Jakub Kulesza
2017-May-03 20:48 UTC
[Samba] Problems with samba and profile syncing from various windows versions
Thanks for pointing this out.

I have read that again, now my profiles do not have "vfs objects full_audit" and disabled the csc policy. I have verified that I have set up my profiles share properly and that it has all the right entitlements. I have reset the entitlements for the users that have issues (as Administrator right click on the folder and do the dance there with Windows). We'll see tomorrow.

Is "profile acls" required anymore on Samba 4.3? What effect will it have on Windows 10?

2017-05-03 9:52 GMT+02:00 Rowland Penny <rpenny at samba.org>:
> On Wed, 3 May 2017 09:15:30 +0200
> Jakub Kulesza via samba <samba at lists.samba.org> wrote:
>
> > [profiles]
> >     path = /var/local/samba/var/lib/samba/profiles
> >     read only = no
> >     browseable = no
> >     create mask = 0600
> >     directory mask = 0700
> >     profile acls = yes
> >     vfs objects = full_audit
> >
>
> Sorry, but this doesn't work on a Samba AD DC, you will have to use
> windows ACL's, see here:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Rowland
Rowland Penny
2017-May-04 06:45 UTC
[Samba] Problems with samba and profile syncing from various windows versions
On Wed, 3 May 2017 22:48:06 +0200 Jakub Kulesza via samba <samba at lists.samba.org> wrote:
> Thanks for pointing this out.
>
> I have read that again, now my profiles do not have "vfs objects
> full_audit" and disabled the csc policy. I have verified that I have
> set up my profiles share properly and that it has all the right
> entitlements. I have reset the entitlements for the users that have
> issues (as Administrator right click on the folder and do the dance
> there with Windows). We'll see tomorrow.
>
> Is "profile acls" required anymore on Samba 4.3? What effect will it
> have on Windows 10?
>

On a Samba AD DC, no, you must use windows ACLs, but, on a Unix domain member, you can use the old way i.e. 'create mask' etc

Rowland
Rowland Penny
2017-May-04 07:36 UTC
[Samba] Problems with samba and profile syncing from various windows versions
On Thu, 4 May 2017 09:07:11 +0200 Arnaud FLORENT <aflorent at iris-tech.fr> wrote:
> On 04/05/2017 at 08:45, Rowland Penny via samba wrote:
> > On Wed, 3 May 2017 22:48:06 +0200
> > Jakub Kulesza via samba <samba at lists.samba.org> wrote:
> >
> >> Thanks for pointing this out.
> >>
> >> I have read that again, now my profiles do not have "vfs objects
> >> full_audit" and disabled the csc policy. I have verified that I
> >> have set up my profiles share properly and that it has all the
> >> right entitlements. I have reset the entitlements for the users
> >> that have issues (as Administrator right click on the folder and
> >> do the dance there with Windows). We'll see tomorrow.
> >>
> >> Is "profile acls" required anymore on Samba 4.3? What effect will
> >> it have on Windows 10?
> >>
> > On a Samba AD DC, no, you must use windows ACLs, but, on a Unix
> > domain member, you can use the old way i.e. 'create mask' etc
> >
> > Rowland
> >
> >
> Could you explain why the old way can not be used please?
>
> why only shares using extended ACLs are supported on a Samba AD DC?
>
> extended ACL support is automatically enabled globally
> but there may be a way to disable it for a specific share?

You answered your question yourself ;-)

Extended ACL support is automatically enabled globally and you cannot turn it off.

Rowland
Rowland Penny
2017-May-04 08:01 UTC
[Samba] Problems with samba and profile syncing from various windows versions
On Thu, 4 May 2017 09:39:17 +0200 Arnaud FLORENT <aflorent at iris-tech.fr> wrote:
>
> On 04/05/2017 at 09:36, Rowland Penny wrote:
> > On Thu, 4 May 2017 09:07:11 +0200
> > Arnaud FLORENT <aflorent at iris-tech.fr> wrote:
> >
> >> On 04/05/2017 at 08:45, Rowland Penny via samba wrote:
> >>> On Wed, 3 May 2017 22:48:06 +0200
> >>> Jakub Kulesza via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Thanks for pointing this out.
> >>>>
> >>>> I have read that again, now my profiles do not have "vfs objects
> >>>> = full_audit" and disabled the csc policy. I have verified that I
> >>>> have set up my profiles share properly and that it has all the
> >>>> right entitlements. I have reset the entitlements for the users
> >>>> that have issues (as Administrator right click on the folder and
> >>>> do the dance there with Windows). We'll see tomorrow.
> >>>>
> >>>> Is "profile acls" required anymore on Samba 4.3? What effect will
> >>>> it have on Windows 10?
> >>>>
> >>> On a Samba AD DC, no, you must use windows ACLs, but, on a Unix
> >>> domain member, you can use the old way i.e. 'create mask' etc
> >>>
> >>> Rowland
> >>>
> >>>
> >> Could you explain why the old way can not be used please?
> >>
> >> why only shares using extended ACLs are supported on a Samba AD DC?
> >>
> >> extended ACL support is automatically enabled globally
> >> but there may be a way to disable it for a specific share?
> > You answered your question yourself ;-)
> >
> > Extended ACL support is automatically enabled globally and you
> > cannot turn it off.
> >
> > Rowland
> >
> >
> nt acl =no
> seems to work
>
> am i wrong to use this?

YES!

> what kind of errors may occurs?

The AD DC relies on NT ACLs, you need to accept that you must use Windows ACLs on a Samba AD DC if you use it as a fileserver. If you must use the old way of doing things, set up a Unix domain member and use this as a fileserver instead.

If you go here:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Under the heading 'Using POSIX ACLs', you will find an info box containing this:

When setting up the share on a Samba Active Directory (AD) domain controller (DC), you cannot use POSIX ACLs. On an Samba DC, only shares using extended ACLs are supported. For further details, see Enable Extended ACL Support in the smb.conf File. To set up the share on a Samba AD DC, see Setting up the Profiles Share on the Samba File Server - Using Windows ACLs.

This wasn't written for no reason.

Rowland
Arnaud FLORENT
2017-May-04 08:22 UTC
[Samba] Problems with samba and profile syncing from various windows versions
On 04/05/2017 at 10:01, Rowland Penny wrote:
> On Thu, 4 May 2017 09:39:17 +0200
> Arnaud FLORENT <aflorent at iris-tech.fr> wrote:
>
>>
>> On 04/05/2017 at 09:36, Rowland Penny wrote:
>>> On Thu, 4 May 2017 09:07:11 +0200
>>> Arnaud FLORENT <aflorent at iris-tech.fr> wrote:
>>>
>>>> On 04/05/2017 at 08:45, Rowland Penny via samba wrote:
>>>>> On Wed, 3 May 2017 22:48:06 +0200
>>>>> Jakub Kulesza via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Thanks for pointing this out.
>>>>>>
>>>>>> I have read that again, now my profiles do not have "vfs objects
>>>>>> = full_audit" and disabled the csc policy. I have verified that I
>>>>>> have set up my profiles share properly and that it has all the
>>>>>> right entitlements. I have reset the entitlements for the users
>>>>>> that have issues (as Administrator right click on the folder and
>>>>>> do the dance there with Windows). We'll see tomorrow.
>>>>>>
>>>>>> Is "profile acls" required anymore on Samba 4.3? What effect will
>>>>>> it have on Windows 10?
>>>>>>
>>>>> On a Samba AD DC, no, you must use windows ACLs, but, on a Unix
>>>>> domain member, you can use the old way i.e. 'create mask' etc
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> Could you explain why the old way can not be used please?
>>>>
>>>> why only shares using extended ACLs are supported on a Samba AD DC?
>>>>
>>>> extended ACL support is automatically enabled globally
>>>> but there may be a way to disable it for a specific share?
>>> You answered your question yourself ;-)
>>>
>>> Extended ACL support is automatically enabled globally and you
>>> cannot turn it off.
>>>
>>> Rowland
>>>
>>>
>> nt acl =no
>> seems to work
>>
>> am i wrong to use this?
> YES!
>
>> what kind of errors may occurs?
> The AD DC relies on NT ACLs, you need to accept that you must use
> Windows ACLs on a Samba AD DC if you use it as a fileserver. If you
> must use the old way of doing things, set up a Unix domain member and
> use this as a fileserver instead.
>
> If you go here:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Under the heading 'Using POSIX ACLs', you will find an info box
> containing this:
>
> When setting up the share on a Samba Active Directory (AD) domain
> controller (DC), you cannot use POSIX ACLs. On an Samba DC, only
> shares using extended ACLs are supported. For further details, see
> Enable Extended ACL Support in the smb.conf File. To set up the share
> on a Samba AD DC, see Setting up the Profiles Share on the Samba File
> Server - Using Windows ACLs.
>
> This wasn't written for no reason.
>
> Rowland

Thank you Rowland

so my next question is

is there a way to setup the share and windows acl only from server command line?
L.P.H. van Belle
2017-May-04 09:11 UTC
[Samba] Problems with samba and profile syncing from various windows versions
A way to do this is for the ACL, copy the default, create a file from it and use that.
For the share right, i don't know, haven't tried that.

getfacl path_to_sysvol

You get something like this :

getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Create a file with the needed content.
Then setfacl -M FILE-ACL.txt -R /var/lib/samba/sysvol
Change path to sysvol if needed.

Important one.
You need to find the id for user SYSTEM, in above example, 3000002 is for me SYSTEM.
There are mostly 2 numeric id's and only one with RWX rights. That's system.
Most things work without system, i recommend you set it.

But preferred is to do this from within windows.
Just join a pc to the domain and login with a user with "Domain Admins" rights.
And setup as the wiki shows.

Greetz, Louis
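
Added example, not part of the original thread: a POSIX shell sketch of the "find the id for SYSTEM" step from the message above, run on the getfacl output quoted there (embedded as a constructed sample). The function names are hypothetical, and the "only numeric id with rwx" rule is the poster's heuristic, so the script refuses to guess when it does not yield exactly one id.

```shell
#!/bin/sh
# Constructed sample: the getfacl output quoted in the message above.
sample_acl() {
cat <<'EOF'
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:group:3000002:rwx
default:group:3000003:r-x
EOF
}

# numeric_groups_with PERMS: read getfacl output on stdin and print the
# numeric group ids whose access (not default:) entry has exactly PERMS.
numeric_groups_with() {
    awk -F: -v want="$1" '
        /^#/ || /^default:/ { next }
        $1 == "group" && $2 ~ /^[0-9]+$/ {
            perms = $3
            sub(/[ \t]*#.*$/, "", perms)   # drop "#effective:" comments
            if (perms == want) print $2
        }'
}

# system_gid: apply the rule from the message (the one numeric id with rwx).
# Fails instead of guessing when zero or several ids match.
system_gid() {
    ids=$(numeric_groups_with rwx)
    count=$(printf '%s\n' "$ids" | grep -c '^[0-9]' || true)
    if [ "$count" -ne 1 ]; then
        echo "expected one numeric rwx group, found $count" >&2
        return 1
    fi
    printf '%s\n' "$ids"
}

# On a live server, confirm the guess before running setfacl:
#   wbinfo --gid-to-sid="$(getfacl -p /var/lib/samba/sysvol | system_gid)"
# should print S-1-5-18, the well-known SID of SYSTEM.
sample_acl | system_gid
```

setfacl changes the POSIX ACL only; the NT ACL that Samba stores in the security.NTACL extended attribute is a separate object.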