Hello

I have a Debian 8 with samba (Version 4.2.10-Debian) that serves as
Fileserver.

My smb.conf

[global]
workgroup = XXXXX
realm = GRUPO.XXXXX.COM.BR
security = ADS
idmap config * : backend = rid
idmap config * : range = 100000-999999
client schannel = no
allow trusted domains = yes
winbind use default domain = yes
winbind refresh tickets = Yes
winbind offline logon = no
winbind cache time = 360
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
map to guest = bad user
guest account = guest
guest ok = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

I have sharing:

[QUALIDADELEITE]
path = /home/QUALIDADELEITE
browseable = yes
writeable = yes
printable = no
create mask = 0770
force directory mode = 0770
force create mode = 0770
force group = +qualidadeleite
valid users = @qualidadeleite

getfacl /home/QUALIDADELEITE
# file: home/QUALIDADELEITE
# owner: root
# group: qualidadeleite
user::rwx
group::rwx
other::---
default:user::rwx
default:group::r-x
default:group:qualidadeleite:rwx
default:mask::rwx
default:other::r-x

My doubt: inside it I have an ok.txt file.

getfacl ok.txt
# file: ok.txt
# owner: root
# group: root
user::rwx
group::r-x                      #effective:---
group:qualidadeleite:rwx        #effective:---
mask::---
other::---

The problem: this way a user of the qualidadeleite group cannot do
anything with the file, even though they have permissions via ACL. This
only happens on shares.
Directly on the file system the ACL permission is functional.

Access to this directory occurs both directly (ssh) and via shares.

Do you know what it can be?

Regards

Hai Carlos,

I suggest you start here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File

Which says..

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use an read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999

And you want RID,
https://wiki.samba.org/index.php/Idmap_config_rid

So fix your smb.conf, restart samba.
Run : net cache flush

Test id username
And try again.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Carlos A. P. Cunha via samba
> Sent: Tuesday 27 June 2017 16:26
> To: samba at lists.samba.org
> Subject: [Samba] ACL SHARE

On Tue, 27 Jun 2017 16:32:22 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai Carlos,
>
> I suggest start here :
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
>
> Which says..
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use an read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> And you want RID,
> https://wiki.samba.org/index.php/Idmap_config_rid
>
> So fix you smb.conf, restart samba.
> Run : net cache flush
>
> Test id username
> And try again.
>
> Greetz,
>
> Louis

What Louis said, plus, you really need to upgrade Samba. You can get later packages from here:

http://apt.van-belle.nl/

Rowland

Correct is not much different, but you need a "correct" config.
Now your config is simply wrong. ( sorry )
This proves it.

One question..

idmap config * : backend = rid
idmap config * : range = 100000-999999

Can you write your "rid" to the samba AD.. No.

# - must use an read-write-enabled back end, such as tdb.

You need also :

# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

But do remember ...
For every domain, set these parameters individually. The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.

Greetz,

Louis

From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
Sent: Tuesday 27 June 2017 17:07
To: L.P.H. van Belle
Subject: Re: [Samba] ACL SHARE

Hello
Thank you for your attention.
My conf is not much different from the documentation, and what's different "I believe" is not my problem.
As I mentioned the problem only occurs with access via sharing ....

Regards
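
The two rules Louis quotes from the Samba wiki (the * default domain needs a read-write backend, and no two idmap ranges may overlap) can be checked mechanically before restarting Samba. The following is an added example, not part of the thread or of Samba; the function names and the read-only backend entries other than rid are assumptions.

```python
import re

# Backends that cannot allocate new IDs. The thread only names rid; the other
# entries are an assumption taken from the Samba idmap man pages.
READ_ONLY_BACKENDS = {"rid", "ad", "nss", "hash"}

IDMAP_RE = re.compile(
    r"^[ \t]*idmap[ \t]+config[ \t]+(?P<dom>\S+)[ \t]*:[ \t]*"
    r"(?P<key>backend|range)[ \t]*=[ \t]*(?P<val>\S.*?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)
# The idmap lines Carlos posted and the ones Louis suggests, copied from the thread.
POSTED = """[global]
idmap config * : backend = rid
idmap config * : range = 100000-999999
"""
SUGGESTED = """[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for m in IDMAP_RE.finditer(conf_text):
        entry = domains.setdefault(m["dom"], {})
        if m["key"].lower() == "backend":
            entry["backend"] = m["val"].lower()
        else:
            low, high = (int(x) for x in m["val"].split("-"))
            entry["range"] = (low, high)
    return domains

def check_idmap(conf_text):
    """Return findings for the two wiki rules; an empty list means both hold."""
    domains = parse_idmap(conf_text)
    findings = []
    backend = domains.get("*", {}).get("backend")
    if backend in READ_ONLY_BACKENDS:
        findings.append(f"default domain (*) uses read-only backend '{backend}'")
    top, top_name = -1, None  # highest ID seen so far and the domain that owns it
    for (low, high), name in sorted((d["range"], n) for n, d in domains.items() if "range" in d):
        if low <= top:
            findings.append(f"ID ranges of '{top_name}' and '{name}' overlap")
        if high > top:
            top, top_name = high, name
    return findings
```

check_idmap(POSTED) reports the read-only default backend, and check_idmap(SUGGESTED) returns an empty list.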