Ian
2016-Feb-17 17:27 UTC
[Samba] Can one set the owner of a folder to BUILTIN\Administrators?
On 2/17/2016 5:00 AM, Rowland penny wrote:
> On 17/02/16 00:03, Ian wrote:
>> I've recently attempted to migrate some windows server files over to
>> samba 4 hosted on a FreeNAS server.
>>
>> Using robocopy with the /copyall switch, I expected everything,
>> including ACLs and ownership information to transfer over. For the
>> most part they have. The one problem I've run into however, is that I'm
>> getting errors any time I or robocopy attempt to change the ownership to
>> BUILTIN\Administrators.
>>
>> I've brought this up with the FreeNAS community, but so far it's unclear
>> if this is by design, there is a configuration issue somewhere, or
>> there's a bug.
>> https://forums.freenas.org/index.php?threads/ownership-issues-migrating-data-from-windows-to-freenas.41478/#post-265384
>>
>> When I attempt to change ownership to Builtin\Administrators, I get an
>> error that I don't have the Restore Privilege required, or if I have
>> inheritance enabled when changing ownership, "This security ID may not
>> be assigned as the owner of this object."
>>
>> As mentioned in that thread I linked to (lots more details there), I
>> verified that I do have the Restore Privilege right. I also verified
>> that I can assign any other owner successfully -- it's just
>> Builtin\Administrators that's giving me trouble.
>>
>> After turning up the logging in the samba configuration file and
>> restarting the service, this was the output when I attempted to change
>> ownership:
>>
>> [2016/02/16 15:33:02.077685, 3]
>> ../source3/smbd/vfs.c:1137(check_reduced_name)
>>   check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
>> [2016/02/16 15:33:02.077890, 3]
>> ../source3/smbd/vfs.c:1267(check_reduced_name)
>>   check_reduced_name: CoreLib reduced to /mnt/trunk/MM/deploy/CoreLib
>> [2016/02/16 15:33:02.078111, 3]
>> ../source3/smbd/dosmode.c:163(unix_mode)
>>   unix_mode(CoreLib) returning 0666
>> [2016/02/16 15:33:02.080039, 3]
>> ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
>>   unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
>> [2016/02/16 15:33:04.251911, 3]
>> ../source3/smbd/service.c:1130(close_cnum)
>>   192.168.0.119 (ipv4:192.168.0.119:58406) closed connection to
>>   service IPC$
>>
>> Googling for "unable to validate owner sid for S-1-5-32-544" brings up a
>> thread a decade old:
>> https://lists.samba.org/archive/samba-technical/2006-October/050007.html
>>
>> There was some discussion about sid/gid conflicts and ACLs with some
>> further discussion about fixing it. Since there's so little found when
>> Googling, I have to believe that this has been fixed since I would
>> expect there to be a lot more complaints from people like myself who are
>> migrating files from windows to samba.
>>
>> Any feedback is welcome, even if the advice is to change ownership to
>> something other than builtin\Administrators because that's broken. :)
>>
> Does 'getent group BUILTIN\\Administrators' give any result ?
> If smb.conf is setup correctly, you should get something like:
>
> BUILTIN\administrators:x:2001:
>
> If you do not get anything, then you need to change smb.conf, in which
> case, can you post your smb.conf.
>
> Rowland
>

Rowland,

'getent group BUILTIN\Administrators' returns nothing. Yes, this is a
domain member, not AD.

My /usr/local/etc/smb4.conf file should be "default" for FreeNAS
FreeNAS-9.3-STABLE-201602031011. I believe the gui is the only
recommended way to alter it (I think any hand editing gets wiped at
reboot?). The only change I've made through the GUI is to disable
oplocks for one of the shares [applied]. The share I've been testing
from however is [deploy].

If it helps, 'net groupmap list verbose' returns this:

Administrators
  SID       : S-1-5-32-544
  Unix gid  : 90000001
  Unix group: BUILTIN\administrators
  Group type: Local Group
  Comment   :
Users
  SID       : S-1-5-32-545
  Unix gid  : 90000002
  Unix group: BUILTIN\users
  Group type: Local Group
  Comment   :

Here's the smb4.conf file contents:

[global]
    server max protocol = SMB2
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 942185
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    hostname lookups = yes
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = member server
    netbios name = FREENAS
    workgroup = MMIA
    realm = INTRANET.MITCHELLANDMITCHELL.COM
    security = ADS
    client use spnego = yes
    cache directory = /var/tmp/.cache/.samba
    local master = no
    domain master = no
    preferred master = no
    ads dns update = yes
    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    idmap config MMIA: backend = rid
    idmap config MMIA: range = 20000-90000000
    allow trusted domains = no
    client ldap sasl wrapping = plain
    template shell = /bin/sh
    template homedir = /home/%D/%U
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1


[applied]
    path = /mnt/trunk/MM/applied
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
    veto oplock files = /*.dbf/*.DBF/*.ndx/*.NDX/


[deploy]
    path = /mnt/trunk/MM/deploy
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[eim]
    path = /mnt/trunk/MM/applied/EIM
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[home]
    path = /mnt/trunk/MM/home
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[profiles]
    path = /mnt/trunk/MM/profiles
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[shared]
    path = /mnt/trunk/MM/shared
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

Appreciate any insight. Note that this server is not "live" yet, so I'm
game to experiment with any ideas you may have.
Rowland penny
2016-Feb-17 17:43 UTC
[Samba] Can one set the owner of a folder to BUILTIN\Administrators?
On 17/02/16 17:27, Ian wrote:
>
> On 2/17/2016 5:00 AM, Rowland penny wrote:
>> On 17/02/16 00:03, Ian wrote:
>>> I've recently attempted to migrate some windows server files over to
>>> samba 4 hosted on a FreeNAS server.
>>>
>>> Using robocopy with the /copyall switch, I expected everything,
>>> including ACLs and ownership information to transfer over. For the
>>> most part they have. The one problem I've run into however, is that I'm
>>> getting errors any time I or robocopy attempt to change the ownership to
>>> BUILTIN\Administrators.
>>>
>>> I've brought this up with the FreeNAS community, but so far it's unclear
>>> if this is by design, there is a configuration issue somewhere, or
>>> there's a bug.
>>> https://forums.freenas.org/index.php?threads/ownership-issues-migrating-data-from-windows-to-freenas.41478/#post-265384
>>>
>>> When I attempt to change ownership to Builtin\Administrators, I get an
>>> error that I don't have the Restore Privilege required, or if I have
>>> inheritance enabled when changing ownership, "This security ID may not
>>> be assigned as the owner of this object."
>>>
>>> As mentioned in that thread I linked to (lots more details there), I
>>> verified that I do have the Restore Privilege right. I also verified
>>> that I can assign any other owner successfully -- it's just
>>> Builtin\Administrators that's giving me trouble.
>>>
>>> After turning up the logging in the samba configuration file and
>>> restarting the service, this was the output when I attempted to change
>>> ownership:
>>>
>>> [2016/02/16 15:33:02.077685, 3]
>>> ../source3/smbd/vfs.c:1137(check_reduced_name)
>>>   check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
>>> [2016/02/16 15:33:02.077890, 3]
>>> ../source3/smbd/vfs.c:1267(check_reduced_name)
>>>   check_reduced_name: CoreLib reduced to /mnt/trunk/MM/deploy/CoreLib
>>> [2016/02/16 15:33:02.078111, 3]
>>> ../source3/smbd/dosmode.c:163(unix_mode)
>>>   unix_mode(CoreLib) returning 0666
>>> [2016/02/16 15:33:02.080039, 3]
>>> ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
>>>   unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
>>> [2016/02/16 15:33:04.251911, 3]
>>> ../source3/smbd/service.c:1130(close_cnum)
>>>   192.168.0.119 (ipv4:192.168.0.119:58406) closed connection to
>>>   service IPC$
>>>
>>> Googling for "unable to validate owner sid for S-1-5-32-544" brings up a
>>> thread a decade old:
>>> https://lists.samba.org/archive/samba-technical/2006-October/050007.html
>>>
>>> There was some discussion about sid/gid conflicts and ACLs with some
>>> further discussion about fixing it. Since there's so little found when
>>> Googling, I have to believe that this has been fixed since I would
>>> expect there to be a lot more complaints from people like myself who are
>>> migrating files from windows to samba.
>>>
>>> Any feedback is welcome, even if the advice is to change ownership to
>>> something other than builtin\Administrators because that's broken. :)
>>>
>> Does 'getent group BUILTIN\\Administrators' give any result ?
>> If smb.conf is setup correctly, you should get something like:
>>
>> BUILTIN\administrators:x:2001:
>>
>> If you do not get anything, then you need to change smb.conf, in which
>> case, can you post your smb.conf.
>>
>> Rowland
>>
>>
> Rowland,
>
> 'getent group BUILTIN\Administrators' returns nothing. Yes, this is a
> domain member, not AD.

Well, I think that explains it, on a domain member in my domain, it
returns a result and I (as root) can chgrp a file to
'BUILTIN\Administrators'

I know very little about freebsd (I think freenas runs on freebsd) but
does it use PAM ? because I think this is your problem, winbind isn't
returning the BUILTIN info, is libnss_winbind setup ? does freenas use
libnss_winbind ?

Rowland

>
> My /usr/local/etc/smb4.conf file should be "default" for FreeNAS
> FreeNAS-9.3-STABLE-201602031011. I believe the gui is the only
> recommended way to alter it (I think any hand editing gets wiped at
> reboot?). The only change I've made through the GUI is to disable
> oplocks for one of the shares [applied]. The share I've been testing
> from however is [deploy].
>
> If it helps, 'net groupmap list verbose' returns this:
>
> Administrators
>   SID       : S-1-5-32-544
>   Unix gid  : 90000001
>   Unix group: BUILTIN\administrators
>   Group type: Local Group
>   Comment   :
> Users
>   SID       : S-1-5-32-545
>   Unix gid  : 90000002
>   Unix group: BUILTIN\users
>   Group type: Local Group
>   Comment   :
>
> Here's the smb4.conf file contents:
>
> [global]
>     server max protocol = SMB2
>     encrypt passwords = yes
>     dns proxy = no
>     strict locking = no
>     oplocks = yes
>     deadtime = 15
>     max log size = 51200
>     max open files = 942185
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>     getwd cache = yes
>     guest account = nobody
>     map to guest = Bad User
>     obey pam restrictions = yes
>     directory name cache size = 0
>     kernel change notify = no
>     panic action = /usr/local/libexec/samba/samba-backtrace
>     nsupdate command = /usr/local/bin/samba-nsupdate -g
>     server string = FreeNAS Server
>     ea support = yes
>     store dos attributes = yes
>     lm announce = yes
>     hostname lookups = yes
>     acl allow execute always = true
>     acl check permissions = true
>     dos filemode = yes
>     multicast dns register = yes
>     domain logons = no
>     idmap config *: backend = tdb
>     idmap config *: range = 90000001-100000000
>     server role = member server
>     netbios name = FREENAS
>     workgroup = MMIA
>     realm = INTRANET.MITCHELLANDMITCHELL.COM
>     security = ADS
>     client use spnego = yes
>     cache directory = /var/tmp/.cache/.samba
>     local master = no
>     domain master = no
>     preferred master = no
>     ads dns update = yes
>     winbind cache time = 7200
>     winbind offline logon = yes
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind nested groups = yes
>     winbind use default domain = no
>     winbind refresh tickets = yes
>     idmap config MMIA: backend = rid
>     idmap config MMIA: range = 20000-90000000
>     allow trusted domains = no
>     client ldap sasl wrapping = plain
>     template shell = /bin/sh
>     template homedir = /home/%D/%U
>     pid directory = /var/run/samba
>     create mask = 0666
>     directory mask = 0777
>     client ntlmv2 auth = yes
>     dos charset = CP437
>     unix charset = UTF-8
>     log level = 1
>
>
> [applied]
>     path = /mnt/trunk/MM/applied
>     printable = no
>     veto files = /.snapshot/.windows/.mac/.zfs/
>     writeable = yes
>     browseable = yes
>     shadow:snapdir = .zfs/snapshot
>     shadow:sort = desc
>     shadow:localtime = yes
>     shadow:format = auto-%Y%m%d.%H%M-1w
>     shadow:snapdirseverywhere = yes
>     vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>     hide dot files = yes
>     guest ok = no
>     nfs4:mode = special
>     nfs4:acedup = merge
>     nfs4:chown = true
>     zfsacl:acesort = dontcare
>     veto oplock files = /*.dbf/*.DBF/*.ndx/*.NDX/
>
>
> [deploy]
>     path = /mnt/trunk/MM/deploy
>     printable = no
>     veto files = /.snapshot/.windows/.mac/.zfs/
>     writeable = yes
>     browseable = yes
>     shadow:snapdir = .zfs/snapshot
>     shadow:sort = desc
>     shadow:localtime = yes
>     shadow:format = auto-%Y%m%d.%H%M-1w
>     shadow:snapdirseverywhere = yes
>     vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>     hide dot files = yes
>     guest ok = no
>     nfs4:mode = special
>     nfs4:acedup = merge
>     nfs4:chown = true
>     zfsacl:acesort = dontcare
>
>
> [eim]
>     path = /mnt/trunk/MM/applied/EIM
>     printable = no
>     veto files = /.snapshot/.windows/.mac/.zfs/
>     writeable = yes
>     browseable = yes
>     shadow:snapdir = .zfs/snapshot
>     shadow:sort = desc
>     shadow:localtime = yes
>     shadow:format = auto-%Y%m%d.%H%M-1w
>     shadow:snapdirseverywhere = yes
>     vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>     hide dot files = yes
>     guest ok = no
>     nfs4:mode = special
>     nfs4:acedup = merge
>     nfs4:chown = true
>     zfsacl:acesort = dontcare
>
>
> [home]
>     path = /mnt/trunk/MM/home
>     printable = no
>     veto files = /.snapshot/.windows/.mac/.zfs/
>     writeable = yes
>     browseable = yes
>     shadow:snapdir = .zfs/snapshot
>     shadow:sort = desc
>     shadow:localtime = yes
>     shadow:format = auto-%Y%m%d.%H%M-1w
>     shadow:snapdirseverywhere = yes
>     vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>     hide dot files = yes
>     guest ok = no
>     nfs4:mode = special
>     nfs4:acedup = merge
>     nfs4:chown = true
>     zfsacl:acesort = dontcare
>
>
> [profiles]
>     path = /mnt/trunk/MM/profiles
>     printable = no
>     veto files = /.snapshot/.windows/.mac/.zfs/
>     writeable = yes
>     browseable = yes
>     shadow:snapdir = .zfs/snapshot
>     shadow:sort = desc
>     shadow:localtime = yes
>     shadow:format = auto-%Y%m%d.%H%M-1w
>     shadow:snapdirseverywhere = yes
>     vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>     hide dot files = yes
>     guest ok = no
>     nfs4:mode = special
>     nfs4:acedup = merge
>     nfs4:chown = true
>     zfsacl:acesort = dontcare
>
>
> [shared]
>     path = /mnt/trunk/MM/shared
>     printable = no
>     veto files = /.snapshot/.windows/.mac/.zfs/
>     writeable = yes
>     browseable = yes
>     shadow:snapdir = .zfs/snapshot
>     shadow:sort = desc
>     shadow:localtime = yes
>     shadow:format = auto-%Y%m%d.%H%M-1w
>     shadow:snapdirseverywhere = yes
>     vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>     hide dot files = yes
>     guest ok = no
>     nfs4:mode = special
>     nfs4:acedup = merge
>     nfs4:chown = true
>     zfsacl:acesort = dontcare
>
> Appreciate any insight. Note that this server is not "live" yet, so I'm
> game to experiment with any ideas you may have.
>
Ian
2016-Feb-17 18:07 UTC
[Samba] Can one set the owner of a folder to BUILTIN\Administrators?
On 2/17/2016 9:43 AM, Rowland penny wrote:
> On 17/02/16 17:27, Ian wrote:
>>
>> On 2/17/2016 5:00 AM, Rowland penny wrote:
>>> On 17/02/16 00:03, Ian wrote:
>>>> I've recently attempted to migrate some windows server files over to
>>>> samba 4 hosted on a FreeNAS server.
>>>>
>>>> Using robocopy with the /copyall switch, I expected everything,
>>>> including ACLs and ownership information to transfer over. For the
>>>> most part they have. The one problem I've run into however, is that I'm
>>>> getting errors any time I or robocopy attempt to change the ownership to
>>>> BUILTIN\Administrators.
>>>>
>>>> I've brought this up with the FreeNAS community, but so far it's unclear
>>>> if this is by design, there is a configuration issue somewhere, or
>>>> there's a bug.
>>>> https://forums.freenas.org/index.php?threads/ownership-issues-migrating-data-from-windows-to-freenas.41478/#post-265384
>>>>
>>>> When I attempt to change ownership to Builtin\Administrators, I get an
>>>> error that I don't have the Restore Privilege required, or if I have
>>>> inheritance enabled when changing ownership, "This security ID may not
>>>> be assigned as the owner of this object."
>>>>
>>>> As mentioned in that thread I linked to (lots more details there), I
>>>> verified that I do have the Restore Privilege right. I also verified
>>>> that I can assign any other owner successfully -- it's just
>>>> Builtin\Administrators that's giving me trouble.
>>>>
>>>> After turning up the logging in the samba configuration file and
>>>> restarting the service, this was the output when I attempted to change
>>>> ownership:
>>>>
>>>> [2016/02/16 15:33:02.077685, 3]
>>>> ../source3/smbd/vfs.c:1137(check_reduced_name)
>>>>   check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
>>>> [2016/02/16 15:33:02.077890, 3]
>>>> ../source3/smbd/vfs.c:1267(check_reduced_name)
>>>>   check_reduced_name: CoreLib reduced to /mnt/trunk/MM/deploy/CoreLib
>>>> [2016/02/16 15:33:02.078111, 3]
>>>> ../source3/smbd/dosmode.c:163(unix_mode)
>>>>   unix_mode(CoreLib) returning 0666
>>>> [2016/02/16 15:33:02.080039, 3]
>>>> ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
>>>>   unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
>>>> [2016/02/16 15:33:04.251911, 3]
>>>> ../source3/smbd/service.c:1130(close_cnum)
>>>>   192.168.0.119 (ipv4:192.168.0.119:58406) closed connection to
>>>>   service IPC$
>>>>
>>>> Googling for "unable to validate owner sid for S-1-5-32-544" brings up a
>>>> thread a decade old:
>>>> https://lists.samba.org/archive/samba-technical/2006-October/050007.html
>>>>
>>>> There was some discussion about sid/gid conflicts and ACLs with some
>>>> further discussion about fixing it. Since there's so little found when
>>>> Googling, I have to believe that this has been fixed since I would
>>>> expect there to be a lot more complaints from people like myself who are
>>>> migrating files from windows to samba.
>>>>
>>>> Any feedback is welcome, even if the advice is to change ownership to
>>>> something other than builtin\Administrators because that's broken. :)
>>>>
>>> Does 'getent group BUILTIN\\Administrators' give any result ?
>>> If smb.conf is setup correctly, you should get something like:
>>>
>>> BUILTIN\administrators:x:2001:
>>>
>>> If you do not get anything, then you need to change smb.conf, in which
>>> case, can you post your smb.conf.
>>>
>>> Rowland
>>>
>>>
>> Rowland,
>>
>> 'getent group BUILTIN\Administrators' returns nothing. Yes, this is a
>> domain member, not AD.
>
> Well, I think that explains it, on a domain member in my domain, it
> returns a result and I (as root) can chgrp a file to
> 'BUILTIN\Administrators'

Actually, that works for me too. I just issued the command
'chgrp "BUILTIN\administrators" CoreLib' and it returned successfully for
that folder. 'ls -la' shows:

d---------+  2 MMIA\domain admins  BUILTIN\administrators  5 Dec  8 11:59 CoreLib//

Note however, that it fails if I attempt to chown instead:

[root@freenas] /mnt/trunk/MM/deploy# chown "BUILTIN\Administrators" CoreLib
chown: BUILTIN\Administrators: illegal user name

I can chown to other domain groups successfully.

>
> I know very little about freebsd (I think freenas runs on freebsd) but
> does it use PAM ? because I think this is your problem, winbind isn't
> returning the BUILTIN info, is libnss_winbind setup ? does freenas use
> libnss_winbind ?
>

Yes Freebsd. uname -a shows: "FreeBSD 9.3-RELEASE-p31"
smbstatus shows Samba version 4.1.21

I know it's using LDAP to talk to the DC since
/usr/local/etc/openldap.ldap.conf contains my DC's info. /etc/krb5.conf
also contains my domain's info, and inside of that is a setting for pam
(forwardable = true).

/etc/nsswitch.conf shows:
group: files winbind
passwd: files winbind

there is a /etc/pam.d/samba file, so I'd have to say, yes pam is part of
the system here, and winbind is tied into that.

> Rowland
>
>>
>> My /usr/local/etc/smb4.conf file should be "default" for FreeNAS
>> FreeNAS-9.3-STABLE-201602031011. I believe the gui is the only
>> recommended way to alter it (I think any hand editing gets wiped at
>> reboot?). The only change I've made through the GUI is to disable
>> oplocks for one of the shares [applied]. The share I've been testing
>> from however is [deploy].
>>
>> If it helps, 'net groupmap list verbose' returns this:
>>
>> Administrators
>>   SID       : S-1-5-32-544
>>   Unix gid  : 90000001
>>   Unix group: BUILTIN\administrators
>>   Group type: Local Group
>>   Comment   :
>> Users
>>   SID       : S-1-5-32-545
>>   Unix gid  : 90000002
>>   Unix group: BUILTIN\users
>>   Group type: Local Group
>>   Comment   :
>>
>> Here's the smb4.conf file contents:
>>
>> [global]
>>     server max protocol = SMB2
>>     encrypt passwords = yes
>>     dns proxy = no
>>     strict locking = no
>>     oplocks = yes
>>     deadtime = 15
>>     max log size = 51200
>>     max open files = 942185
>>     load printers = no
>>     printing = bsd
>>     printcap name = /dev/null
>>     disable spoolss = yes
>>     getwd cache = yes
>>     guest account = nobody
>>     map to guest = Bad User
>>     obey pam restrictions = yes
>>     directory name cache size = 0
>>     kernel change notify = no
>>     panic action = /usr/local/libexec/samba/samba-backtrace
>>     nsupdate command = /usr/local/bin/samba-nsupdate -g
>>     server string = FreeNAS Server
>>     ea support = yes
>>     store dos attributes = yes
>>     lm announce = yes
>>     hostname lookups = yes
>>     acl allow execute always = true
>>     acl check permissions = true
>>     dos filemode = yes
>>     multicast dns register = yes
>>     domain logons = no
>>     idmap config *: backend = tdb
>>     idmap config *: range = 90000001-100000000
>>     server role = member server
>>     netbios name = FREENAS
>>     workgroup = MMIA
>>     realm = INTRANET.MITCHELLANDMITCHELL.COM
>>     security = ADS
>>     client use spnego = yes
>>     cache directory = /var/tmp/.cache/.samba
>>     local master = no
>>     domain master = no
>>     preferred master = no
>>     ads dns update = yes
>>     winbind cache time = 7200
>>     winbind offline logon = yes
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>     winbind nested groups = yes
>>     winbind use default domain = no
>>     winbind refresh tickets = yes
>>     idmap config MMIA: backend = rid
>>     idmap config MMIA: range = 20000-90000000
>>     allow trusted domains = no
>>     client ldap sasl wrapping = plain
>>     template shell = /bin/sh
>>     template homedir = /home/%D/%U
>>     pid directory = /var/run/samba
>>     create mask = 0666
>>     directory mask = 0777
>>     client ntlmv2 auth = yes
>>     dos charset = CP437
>>     unix charset = UTF-8
>>     log level = 1
>>
>>
>> [applied]
>>     path = /mnt/trunk/MM/applied
>>     printable = no
>>     veto files = /.snapshot/.windows/.mac/.zfs/
>>     writeable = yes
>>     browseable = yes
>>     shadow:snapdir = .zfs/snapshot
>>     shadow:sort = desc
>>     shadow:localtime = yes
>>     shadow:format = auto-%Y%m%d.%H%M-1w
>>     shadow:snapdirseverywhere = yes
>>     vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>>     hide dot files = yes
>>     guest ok = no
>>     nfs4:mode = special
>>     nfs4:acedup = merge
>>     nfs4:chown = true
>>     zfsacl:acesort = dontcare
>>     veto oplock files = /*.dbf/*.DBF/*.ndx/*.NDX/
>>
>>
>> [deploy]
>>     path = /mnt/trunk/MM/deploy
>>     printable = no
>>     veto files = /.snapshot/.windows/.mac/.zfs/
>>     writeable = yes
>>     browseable = yes
>>     shadow:snapdir = .zfs/snapshot
>>     shadow:sort = desc
>>     shadow:localtime = yes
>>     shadow:format = auto-%Y%m%d.%H%M-1w
>>     shadow:snapdirseverywhere = yes
>>     vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>>     hide dot files = yes
>>     guest ok = no
>>     nfs4:mode = special
>>     nfs4:acedup = merge
>>     nfs4:chown = true
>>     zfsacl:acesort = dontcare
>>
>>
>> [eim]
>>     path = /mnt/trunk/MM/applied/EIM
>>     printable = no
>>     veto files = /.snapshot/.windows/.mac/.zfs/
>>     writeable = yes
>>     browseable = yes
>>     shadow:snapdir = .zfs/snapshot
>>     shadow:sort = desc
>>     shadow:localtime = yes
>>     shadow:format = auto-%Y%m%d.%H%M-1w
>>     shadow:snapdirseverywhere = yes
>>     vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>>     hide dot files = yes
>>     guest ok = no
>>     nfs4:mode = special
>>     nfs4:acedup = merge
>>     nfs4:chown = true
>>     zfsacl:acesort = dontcare
>>
>>
>> [home]
>>     path = /mnt/trunk/MM/home
>>     printable = no
>>     veto files = /.snapshot/.windows/.mac/.zfs/
>>     writeable = yes
>>     browseable = yes
>>     shadow:snapdir = .zfs/snapshot
>>     shadow:sort = desc
>>     shadow:localtime = yes
>>     shadow:format = auto-%Y%m%d.%H%M-1w
>>     shadow:snapdirseverywhere = yes
>>     vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>>     hide dot files = yes
>>     guest ok = no
>>     nfs4:mode = special
>>     nfs4:acedup = merge
>>     nfs4:chown = true
>>     zfsacl:acesort = dontcare
>>
>>
>> [profiles]
>>     path = /mnt/trunk/MM/profiles
>>     printable = no
>>     veto files = /.snapshot/.windows/.mac/.zfs/
>>     writeable = yes
>>     browseable = yes
>>     shadow:snapdir = .zfs/snapshot
>>     shadow:sort = desc
>>     shadow:localtime = yes
>>     shadow:format = auto-%Y%m%d.%H%M-1w
>>     shadow:snapdirseverywhere = yes
>>     vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>>     hide dot files = yes
>>     guest ok = no
>>     nfs4:mode = special
>>     nfs4:acedup = merge
>>     nfs4:chown = true
>>     zfsacl:acesort = dontcare
>>
>>
>> [shared]
>>     path = /mnt/trunk/MM/shared
>>     printable = no
>>     veto files = /.snapshot/.windows/.mac/.zfs/
>>     writeable = yes
>>     browseable = yes
>>     shadow:snapdir = .zfs/snapshot
>>     shadow:sort = desc
>>     shadow:localtime = yes
>>     shadow:format = auto-%Y%m%d.%H%M-1w
>>     shadow:snapdirseverywhere = yes
>>     vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>>     hide dot files = yes
>>     guest ok = no
>>     nfs4:mode = special
>>     nfs4:acedup = merge
>>     nfs4:chown = true
>>     zfsacl:acesort = dontcare
>>
>> Appreciate any insight. Note that this server is not "live" yet, so I'm
>> game to experiment with any ideas you may have.
>>
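The pattern the thread converges on (chgrp to BUILTIN\administrators works, chown does not, and smbd logs unpack_nt_owners rejecting S-1-5-32-544) can be checked mechanically rather than by trial. The Python below is an added example written for this page; it is neither Samba's code nor anything either poster ran. It parses the 'net groupmap list verbose' output and the level-3 smbd log lines quoted in the thread and applies the same rule smbd enforces in unpack_nt_owners(): the owner SID of an incoming security descriptor must map to a uid, and only the group SID may map to a gid; an owner that maps to nothing but a gid is refused with NT_STATUS_INVALID_OWNER, which Windows renders as "This security ID may not be assigned as the owner of this object". Assumptions, also marked in the code: the MMIA domain SID is invented (the thread never shows it); the idmap_rid backend is modelled as handing back both a uid and a gid for every domain SID, which is consistent with the 'ls -la' line in the last message where MMIA\domain admins appears as owner; the BUILTIN entries exist only through the groupmap, which allocates a gid from the default '*' tdb range and no uid. All function names are the example's own.

```python
"""Model of why smbd rejects BUILTIN\\Administrators as a POSIX file owner.

Added example written for this thread, not Samba code and not the poster's.
The groupmap and log samples are copied from the thread; the domain SID and
the idmap_rid behaviour are assumptions, marked where they appear."""
import re

# Copied from the thread: 'net groupmap list verbose' on the FreeNAS box.
GROUPMAP_OUTPUT = """\
Administrators
  SID       : S-1-5-32-544
  Unix gid  : 90000001
  Unix group: BUILTIN\\administrators
  Group type: Local Group
  Comment   :
Users
  SID       : S-1-5-32-545
  Unix gid  : 90000002
  Unix group: BUILTIN\\users
  Group type: Local Group
  Comment   :
"""

# Copied from the thread: the level-3 smbd lines around the failed owner change.
SMBD_LOG = """\
[2016/02/16 15:33:02.078111,  3] ../source3/smbd/dosmode.c:163(unix_mode)
  unix_mode(CoreLib) returning 0666
[2016/02/16 15:33:02.080039,  3] ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
  unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
"""

# Assumption: a made-up SID standing in for the MMIA domain, which the thread never shows.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
# From the thread: 'idmap config MMIA: backend = rid' with 'range = 20000-90000000'.
RID_LOW, RID_HIGH = 20000, 90000000


def parse_groupmap(text):
    """Parse 'net groupmap list verbose' output into {sid: {field: value}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line starts a new map entry
            current = {"name": line.strip()}
            continue
        m = re.match(r"\s*(SID|Unix gid|Unix group|Group type)\s*:\s*(.*)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
            if m.group(1) == "SID":
                entries[current["SID"]] = current
    return entries


def rid_to_id(sid):
    """idmap_rid arithmetic from idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID,
    with 'base rid' at its default of 0.  None for foreign SIDs or out-of-range IDs."""
    if not sid.startswith(DOMAIN_SID + "-"):
        return None
    xid = int(sid.rsplit("-", 1)[1]) + RID_LOW
    return xid if RID_LOW <= xid <= RID_HIGH else None


def sid_to_uid(sid, groupmap):
    """What sid_to_uid() yields on this box.  Assumption: the rid backend returns
    every domain SID as ID_TYPE_BOTH, so even a domain group can own a file (the
    thread's 'ls -la' shows MMIA\\domain admins as owner).  BUILTIN SIDs exist
    only through the groupmap, which allocates a gid and no uid."""
    return None if sid in groupmap else rid_to_id(sid)


def sid_to_gid(sid, groupmap):
    return int(groupmap[sid]["Unix gid"]) if sid in groupmap else rid_to_id(sid)


def classify_owner_sid(sid, groupmap):
    """Mirror the check in smbd's unpack_nt_owners(): the owner SID of an incoming
    security descriptor must map to a uid, otherwise the call fails with
    NT_STATUS_INVALID_OWNER ('This security ID may not be assigned as the owner
    of this object' on the Windows side)."""
    if sid_to_uid(sid, groupmap) is not None:
        return "ok-as-owner"
    if sid_to_gid(sid, groupmap) is not None:
        return "group-only"                     # chgrp works, chown does not
    return "unmapped"


def failed_owner_sids(log):
    """Return (timestamp, sid) for every owner SID smbd refused, from an smbd log."""
    hits, stamp = [], None
    for line in log.splitlines():
        head = re.match(r"\[([^\],]+),\s*\d+\]", line)
        if head:
            stamp = head.group(1)
            continue
        m = re.search(r"unpack_nt_owners: unable to validate owner sid for (S-1-5-[\d-]+)", line)
        if m:
            hits.append((stamp, m.group(1)))
    return hits


def diagnose(log, groupmap_text):
    """One line per rejected owner: who it is, and whether it can ever be a POSIX owner."""
    groupmap = parse_groupmap(groupmap_text)
    return [
        f"{stamp}: owner {groupmap.get(sid, {}).get('Unix group', sid)} ({sid}) is "
        f"{classify_owner_sid(sid, groupmap)}; uid={sid_to_uid(sid, groupmap)} "
        f"gid={sid_to_gid(sid, groupmap)}"
        for stamp, sid in failed_owner_sids(log)
    ]


if __name__ == "__main__":
    print("\n".join(diagnose(SMBD_LOG, GROUPMAP_OUTPUT)))
    gm = parse_groupmap(GROUPMAP_OUTPUT)
    print("Domain Admins (RID 512) as owner:", classify_owner_sid(DOMAIN_SID + "-512", gm))
```

Run as a script it reports S-1-5-32-544 as group-only (gid 90000001, no uid), which is exactly the split Ian sees between chgrp succeeding and chown reporting an illegal user name, while a domain SID under the rid backend classifies as ok-as-owner. Two practical caveats when reproducing Rowland's check on a real box: in a POSIX shell an unquoted BUILTIN\Administrators loses its backslash before getent ever sees it, so quote the name or double the backslash as Rowland's command does; and the smb.conf parameter 'force unknown acl user = yes' makes smbd silently substitute the connected user's uid for an owner SID it cannot map instead of rejecting the descriptor, which stops the error but records a different owner than Windows asked for and hides the mapping gap rather than closing it.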