map untrusted to domain = no ### performance ### socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE Greetings, Felix -----Ursprüngliche Nachricht----- Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland Penny Gesendet: Dienstag, 4. August 2015 15:17 An: samba at lists.samba.org Betreff: Re: [Samba] Cannot change directory permissions On 04/08/15 14:11, Felix Matouschek wrote:> Hi Rowland, > > my users are known to the OSThe smb.conf you posted earlier would seem to suggest that they aren't, what does 'getent passwd <username>' produce ? Rowland> , they also have the correct permissions to alter the settings. > Doing so on the CLI does work when logged in via SSH. > > When opening the Security Tab the users and groups are displayed, only on directories there are no checkmarks under Read, Write etc. > I also cannot set any checkmarks for Read, Write etc. > > When viewing the Security Tab of a file everything works and I can see and set the checkmarks. > > Do you know what could be wrong? > > Greetings, > Felix > > -----Ursprüngliche Nachricht----- > Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von > Rowland Penny > Gesendet: Dienstag, 4. August 2015 12:55 > An: samba at lists.samba.org > Betreff: Re: [Samba] Cannot change directory permissions > > On 04/08/15 11:46, Felix Matouschek wrote: >> Hi Rowland, >> >> when saying 'I' I theoretically meant any user that has write access to the share. >> >> It should be possible to right click the directory in windows, the go to security tab and remove the write permissions on the directory. >> >> This behaviour already works with files, I'm trying to figure out how to make it also work for directories. >> >> Greetings, >> Felix >> >> -----Ursprüngliche Nachricht----- >> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von >> Rowland Penny >> Gesendet: Dienstag, 4. August 2015 11:57 >> An: samba at lists.samba.org >> Betreff: Re: [Samba] Cannot change directory permissions >> >> On 04/08/15 10:07, Felix Matouschek wrote: >>> Hello, >>> >>> I occasionally need to remove the write permissions from directories inside a share to prevent users from accidentally deleting files inside that directory. >>> >>> My problem is that I neither can view nor can change the permissions of directories on my shares. >>> Curiously enough viewing and changing permissions of files in the same shares works without a problem. >>> >>> Is there anything I misconfigured? >>> >>> My smb.conf looks like this: >>> >>> [global] >>> ### Network ### >>> netbios name = Fileserver >>> server string = Fileserver (%h V:%v) >>> >>> ### ad member ### >>> workgroup = INTRANET >>> realm = INTRANET.MYCOMPANY.DE >>> security = ADS >>> kerberos method = secrets and keytab >>> >>> ### WINS ### >>> wins server = 192.168.0.197 >>> name resolve order = wins host bcast >>> >>> ### logins without prepending INTRANET\ ### >>> map untrusted to domain = yes >>> >>> ### other settings ### >>> unix extensions = no >>> invalid users = root >>> >>> ### make exe files executable on windows without x bit ### >>> acl allow execute always = yes >>> >>> ### performance ### >>> deadtime = 10 >>> use sendfile = yes >>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE >>> >>> ### prevent unwanted files ### >>> veto files = /$RECYCLE.BIN/desktop.ini/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/._.apdisk/.TemporaryItems/._.TemporaryItems/.Trashes/._.Trashes >>> delete veto files = yes >>> >>> ### SHARES ### >>> >>> [Exchange] >>> path = /home/nobackup/exchange >>> guest ok = yes >>> read only = no >>> create mask = 660 >>> directory mask = 770 >>> force group = exchange-users >>> >>> Greetings, >>> Felix >> Hi, when you say ' I occasionally need to remove the write permissions', whom is the 'I', is this the Administrator ? >> >> Rowland >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > I am fairly sure your problem is a misconfiguration of smb.conf, for a start have a look here: > > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server > > To change directory settings, your users and groups need to be known to the underlying Unix OS and have the required permissions to alter the settings. > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 04/08/15 15:29, Felix Matouschek wrote:> Hi Rowland, > > I had to split smbd and winbindd config to work around some bugs in credentials offline caching. > I have a separate winbindd.conf, it looks like this: > > [global] > ### Network ### > netbios name = Fileserver > server string = Fileserver (%h V:%v) > > ### ad member ### > workgroup = INTRANET > realm = INTRANET.MYCOMPANY.DE > security = ADS > kerberos method = secrets and keytab > > ### WINS ### > wins server = 192.168.0.197 > name resolve order = wins host bcast > > ### winbind config ### > winbind offline logon = yes > winbind cache time = 600 > winbind enum users = yes > winbind enum groups = yes > winbind expand groups = 1 > winbind nested groups = yes > winbind use default domain = yes > winbind refresh tickets = yes > winbind nss info = rfc2307 > idmap config * : backend = tdb > idmap config * : range = 1000000 - 1999999 > idmap config INTRANET : backend = ad > idmap config INTRANET : schema_mode = rfc2307 > idmap config INTRANET : range = 5000 - 40000 > > ### offline mode is not working without those ### > winbind normalize names = no > map untrusted to domain = no > > ### performance ### > socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE > > Greetings, > Felix > > -----Ursprüngliche Nachricht----- > Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland Penny > Gesendet: Dienstag, 4. August 2015 15:17 > An: samba at lists.samba.org > Betreff: Re: [Samba] Cannot change directory permissions > > On 04/08/15 14:11, Felix Matouschek wrote: >> Hi Rowland, >> >> my users are known to the OS > The smb.conf you posted earlier would seem to suggest that they aren't, what does 'getent passwd <username>' produce ? > > Rowland > >> , they also have the correct permissions to alter the settings. >> Doing so on the CLI does work when logged in via SSH. >> >> When opening the Security Tab the users and groups are displayed, only on directories there are no checkmarks under Read, Write etc. >> I also cannot set any checkmarks for Read, Write etc. >> >> When viewing the Security Tab of a file everything works and I can see and set the checkmarks. >> >> Do you know what could be wrong? >> >> Greetings, >> Felix >> >> -----Ursprüngliche Nachricht----- >> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von >> Rowland Penny >> Gesendet: Dienstag, 4. August 2015 12:55 >> An: samba at lists.samba.org >> Betreff: Re: [Samba] Cannot change directory permissions >> >> On 04/08/15 11:46, Felix Matouschek wrote: >>> Hi Rowland, >>> >>> when saying 'I' I theoretically meant any user that has write access to the share. >>> >>> It should be possible to right click the directory in windows, the go to security tab and remove the write permissions on the directory. >>> >>> This behaviour already works with files, I'm trying to figure out how to make it also work for directories. >>> >>> Greetings, >>> Felix >>> >>> -----Ursprüngliche Nachricht----- >>> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von >>> Rowland Penny >>> Gesendet: Dienstag, 4. August 2015 11:57 >>> An: samba at lists.samba.org >>> Betreff: Re: [Samba] Cannot change directory permissions >>> >>> On 04/08/15 10:07, Felix Matouschek wrote: >>>> Hello, >>>> >>>> I occasionally need to remove the write permissions from directories inside a share to prevent users from accidentally deleting files inside that directory. >>>> >>>> My problem is that I neither can view nor can change the permissions of directories on my shares. >>>> Curiously enough viewing and changing permissions of files in the same shares works without a problem. >>>> >>>> Is there anything I misconfigured? >>>> >>>> My smb.conf looks like this: >>>> >>>> [global] >>>> ### Network ### >>>> netbios name = Fileserver >>>> server string = Fileserver (%h V:%v) >>>> >>>> ### ad member ### >>>> workgroup = INTRANET >>>> realm = INTRANET.MYCOMPANY.DE >>>> security = ADS >>>> kerberos method = secrets and keytab >>>> >>>> ### WINS ### >>>> wins server = 192.168.0.197 >>>> name resolve order = wins host bcast >>>> >>>> ### logins without prepending INTRANET\ ### >>>> map untrusted to domain = yes >>>> >>>> ### other settings ### >>>> unix extensions = no >>>> invalid users = root >>>> >>>> ### make exe files executable on windows without x bit ### >>>> acl allow execute always = yes >>>> >>>> ### performance ### >>>> deadtime = 10 >>>> use sendfile = yes >>>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE >>>> >>>> ### prevent unwanted files ### >>>> veto files = /$RECYCLE.BIN/desktop.ini/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/._.apdisk/.TemporaryItems/._.TemporaryItems/.Trashes/._.Trashes >>>> delete veto files = yes >>>> >>>> ### SHARES ### >>>> >>>> [Exchange] >>>> path = /home/nobackup/exchange >>>> guest ok = yes >>>> read only = no >>>> create mask = 660 >>>> directory mask = 770 >>>> force group = exchange-users >>>> >>>> Greetings, >>>> Felix >>> Hi, when you say ' I occasionally need to remove the write permissions', whom is the 'I', is this the Administrator ? >>> >>> Rowland >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >> I am fairly sure your problem is a misconfiguration of smb.conf, for a start have a look here: >> >> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server >> >> To change directory settings, your users and groups need to be known to the underlying Unix OS and have the required permissions to alter the settings. >> >> Rowland >> >>I am now officially lost, are you telling me that you have a smb.conf and a winbindd.conf ? If you have a winbindd.conf, how are you telling winbindd to load it ? Also I don't use the winbind offline logon feature, but I thought you have to have 'cached_login = yes' in the file: /etc/security/pam_winbind.conf. Does 'getent passwd' display all your AD domains ? Rowland Rowland
Hi Rowland, yes I do have two separate config files for smbd/nmbd and winbindd. You can tell winbindd to load a separate config file via the "-s" command line switch. Therefore I set "WINBINDD_EXTRA_OPTS" in "/etc/default/sernet-samba" to "-s /etc/samba/winbindd.conf". The "cached_login" option for pam is also set and working. The problem was the parameter "map untrusted to domain" in smb.conf. We need this parameter for smbd so that users with non-domain computers are able to enter just their username instead of INTRANET\username. However settting this parameter to yes prevents winbindd from correctly enabling the offline logons. (Maybe a bug?) Hence I set "map untrusted to domain" in smb.conf to yes and in winbindd.conf to no. All other settings that are used by both daemons are equal. "getent passwd" and "getent group" work, I see all my domain users and groups. It is just that users cannot modify the read/write permissions of directories via the Windows security tab. How can I solve this problem? Greetings, Felix> Am 04.08.2015 um 17:38 schrieb Rowland Penny <rowlandpenny241155 at gmail.com>: > >> On 04/08/15 15:29, Felix Matouschek wrote: >> Hi Rowland, >> >> I had to split smbd and winbindd config to work around some bugs in credentials offline caching. >> I have a separate winbindd.conf, it looks like this: >> >> [global] >> ### Network ### >> netbios name = Fileserver >> server string = Fileserver (%h V:%v) >> >> ### ad member ### >> workgroup = INTRANET >> realm = INTRANET.MYCOMPANY.DE >> security = ADS >> kerberos method = secrets and keytab >> >> ### WINS ### >> wins server = 192.168.0.197 >> name resolve order = wins host bcast >> >> ### winbind config ### >> winbind offline logon = yes >> winbind cache time = 600 >> winbind enum users = yes >> winbind enum groups = yes >> winbind expand groups = 1 >> winbind nested groups = yes >> winbind use default domain = yes >> winbind refresh tickets = yes >> winbind nss info = rfc2307 >> idmap config * : backend = tdb >> idmap config * : range = 1000000 - 1999999 >> idmap config INTRANET : backend = ad >> idmap config INTRANET : schema_mode = rfc2307 >> idmap config INTRANET : range = 5000 - 40000 >> >> ### offline mode is not working without those ### >> winbind normalize names = no >> map untrusted to domain = no >> >> ### performance ### >> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE >> >> Greetings, >> Felix >> >> -----Ursprüngliche Nachricht----- >> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland Penny >> Gesendet: Dienstag, 4. August 2015 15:17 >> An: samba at lists.samba.org >> Betreff: Re: [Samba] Cannot change directory permissions >> >>> On 04/08/15 14:11, Felix Matouschek wrote: >>> Hi Rowland, >>> >>> my users are known to the OS >> The smb.conf you posted earlier would seem to suggest that they aren't, what does 'getent passwd <username>' produce ? >> >> Rowland >> >>> , they also have the correct permissions to alter the settings. >>> Doing so on the CLI does work when logged in via SSH. >>> >>> When opening the Security Tab the users and groups are displayed, only on directories there are no checkmarks under Read, Write etc. >>> I also cannot set any checkmarks for Read, Write etc. >>> >>> When viewing the Security Tab of a file everything works and I can see and set the checkmarks. >>> >>> Do you know what could be wrong? >>> >>> Greetings, >>> Felix >>> >>> -----Ursprüngliche Nachricht----- >>> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von >>> Rowland Penny >>> Gesendet: Dienstag, 4. August 2015 12:55 >>> An: samba at lists.samba.org >>> Betreff: Re: [Samba] Cannot change directory permissions >>> >>>> On 04/08/15 11:46, Felix Matouschek wrote: >>>> Hi Rowland, >>>> >>>> when saying 'I' I theoretically meant any user that has write access to the share. >>>> >>>> It should be possible to right click the directory in windows, the go to security tab and remove the write permissions on the directory. >>>> >>>> This behaviour already works with files, I'm trying to figure out how to make it also work for directories. >>>> >>>> Greetings, >>>> Felix >>>> >>>> -----Ursprüngliche Nachricht----- >>>> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von >>>> Rowland Penny >>>> Gesendet: Dienstag, 4. August 2015 11:57 >>>> An: samba at lists.samba.org >>>> Betreff: Re: [Samba] Cannot change directory permissions >>>> >>>>> On 04/08/15 10:07, Felix Matouschek wrote: >>>>> Hello, >>>>> I occasionally need to remove the write permissions from directories inside a share to prevent users from accidentally deleting files inside that directory. >>>>> My problem is that I neither can view nor can change the permissions of directories on my shares. >>>>> Curiously enough viewing and changing permissions of files in the same shares works without a problem. >>>>> Is there anything I misconfigured? >>>>> My smb.conf looks like this: >>>>> [global] >>>>> ### Network ### >>>>> netbios name = Fileserver >>>>> server string = Fileserver (%h V:%v) >>>>> ### ad member ### >>>>> workgroup = INTRANET >>>>> realm = INTRANET.MYCOMPANY.DE >>>>> security = ADS >>>>> kerberos method = secrets and keytab >>>>> ### WINS ### >>>>> wins server = 192.168.0.197 >>>>> name resolve order = wins host bcast >>>>> ### logins without prepending INTRANET\ ### >>>>> map untrusted to domain = yes >>>>> ### other settings ### >>>>> unix extensions = no >>>>> invalid users = root >>>>> ### make exe files executable on windows without x bit ### >>>>> acl allow execute always = yes >>>>> ### performance ### >>>>> deadtime = 10 >>>>> use sendfile = yes >>>>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE >>>>> ### prevent unwanted files ### >>>>> veto files = /$RECYCLE.BIN/desktop.ini/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/._.apdisk/.TemporaryItems/._.TemporaryItems/.Trashes/._.Trashes >>>>> delete veto files = yes >>>>> ### SHARES ### >>>>> [Exchange] >>>>> path = /home/nobackup/exchange >>>>> guest ok = yes >>>>> read only = no >>>>> create mask = 660 >>>>> directory mask = 770 >>>>> force group = exchange-users >>>>> Greetings, >>>>> Felix >>>> Hi, when you say ' I occasionally need to remove the write permissions', whom is the 'I', is this the Administrator ? >>>> >>>> Rowland >>>> >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>> I am fairly sure your problem is a misconfiguration of smb.conf, for a start have a look here: >>> >>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server >>> >>> To change directory settings, your users and groups need to be known to the underlying Unix OS and have the required permissions to alter the settings. >>> >>> Rowland > > I am now officially lost, are you telling me that you have a smb.conf and a winbindd.conf ? > > If you have a winbindd.conf, how are you telling winbindd to load it ? > > Also I don't use the winbind offline logon feature, but I thought you have to have 'cached_login = yes' in the file: /etc/security/pam_winbind.conf. > > Does 'getent passwd' display all your AD domains ? > > Rowland > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba