> OK, you have two DCs, on one, your user can access a share, you basically
> copy the shares to another DC (with all the same permissions etc) and your
> user cannot access the share on the second DC.
>
> How is AD set up ? are you using uidNumber & gidNumber attributes (you will
> have added them manually) or are you using the xidNumbers created
> automatically by Samba4.

I'm not pretty sure about the difference, but I believe it's the 2nd alternative. I guess you could check it from my configuration shown in the lines below.

> If you have modified the smb.conf on the second DC, can you post this.
> Can you post the smb.conf from your zential machine.

This is the content of my Zentyal's Samba configuration:

[global]
workgroup = agn
realm = REALM.COM.PE
netbios name = fileserver
server string = Linux Active Directory
server role = dc
server role check:inhibit = yes
server services = -dns -winbindd +winbind
server signing = auto
dsdb:schema update allowed = yes
drs:max object sync = 1200
idmap_ldb:use rfc2307 = yes
interfaces = lo,eth0,eth0:0,eth0:0
bind interfaces only = yes
log level = 3
log file = /var/log/samba/samba.log
max log size = 100000
include = /etc/samba/shares.conf

[netlogon]
path = /var/lib/samba/sysvol/agn.com.pe/scripts
browseable = no
read only = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = no

Here the contents of /etc/samba/shares.conf:

[homes]
comment = Directorios de usuario
path = /home/%S
read only = no
browseable = no
create mask = 0611
directory mask = 0711
vfs objects = acl_xattr full_audit recycle
full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
recycle: directory_mode = 0700
recycle: inherit_nt_acl = Yes
recycle: excludedir = /tmp|/var/tmp
recycle: versions = Yes
recycle: keeptree = Yes
recycle: repository = RecycleBin

[agnofi]
comment = primer compartido
path = /home/samba/shares/agnofi
browseable = Yes
read only = No
force create mode = 0660
force directory mode = 0660
vfs objects = acl_xattr full_audit recycle
acl_xattr:ignore system acls = yes
full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
recycle: directory_mode = 0700
recycle: inherit_nt_acl = Yes
recycle: excludedir = /tmp|/var/tmp
recycle: versions = Yes
recycle: keeptree = Yes
recycle: repository = RecycleBin

There are a lot of other additional shares but all of them have the same configuration except for the path.

This is the configuration for my 2nd Samba DC:

[global]
workgroup = AGN
realm = realm.com.pe
netbios name = FILESERVERSJL
server role = active directory domain controller
log file = /var/log/samba.log
log level = 3
include = /etc/samba/shares.conf
server services = -dns -winbindd +winbind
server signing = auto
dsdb:schema update allowed = yes
drs:max object sync = 1200
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba-4.3.5/var/locks/sysvol/agn.com.pe/scripts
read only = No

[sysvol]
path = /usr/local/samba-4.3.5/var/locks/sysvol
read only = No

The contents of /etc/samba/shares.conf are exactly the same as on Zentyal's server because I copy this file using rsync.

Hope this helps. Thanks a lot for your help.
On 27/04/16 19:55, Jason Voorhees wrote:
>> OK, you have two DCs, on one, your user can access a share, you basically
>> copy the shares to another DC (with all the same permissions etc) and your
>> user cannot access the share on the second DC.
>>
>> How is AD set up ? are you using uidNumber & gidNumber attributes (you will
>> have added them manually) or are you using the xidNumbers created
>> automatically by Samba4.
> I'm not pretty sure about the difference, but I believe it's the 2nd
> alternative. I guess you could check it from my configuration shown
> in the lines below.

No, I cannot tell what type of UIDs you are using from your smb.conf files, but I can make an educated guess: you are probably using 'xidNumber' attributes stored in 'idmap.ldb'. Now there is an interesting fact about xidNumber attributes: there is a very good chance a user will get a different number on each DC, and this could well be your problem.

It is further compounded (in my opinion) by the fact that Zentyal appears to have turned off the better 'winbindd', in favour of the 'winbind' built into the 'samba' daemon.

If you want to be 100% certain that your users have the same UID on every Unix machine, you need to use 'uidNumber' attributes. You also need to use 'gidNumber' attributes for the groups.

Have a look here, please read the entire page:

https://wiki.samba.org/index.php/Idmap_config_ad

You will undoubtedly have further questions, but let's deal with them once you have read the wiki page.

Rowland
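Rowland's diagnosis above comes down to one question: does each DC resolve the same uid and gid for a given user, and does the AD object carry rfc2307 uidNumber/gidNumber attributes at all, or only a per-DC xidNumber from idmap.ldb? The script below is an added example written for this thread; it is not code posted by any participant and not part of Samba or Zentyal. It assumes that winbind NSS resolution is active on each DC so that `getent passwd` resolves domain users, that `ldbsearch` is on PATH, and that the SAMDB variable points at the DC's sam.ldb (the default path is an assumption; the self-compiled DC in the thread will have it under its own prefix). The constructed captures in the demo functions are sample data, not output from the servers in the thread.

```sh
#!/bin/sh
# idmap_check.sh (added example, not from the thread or from Samba itself)
# Compare the Unix uid/gid a user gets on two Samba DCs and show whether the
# AD object has rfc2307 attributes or relies on automatic xidNumber allocation.

SAMDB="${SAMDB:-/var/lib/samba/private/sam.ldb}"   # assumed default path

# collect_ids USER... -> one "user:uid:gid" line per user as resolved on this
# DC. Run on each DC and keep the output, e.g. `collect_ids alice > dc1.txt`.
collect_ids() {
    for u in "$@"; do
        if line=$(getent passwd "$u"); then
            # passwd format: name:x:uid:gid:gecos:home:shell
            printf '%s:%s:%s\n' "$u" \
                "$(printf '%s' "$line" | cut -d: -f3)" \
                "$(printf '%s' "$line" | cut -d: -f4)"
        else
            printf '%s:MISSING:MISSING\n' "$u"
        fi
    done
}

# rfc2307_attrs USER -> prints the uidNumber/gidNumber stored in AD for USER.
# Empty output means no rfc2307 attributes, so each DC falls back to its own
# idmap.ldb xidNumber allocation, which need not agree between DCs.
rfc2307_attrs() {
    ldbsearch -H "$SAMDB" "(sAMAccountName=$1)" uidNumber gidNumber \
        | grep -E '^(uidNumber|gidNumber):'
}

# lookup USER FILE -> prints the first "USER:..." line of FILE, or fails.
lookup() {
    while IFS= read -r l; do
        case "$l" in "$1:"*) printf '%s\n' "$l"; return 0 ;; esac
    done < "$2"
    return 1
}

# compare_ids FILE_DC1 FILE_DC2 -> prints one line per user whose uid or gid
# differs between the two captures; returns 0 if all match, 1 otherwise.
compare_ids() {
    mismatches=0
    while IFS=: read -r user uid gid; do
        other=$(lookup "$user" "$2" || printf '%s:MISSING:MISSING\n' "$user")
        ouid=$(printf '%s' "$other" | cut -d: -f2)
        ogid=$(printf '%s' "$other" | cut -d: -f3)
        if [ "$uid" != "$ouid" ] || [ "$gid" != "$ogid" ]; then
            printf '%s dc1=%s/%s dc2=%s/%s\n' "$user" "$uid" "$gid" "$ouid" "$ogid"
            mismatches=$((mismatches + 1))
        fi
    done < "$1"
    [ "$mismatches" -eq 0 ]
}

# demo_mismatches -> compare_ids on two constructed captures (sample data, not
# real server output). Two users differ, so the report has two lines and the
# function returns 1.
demo_mismatches() {
    a=$(mktemp); b=$(mktemp)
    printf 'jvoorhees:3000012:100\nalice:3000015:100\nbob:3000020:100\n' > "$a"
    printf 'jvoorhees:3000027:100\nalice:3000015:100\nbob:3000020:3000031\n' > "$b"
    if compare_ids "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return "$rc"
}

# demo_consistent -> same check on two identical constructed captures; returns 0.
demo_consistent() {
    a=$(mktemp); b=$(mktemp)
    printf 'alice:10001:10000\nbob:10002:10000\n' > "$a"
    cp "$a" "$b"
    if compare_ids "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return "$rc"
}
```

In practice you would source the script on each DC, run `collect_ids` for the affected users, copy the two captures to one machine and run `compare_ids dc1.txt dc2.txt`; any line it prints is a user whose files will carry different ownership on the two DCs even though the share definitions were rsync'd identically. An empty `rfc2307_attrs` result for such a user confirms that the mismatch comes from automatic xidNumber allocation rather than from anything in smb.conf.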
This is a normal behaviour if you are using several DCs. Users and groups do have another gid/uid on each server until you fix it manually. This was a hard experience and work even for me, which I suggest should be the next goal for the Samba 4 developers to solve and fix in an easy way for the admins. In my opinion, if I run several DCs in a domain this should be done between the DCs automatically without intervention.

Greetings
Daniel

EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de

-----Original Message-----
From: Rowland penny [mailto:rpenny at samba.org]
Sent: Wednesday, 27 April 2016 21:17
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4 permissions error

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba