it at mdsdnr.ru
2017-Mar-10 13:23 UTC
[Samba] File/dir user permissions on Samba fileserver in DC
Hi, all

Using Samba-4.3.5 as an AD member fileserver. It's running in an OpenVZ container (ProxMox VE). The domain is also built on Samba-4.3.5 (another VM). The fileserver's VM is mounted with the acl and user_xattr options, and Samba is compiled with ACL support.

There are domain users, for example "usr1" and "usr2". They're in the domain group "dg1".

There's a filepath "/somepath/dir". Access to this directory is granted according to domain group membership. "usr1" can access "dir", other users from "dg1" can also access "dir" and create files or directories in it. But none of the "dg1" users (except "usr2" and root, of course) can delete any files in this folder. Windows clients say "You must have permissions from usr2 to delete this file/directory". This is wrong. It is as if the "sticky bit" were set, but it isn't set on the file objects.

When file objects are created Samba sets the following user rights:

:~# ls -l /somepath/dir
drwxrwx--- 2 usr2 24 4096 mar 10 11:32 /somepath/dir

As we can see there, no SGID bit is set on the folders (nor on the parent folder). The owner of all file objects is "usr2".

:~# getfacl /somepath/dir
# file: dir
# owner: usr2
# group: dg1
user::rwx
group::rwx
other::---

lsattr /somepath/dir also shows that no attribute bits are set.
Even if a file object has 0777 rights, this doesn't help at all...
smb.conf:
[global]
workgroup = WG
security = ADS
realm = WG.LOCAL
netbios name = FSRV
server role = auto
encrypt passwords = yes
auth methods = winbind
log level = 0 vfs:1
idmap config * : backend = rid
idmap config * : range = 300000-400000
idmap config * : base_rid = 0
idmap config * :schema_mode = rfc2307
idmap_ldb:use rfc2307 = yes
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
max log size = 1000
syslog = 1
passdb backend = tdbsam
obey pam restrictions = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
unix password sync = yes
load printers = no
show add printer wizard = no
disable spoolss = yes
printcap name = /dev/null
os level = 1
case sensitive = no
hide unreadable = yes
#hide unwriteable files = yes
log writeable files on exit = yes
deadtime = 600
ea support = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY..
#======================= Share Definitions ======================
[q]
comment = File share
browseable = yes
path = /somepath
guest ok = no
read only = no
delete readonly = yes
strict sync = yes
sync always = yes
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
map acl inherit = yes
nt acl support = yes
map system = yes
veto files = /.snap/quota*/*.vmx/autorun.inf/
valid users = +WG\all WG\admin
admin users = +WG\it WG\admin
hide unreadable = yes
vfs objects= acl_xattr
access based share enum = yes
map acl inherit = yes
acl check permissions = yes
map system = yes
What am I doing wrong?
Rowland Penny
2017-Mar-10 13:58 UTC
[Samba] File/dir user permissions on Samba fileserver in DC
On Fri, 10 Mar 2017 16:23:18 +0300 Dmitry via samba <samba at lists.samba.org> wrote:
> Hi, aLL
>
> Using Samba-4.3.5 as a AD-member - fileserver. It's running in OpenVZ
> container (ProxMox VE). Domain is also build on Samba-4.3.5 (another
> VM). Fileserver's VM is mounted with acl, user_xattr options, Samba
> compiled with ACL support.
>
> What I'm doing wrong?
>

You say your Samba client is an AD-member aka domain member, but you haven't set up your smb.conf correctly, you also seem to be still thinking in Samba3 workgroup terms. Can I suggest you go and read the Samba wiki, start here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
Rowland Penny
2017-Mar-10 14:51 UTC
[Samba] File/dir user permissions on Samba fileserver in DC
On Fri, 10 Mar 2017 17:21:40 +0300 it at mdsdnr.ru wrote:
> Rowland Penny via samba wrote 2017-03-10 16:58:
>
> Can you say more concretely what's wrong in my smb.conf?
>
> > You say your Samba client is an AD-member aka domain member, but you
> > haven't set up your smb.conf correctly, you also seem to be still
> > thinking in Samba3 workgroup terms. Can I suggest you go and read
> > the Samba wiki, start here:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > Rowland

If you read the samba wiki, you would find out, but if it is unclear, please say so ;-)

But I will give you a hint, this is wrong:

idmap config * : backend = rid
idmap config * : range = 300000-400000
idmap config * : base_rid = 0
idmap config * :schema_mode = rfc2307
idmap_ldb:use rfc2307 = yes

The backend is wrong in the top line
You do not need the third line
The fourth line is only used with the 'ad' backend
The fifth line is only used on a DC
You do not have the required DOMAIN lines

Rowland
Rowland Penny
2017-Mar-13 09:59 UTC
[Samba] File/dir user permissions on Samba fileserver in DC
On Mon, 13 Mar 2017 12:01:28 +0300 it at mdsdnr.ru wrote:
> Thank you for pointing me to errors. I've corrected'em (I think), so
> smb.conf now looks like:
>

Can I ask if you are having problems following the Samba wiki ? You still do not seem to have set up the smb.conf correctly, if you are having problems following the wiki, please say so and if possible give examples. Without feedback, we do not know of any problem areas.

Having got that out of the way, I have gone through your smb.conf and corrected it by removing default lines. I have also added some comments:

[global]
workgroup = WG
security = ADS
realm = WG.LOCAL
#netbios name = FSRV # see [1] below
log level = 0 vfs:1
#idmap config MDS:backend = ad # see [2] below
idmap config * : backend = tdb
idmap config *:range = 2000-9999
idmap config WG : backend = ad
idmap config WG : range = 10000-999999
idmap config WG : schema_mode = rfc2307 # see [3] below
winbind nss info = rfc2307
winbind use default domain = yes
winbind enum users = yes # see [4] below
winbind enum groups = yes # see [4] below
winbind refresh tickets = yes
max log size = 1000
syslog = 1
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
#unix password sync = yes # NO, no a thousand times NO, see [5] below
load printers = no
show add printer wizard = no
disable spoolss = yes
printcap name = /dev/null
hide unreadable = yes # see [6]
log writeable files on exit = yes
deadtime = 600 # see [7]
ea support = yes # see [8]
#socket options = TCP_NODELAY IPTOS_LOWDELAY # see [9]
#======================= Share Definitions ======================
[q] # see [10]
comment = File share
path = /somepath
read only = no
delete readonly = yes
strict sync = yes
sync always = yes
inherit permissions = Yes
inherit owner = Yes
veto files = /.snap/quota*/*.vmx/autorun.inf/
valid users = +WG\all WG\admin
admin users = +WG\it WG\admin
access based share enum = yes

[1] this is not strictly required, provided hostname resolution is set up correctly and if it isn't, you need to fix this, not Samba
[2] you have set workgroup to 'WG'
[3] this could also be 'template'
[4] you should only set these for testing purposes
[5] You are using AD and with this, all your users must be stored in AD, you cannot also store them in /etc/passwd i.e, you cannot have the user 'fred' in AD and /etc/passwd. The same goes for groups.
[6] Do you really want to do this ? See 'man smb.conf'
[7] 10 hours ?
[8] I have never needed this
[9] You shouldn't set these any more, just rely on the kernel
[10] You will probably be better off using POSIX acls and setting access rights from Windows

You are using the winbind 'ad' backend, have you given your users a unique uidNumber attribute and also given Domain Users a gidNumber attribute ? If you haven't and want to use the 'ad' backend, you will need to do so.

Any question, please ask.

Rowland
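As an added example (not code from the thread or from the Samba project), a small Python checker that applies the idmap rules from Rowland's replies to a domain member's smb.conf lines: the '*' default domain uses tdb, the DOMAIN backend/range lines must be present, base_rid belongs only to the rid backend, schema_mode only to the ad backend, and idmap_ldb options only on a DC. BROKEN and FIXED are the two configurations quoted in this thread and 'WG' is the workgroup they use; the function names are my own.

```python
import re

# Constructed excerpts of the two idmap configurations quoted in the thread.
BROKEN = """
idmap config * : backend = rid
idmap config * : range = 300000-400000
idmap config * : base_rid = 0
idmap config * :schema_mode = rfc2307
idmap_ldb:use rfc2307 = yes
"""
FIXED = """
idmap config * : backend = tdb
idmap config *:range = 2000-9999
idmap config WG : backend = ad
idmap config WG : range = 10000-999999
idmap config WG : schema_mode = rfc2307
"""

def parse_idmap(text):
    """Map each idmap domain to its options; DC-only 'idmap_ldb:' keys go under 'idmap_ldb'."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = re.match(r"idmap config\s*(\S+?)\s*:\s*(\S+)$", key, re.I)
        if m:
            conf.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value.lower()
        elif key.lower().startswith("idmap_ldb:"):
            conf.setdefault("idmap_ldb", {})[key[10:].strip().lower()] = value.lower()
    return conf

def check_member_idmap(text, workgroup):
    """Return the problems a domain member's idmap lines have, applying the
    rules from the replies above; an empty list means the lines pass."""
    conf, problems = parse_idmap(text), []
    if conf.get("*", {}).get("backend") != "tdb":
        problems.append("'*' backend should be tdb on a domain member")
    if not {"backend", "range"} <= set(conf.get(workgroup.upper(), {})):
        problems.append(f"missing 'idmap config {workgroup}' backend/range lines")
    for name, opts in conf.items():
        if name == "idmap_ldb":
            problems.append("idmap_ldb options are only used on a DC")
        if "base_rid" in opts and opts.get("backend") != "rid":
            problems.append(f"{name}: base_rid only applies to the rid backend")
        if "schema_mode" in opts and opts.get("backend") != "ad":
            problems.append(f"{name}: schema_mode only applies to the ad backend")
    return problems
```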
Rowland Penny
2017-Mar-14 17:18 UTC
[Samba] File/dir user permissions on Samba fileserver in DC
On Tue, 14 Mar 2017 18:50:54 +0300 it at mdsdnr.ru wrote:
> I've corrected your marks, now config looks like:
>

Still not really right ;-)

encrypt passwords = yes # you do not need this, it is a default setting
auth methods = winbind # remove this, it is not required
winbind trusted domains only = no # you do not need this, it is a default setting
passdb backend = tdbsam # you do not need this, it is a default setting
obey pam restrictions = yes # remove this, it is not required

>
> os level = 1
> case sensitive = no
> hide unreadable = yes
> log [q]
> comment = File share
> browseable = yes
> path = /opt/q
> guest ok = no
> read only = no
> delete readonly = yes
> strict sync = yes
> sync always = yes
>
> inherit permissions = Yes
> inherit acls = Yes
> inherit owner = Yes
> map acl inherit = yes
> nt acl support = yes
>
> map system = yes
> veto files = /.snap/quota*/*.vmx/autorun.inf/
>
> valid users = @WG\all WG\srvadmin
> admin users = @WG\it WG\administrator WG\srvadmin
>
> hide unreadable = yes
> vfs objects= full_audit, recycle, acl_xattr
> writeable files on exit = yes
> access based share enum = yes
> map acl inherit = yes
> map system = yes

Words fail me on the above, default lines, duplicate lines, acl_xattr is a share and in global, the other two 'vfs objects' don't have any of the other required lines to make them actually work. Can I suggest you use Windows ACLs (the info howto is on the Samba wiki) and remove all that clutter.

> ==
> > You are using the winbind 'ad' backend, have you given your users a
> > unique uidNumber attribute and also given Domain Users a gidNumber
> > attribute ? If you haven't and want to use the 'ad' backend, you
> > will need to do so.
>
> Using MMC from Win PC in domain, in group properties tab "UNIX
> attributes" assigned gid to domain group "all" from range
> 500000-600000, as in domain, for user srvadmin in same tab add
> "primary group name/GID"

Yes, but have you given Domain Users a gidNumber ???

> - group "all".
> As I understood this from here:
> https://wiki.samba.org/index.php/Installing_RSAT and here:
> https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC

If you haven't given Domain Users a gidNumber and are using Samba 4.6.x, you can follow the info here:

https://wiki.samba.org/index.php/Idmap_config_ad

>
> Result:
> wbinfo -u - shows users
> wbinfo -p - ping OK
> wbinfo -n srvadmin - shows user SID (srvadmin - domain user)
> wbinfo -i srvadmin - error:
> id srvadmin says 'no such user'.

Probably because you haven't given Domain Users a gidNumber, have you spotted the running theme here yet ?

> What additional info is needed? I'll post more and more. Simply I'm
> trying not to post too long messages...
> Sometimes wiki has too few info about something, or too unclear what
> has to be set up or done.

Unless we are told what any possible problems on the wiki are, we cannot fix them, or you could register and fix them yourself ;-)

Rowland
Rowland Penny
2017-Mar-15 10:09 UTC
[Samba] File/dir user permissions on Samba fileserver in DC
OK, use this smb.conf. DO NOT CHANGE ANYTHING, DO NOT ADD ANYTHING.
This is based on what you have posted.
If WG isn't your workgroup, change it to your actual workgroup
If WG.LOCAL isn't your realm, change it to your actual realm
NOTE: if '.local' is your TLD, then turn off Avahi if it is running.
[global]
workgroup = WG
security = ADS
realm = WG.LOCAL
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
log level = 10 vfs:1
idmap config * : backend = tdb
idmap config * : range = 2000-10000
idmap config WG : backend = ad
idmap config WG : schema_mode = rfc2307
idmap config WG : range = 500000-600000
winbind use default domain = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
max log size = 1000
syslog = 10
load printers = no
printing = bsd
show add printer wizard = no
disable spoolss = yes
printcap name = /dev/null
#======================= Share Definitions ======================
[q]
comment = File share
path = /opt/q
read only = no
Create the user.map referenced above.
nano /etc/samba/user.map
!root = WG\Administrator WG\administrator Administrator administrator
Now create an LDIF on the DC, again change 'wg' and 'local' if required.
You will also probably need to change '500000' to the next free GID number in the '500000-600000' range
nano /tmp/DU.ldif
dn: CN=Domain Users,CN=Users,DC=wg,DC=local
changetype: modify
add: msSFU30NisDomain
msSFU30NisDomain: wg
-
add: msSFU30Name
msSFU30Name: Domain Users
-
add: gidNumber
gidNumber: 500000
-
Now add the gidNumber to Domain Users with:
ldbmodify -H /var/lib/samba/private/sam.ldb -U Administrator /tmp/DU.ldif
NOTE: you may have to install the ldb-tools package.
Back to the client and leave the domain:
First stop all Samba processes
net ads leave -U Administrator
Alter /etc/krb5.conf to just this:
[libdefaults]
default_realm = WG.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
Then, re-join:
net ads join -U Administrator
> > Yes, but have you given Domain Users a gidNumber ???
> Samba-4.3.5 is used.
> Domain group "all" was set up: in UNIX Attributes "NIS domain" set up
> as "WG", Group ID set up as 550000. But when I check "Unix
> Attributes" tab in group properties it gives me a window "Unwilling
> to perform" (in translation from Russian), but it saves changes I
> make there. Same done for user: NIS Domain set to "WG", UID is set up
> to 500010, Primary group name is set to "all". No errors as above,
> when selecting tab "Unix Attributes" is shown.

The 'unwilling to perform error' is fairly common and can be ignored.

By setting the 'NIS DOMAIN' to 'all', all you are doing is adding the gidNumber for 'all' to the user, this doesn't affect the users primary group, which windows and winbind expects to be 'Domain Users', this means that 'Domain Users' must have a gidNumber, if 'Domain Users' doesn't have a gidNumber, then ALL your users will be ignored by winbind.

If you later upgrade to Samba 4.6.x, you will be able to use the 'NIS Domain' as the users Unix primary group.

Rowland
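An added helper, not part of the thread: a POSIX shell script that picks the next free gidNumber in the 500000-600000 range and prints the Domain Users LDIF from the steps in the reply above, so that the '500000' in the LDIF is not reused by mistake. It assumes the gidNumbers already in use are piped in one per line (the ldbsearch command in the comment is one way to obtain them on the DC); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: find the first free gidNumber in the
# 'idmap config WG' range and emit the Domain Users LDIF shown in the reply.
# Assumption: gidNumbers already in use arrive one per line on stdin, e.g.
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' gidNumber \
#     | awk '/^gidNumber:/ {print $2}' | next_free_gid 500000 600000

# usage: next_free_gid LOW HIGH  (used gidNumbers on stdin); prints the first free one
next_free_gid() {
    low=$1; high=$2
    used=" $(sort -n | tr '\n' ' ') "       # space-delimited set of used ids
    gid=$low
    while [ "$gid" -le "$high" ]; do
        case "$used" in
            *" $gid "*) gid=$((gid + 1)) ;;  # taken, try the next one
            *) echo "$gid"; return 0 ;;
        esac
    done
    echo "no free gidNumber in $low-$high" >&2
    return 1
}

# usage: domain_users_ldif NISDOMAIN "DC=wg,DC=local" GID  -> LDIF on stdout
domain_users_ldif() {
    printf 'dn: CN=Domain Users,CN=Users,%s\n' "$2"
    printf 'changetype: modify\n'
    printf 'add: msSFU30NisDomain\nmsSFU30NisDomain: %s\n-\n' "$1"
    printf 'add: msSFU30Name\nmsSFU30Name: Domain Users\n-\n'
    printf 'add: gidNumber\ngidNumber: %s\n-\n' "$3"
}
```

Feed the resulting LDIF to the ldbmodify command from the reply above.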
Rowland Penny
2017-Mar-16 09:58 UTC
[Samba] File/dir user permissions on Samba fileserver in DC
On Thu, 16 Mar 2017 10:13:10 +0300 it at mdsdnr.ru wrote:
> Another big thanks for help!
>
> All done as you wrote on samba fileserver. In tab "UNIX Attributes"
> GID was assigned, two users: "usr1", "usr2" get UID from same tab
> and set to "Domain Users" primary group. Also these users in one
> group in domain. Tried to do same for other groups like "all" - same
> result. Now, on file server, 'id usr1' shows user info. Same for
> "usr2". Other users, not "shared" from "UNIX attributes" tab, aren't
> "visible" by 'id' command. These users can access share, but all is
> the same, as was written in first message of this topic: "usr1" can
> create files/folders, also as "usr2", but "usr2" can't delete file
> objects, created by "usr1", and vice versa.
>
> I don't understand next: all you wrote to do is, in general, mapping
> domain credentials to linux host. To work commands like 'id',
> gethostbyname() system calls and so on. Earlier (and now) winbind did
> "all things" with domain "conversations" and all that has to be done on
> domain member to work with domain credentials is correctly set up
> NSswitch and libs for it. Then, why so complicated "things" have to be
> done (modifying LDAP, adding fields, increments, mapping users/groups
> "by hand" in RSAT, etc) is needed, if all I need is fileserver for MS
> Win clients in domain and domain is running Samba too?
>
> If there may be problems that first fileserver was set up with
> idmap_rid, and now - idmap_ad is used? I did 'net cache flush'. Did
> leave/join domain.

The only problem there may be, files and dirs might be owned by the wrong users and groups.

If you are connecting a windows user to a Unix machine running Samba, there are three ways that the user can connect.

Use the winbind 'rid' backend, this is the easiest way to map a windows user to a Unix user as the Unix ID is calculated from the windows users RID.

Use the winbind 'ad' backend, this involves (at a minimum) giving the user a unique uidNumber in AD AND giving the users primary group (usually Domain Users) a gidNumber. You will also need to set the 'idmap config DOMAIN' range in smb.conf based on the numbers you use. Note: this has changed slightly with Samba 4.6.0, you can now use the users gidNumber attribute for the users Unix primary group.

Add 'map to guest = Bad User' to smb.conf, with this, users unknown to Samba will be mapped to the guest account and allowed access.

To test if a user is known to the OS, you need to run 'getent passwd username' or 'id username'. If you don't get any output, the user is unknown to the OS and hence Samba. Testing if a user exists with 'wbinfo -u' will not tell you if the OS is aware of the user, it just tells you that the user exists in AD.

Hope this helps

Rowland
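As an added illustration (not code from the thread or from Samba), the two winbind mappings in the last reply modelled in Python: the rid backend's arithmetic from man idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID), the ad backend's requirement that both the user's uidNumber and the primary group's gidNumber exist and fall inside the configured range, and why 'wbinfo -u' lists a user that 'getent passwd' cannot resolve. The RIDs, usr3 and the group table are constructed; usr1/usr2, the 500010 UID and the 500000-600000 range come from the thread, and the function names are my own.

```python
# Constructed AD data modelled on the thread: usr1/usr2 carry uidNumbers,
# usr3 does not, and so far only the group 'all' has a gidNumber.
AD_USERS = {
    "usr1": {"rid": 1105, "uidNumber": 500010, "primaryGroup": "Domain Users"},
    "usr2": {"rid": 1106, "uidNumber": 500011, "primaryGroup": "Domain Users"},
    "usr3": {"rid": 1107, "primaryGroup": "Domain Users"},
}
AD_GROUPS = {"Domain Users": {"rid": 513}, "all": {"rid": 1108, "gidNumber": 550000}}

def rid_uid(rid, low, high, base_rid=0):
    """winbind 'rid' backend (man idmap_rid): ID = RID - BASE_RID + LOW_RANGE_ID,
    or None when the result falls outside the configured range."""
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None

def ad_ids(user, users, groups, low, high):
    """winbind 'ad' backend: the user needs a uidNumber AND its primary group
    needs a gidNumber, both inside 'idmap config DOMAIN : range'; otherwise
    winbind ignores the user, which is what 'id user' -> 'no such user' shows."""
    acct = users.get(user, {})
    uid = acct.get("uidNumber")
    gid = groups.get(acct.get("primaryGroup"), {}).get("gidNumber")
    if uid is None or gid is None:
        return None
    if not (low <= uid <= high and low <= gid <= high):
        return None
    return uid, gid

def wbinfo_u(users):
    """'wbinfo -u' lists every AD user, whether or not the OS can resolve it."""
    return sorted(users)

def getent_passwd(user, users, groups, low, high):
    """'getent passwd user' succeeds only when the id mapping resolves."""
    ids = ad_ids(user, users, groups, low, high)
    return None if ids is None else f"{user}:*:{ids[0]}:{ids[1]}"
```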