Doug Sampson
2018-Sep-17 19:00 UTC
[Samba] Cannot access HOME folder after upgrading to 4.8 from 4.6
Hello-

I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the upgrade, users cannot access the HOME folder share but they can access other shares just fine.

I am using the RID backend on this member server that connects to Windows-based domain controllers. I apologize for the lengthy smb4.conf but here it is:


#======================= Global Settings =====================================
[global]
# This would be your AD Domain (kerberos realm)
realm = DAWNSIGN.COM
security = ADS
encrypt passwords = yes
workgroup = EXAMPLE
server string =
hosts allow = 192.168.xxx. 192.168.xxx. 127.
name resolve order = lmhosts bcast

socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE

# Uncomment this if you want 139 open, but why would you? We're doing SMB over
# TCP only. No NetBIOS here
smb ports = 445
disable netbios = Yes

# ver 4.1 - RID backend
idmap config EXAMPLE:range = 50001-60000
idmap config EXAMPLE:default = yes
idmap config EXAMPLE:backend = rid
idmap config *:range = 1000-50000
idmap config *:backend = tdb

winbind separator = -
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind cache time = 10
winbind offline logon = yes
winbind refresh tickets = yes
kerberos method = secrets and keytab
dedicated keytab file = /usr/local/etc/krb5.keytab

winbind nss info = rfc2307
winbind scan trusted domains = yes

# ver 4.1
client ldap sasl wrapping = seal
directory name cache size = 0

# workaround to constant error messages in log.192.168.xxx.175
# prevent winbindd from changing machine password
# https://lists.samba.org/archive/samba/2016-September/203338.html
machine password timeout = 0

#################
### Member Server
#################
# Browser settings
preferred master = no
local master = no
domain master = no

#= Disable Printing/Cups ============
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# Change this to where you want the samba log
log file = /var/log/samba4/log.%m
# Debug goes from 1 to 10 * 10 way too much info for me to understand ;)
#debug level = 10
log level = 2
#log level = 0


# Settings to enhance performance:
strict locking = no
read raw = yes
write raw = yes
#oplocks = yes
max xmit = 65535
deadtime = 15
getwd cache = yes
max connections = 65535
max open files = 65535

use sendfile = true
aio read size = 16384
# Use asynchronous I/O for reads bigger than 16KB request size
aio write size = 16384
# Use asynchronous I/O for writes bigger than 16KB request size
#aio write behind = true
min receivefile size = 16384
strict sync = no
sync always = no
# End of performance section

#assuming you installed bash - change as needed
template shell = /bin/bash
guest account = nobody

admin users = EXAMPLE-user EXAMPLE-admin @"EXAMPLE-domain admins"

# ZFS stuff
read only = no
inherit permissions = Yes
# allow ZFS to handle inheritance
inherit acls = No
inherit owner = Yes
force unknown acl user = No
store dos attributes = yes
map read only = no
map acl inherit = yes

vfs objects = zfsacl acl_xattr audit netatalk
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes

#============================ Share Definitions ==============================
# Share - man smb.conf for details

[public]
comment = test share
# this share resides on an UFS filesystem!
path = /zdata/public
public = yes
writable = yes
printable = no
write list = @"EXAMPLE-domain admins"

[apps]
comment = Folder for applications
path = /zdata/apps
valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain users"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[clients]
comment = Folder for Internet client software for domain admins' use
path = /zdata/clients
valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain users"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[downloads]
comment = Folder for downloads for domain admins' use
path = /zdata/downloads
valid users = @"EXAMPLE-domain admins"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[groups]
comment = Departmental folders
path = /zdata/groups
valid users = "@EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
force create mode = 0770
force directory mode = 0770
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
# vfs objects = zfsacl, shadow_copy2, full_audit
vfs objects = zfsacl, shadow_copy2
shadow: snapdir = .zfs/snapshot
shadow: format = %Y-%m-%dT%H:%M:%S
shadow: snapdirseverywhere = yes
shadow: sort = desc
shadow: localtime = no
# full_audit:prefix = %u|%I
# full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
# full_audit:failure = none
# full_audit:facility = LOCAL7
# full_audit:priority = ALERT

[mac_software]
comment = repository for all Mac OSX-related software
path = /zdata/mac_software
valid users = @EXAMPLE-production @"EXAMPLE-domain admins" @EXAMPLE-marketing
writable = yes
printable = no
force create mode = 0770
force directory mode = 0770
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[ops]
comment = Folder for the old OPS files
path = /zdata/ops
valid users = @EXAMPLE-sales @"EXAMPLE-domain admins"
writeable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[payroll]
comment = Folder for sensitive payroll functions
path = /zdata/payroll
valid users = @EXAMPLE-payroll "@EXAMPLE-domain admins"
browseable = yes
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[perform]
comment = Folder for purchase orders using Perform software
path = /zdata/apps/PERFORM
valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
writeable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[pye]
comment = Folder for year-end financial backups
path = /zdata/pye
valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
writeable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[reports]
comment = Folder for CRW reports
path = /zdata/reports
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[shared]
comment = Folder for intra-company sharing
path = /zdata/shared
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[star]
comment = Folder for old Starship shipping data
path = /zdata/star
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[tm]
comment = Folder for old TeleMagic data
path = /zdata/tm
valid users = @"EXAMPLE-domain admins"
# read list = @"EXAMPLE-domain users"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[x-groups]
comment = Old Groups Folder for intra-company sharing
path = /zdata/x-groups
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[profiles]
comment = Users profiles
# path = /zdata/profiles/%U
path = /zdata/profiles
# guest ok = no
browseable = no
read only = no
force create mode = 0600
force directory mode = 0700
create mask = 0600
directory mask = 0700
valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
store dos attributes = Yes
# commenting this out for v4.8
# profile acls = yes
csc policy = disable
# inherit permissions = Yes
# inherit owner = Yes
# delete veto files = Yes
# veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
# hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# map archive = No
vfs objects = zfsacl
force user = EXAMPLE-%U


# uncomment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username

[home]
comment = Home directories for AD users
path = /zdata/home
# browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
read only = no
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only "username" can connect to \\server\username
# This might need tweaking when using external authentication schemes
## valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
# inherit permissions = Yes
# inherit owner = Yes
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/$RECYCLE.BIN/
# map archive = No
# map readonly = no
vfs objects = zfsacl, shadow_copy2, full_audit
full_audit:prefix = %u|%I
full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = ALERT
shadow: snapdir = .zfs/snapshot
shadow: format = %Y-%m-%dT%H:%M:%S
shadow: snapdirseverywhere = yes
shadow: sort = desc
shadow: localtime = no



I have several other SMB servers that were upgraded to 4.8 and I am able to enumerate users and groups on all of these servers except this one. I cannot enumerate groups and I am mystified as to why I cannot.

Also is the variable DSP-%U still supported? I have tried "EXAMPLE-Domain Users" in place of EXAMPLE-%U. It doesn't work.

Is the vfs object full_audit still supported by 4.8?

~Doug
Rowland Penny
2018-Sep-17 19:49 UTC
[Samba] Cannot access HOME folder after upgrading to 4.8 from 4.6
On Mon, 17 Sep 2018 19:00:38 +0000
Doug Sampson via samba <samba at lists.samba.org> wrote:

> Hello-
>
> I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the
> upgrade, users cannot access the HOME folder share but they can
> access other shares just fine.
>
> I am using the RID backend on this member server that connects to
> Windows-based domain controllers. I apologize for the lengthy
> smb4.conf but here it is:
>
>
> #======================= Global Settings =====================================
> [global]
> # This would be your AD Domain (kerberos realm)
> realm = DAWNSIGN.COM
> security = ADS
> encrypt passwords = yes
> workgroup = EXAMPLE
> server string =
> hosts allow = 192.168.xxx. 192.168.xxx. 127.
> name resolve order = lmhosts bcast
>
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>
> # Uncomment this if you want 139 open, but why would you? We're doing
> # SMB over TCP only. No NetBIOS here
> smb ports = 445
> disable netbios = Yes
>
> # ver 4.1 - RID backend
> idmap config EXAMPLE:range = 50001-60000
> idmap config EXAMPLE:default = yes
> idmap config EXAMPLE:backend = rid
> idmap config *:range = 1000-50000
> idmap config *:backend = tdb
>
> winbind separator = -
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes
> winbind cache time = 10
> winbind offline logon = yes
> winbind refresh tickets = yes
> kerberos method = secrets and keytab
> dedicated keytab file = /usr/local/etc/krb5.keytab
>
> winbind nss info = rfc2307
> winbind scan trusted domains = yes
>
> # ver 4.1
> client ldap sasl wrapping = seal
> directory name cache size = 0
>
> # workaround to constant error messages in log.192.168.xxx.175
> # prevent winbindd from changing machine password
> # https://lists.samba.org/archive/samba/2016-September/203338.html
> machine password timeout = 0
>
> #################
> ### Member Server
> #################
> # Browser settings
> preferred master = no
> local master = no
> domain master = no
>
> #= Disable Printing/Cups ============
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # Change this to where you want the samba log
> log file = /var/log/samba4/log.%m
> # Debug goes from 1 to 10 * 10 way too much info for me to
> # understand ;)
> #debug level = 10
> log level = 2
> #log level = 0
>
>
> # Settings to enhance performance:
> strict locking = no
> read raw = yes
> write raw = yes
> #oplocks = yes
> max xmit = 65535
> deadtime = 15
> getwd cache = yes
> max connections = 65535
> max open files = 65535
>
> use sendfile = true
> aio read size = 16384
> # Use asynchronous I/O for reads bigger than 16KB request size
> aio write size = 16384
> # Use asynchronous I/O for writes bigger than 16KB request size
> #aio write behind = true
> min receivefile size = 16384
> strict sync = no
> sync always = no
> # End of performance section
>
> #assuming you installed bash - change as needed
> template shell = /bin/bash
> guest account = nobody
>
> admin users = EXAMPLE-user EXAMPLE-admin @"EXAMPLE-domain admins"
>
> # ZFS stuff
> read only = no
> inherit permissions = Yes
> # allow ZFS to handle inheritance
> inherit acls = No
> inherit owner = Yes
> force unknown acl user = No
> store dos attributes = yes
> map read only = no
> map acl inherit = yes
>
> vfs objects = zfsacl acl_xattr audit netatalk
> nfs4:mode = special
> nfs4:acedup = merge
> nfs4:chown = yes
>
> #============================ Share Definitions ==============================
> # Share - man smb.conf for details
>
> [public]
> comment = test share
> # this share resides on an UFS filesystem!
> path = /zdata/public
> public = yes
> writable = yes
> printable = no
> write list = @"EXAMPLE-domain admins"
>
> [apps]
> comment = Folder for applications
> path = /zdata/apps
> valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain users"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [clients]
> comment = Folder for Internet client software for domain admins' use
> path = /zdata/clients
> valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain users"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [downloads]
> comment = Folder for downloads for domain admins' use
> path = /zdata/downloads
> valid users = @"EXAMPLE-domain admins"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [groups]
> comment = Departmental folders
> path = /zdata/groups
> valid users = "@EXAMPLE-domain users" @"EXAMPLE-domain admins"
> writable = yes
> printable = no
> force create mode = 0770
> force directory mode = 0770
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> # vfs objects = zfsacl, shadow_copy2, full_audit
> vfs objects = zfsacl, shadow_copy2
> shadow: snapdir = .zfs/snapshot
> shadow: format = %Y-%m-%dT%H:%M:%S
> shadow: snapdirseverywhere = yes
> shadow: sort = desc
> shadow: localtime = no
> # full_audit:prefix = %u|%I
> # full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
> # full_audit:failure = none
> # full_audit:facility = LOCAL7
> # full_audit:priority = ALERT
>
> [mac_software]
> comment = repository for all Mac OSX-related software
> path = /zdata/mac_software
> valid users = @EXAMPLE-production @"EXAMPLE-domain admins" @EXAMPLE-marketing
> writable = yes
> printable = no
> force create mode = 0770
> force directory mode = 0770
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [ops]
> comment = Folder for the old OPS files
> path = /zdata/ops
> valid users = @EXAMPLE-sales @"EXAMPLE-domain admins"
> writeable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [payroll]
> comment = Folder for sensitive payroll functions
> path = /zdata/payroll
> valid users = @EXAMPLE-payroll "@EXAMPLE-domain admins"
> browseable = yes
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [perform]
> comment = Folder for purchase orders using Perform software
> path = /zdata/apps/PERFORM
> valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
> writeable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [pye]
> comment = Folder for year-end financial backups
> path = /zdata/pye
> valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
> writeable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [reports]
> comment = Folder for CRW reports
> path = /zdata/reports
> valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [shared]
> comment = Folder for intra-company sharing
> path = /zdata/shared
> valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [star]
> comment = Folder for old Starship shipping data
> path = /zdata/star
> valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [tm]
> comment = Folder for old TeleMagic data
> path = /zdata/tm
> valid users = @"EXAMPLE-domain admins"
> # read list = @"EXAMPLE-domain users"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [x-groups]
> comment = Old Groups Folder for intra-company sharing
> path = /zdata/x-groups
> valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
> writable = yes
> printable = no
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> inherit permissions = Yes
> inherit owner = Yes
> map archive = No
> vfs objects = zfsacl
>
> [profiles]
> comment = Users profiles
> # path = /zdata/profiles/%U
> path = /zdata/profiles
> # guest ok = no
> browseable = no
> read only = no
> force create mode = 0600
> force directory mode = 0700
> create mask = 0600
> directory mask = 0700
> valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> store dos attributes = Yes
> # commenting this out for v4.8
> # profile acls = yes
> csc policy = disable
> # inherit permissions = Yes
> # inherit owner = Yes
> # delete veto files = Yes
> # veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> # hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> # map archive = No
> vfs objects = zfsacl
> force user = EXAMPLE-%U
>
>
> # uncomment the following (and tweak the other settings below to suit)
> # to enable the default home directory shares. This will share each
> # user's home directory as \\server\username
>
> [home]
> comment = Home directories for AD users
> path = /zdata/home
> # browseable = no
> # By default, the home directories are exported read-only. Change the
> # next parameter to 'no' if you want to be able to write to them.
> read only = no
> # File creation mask is set to 0700 for security reasons. If you want
> # to create files with group=rw permissions, set next parameter to 0775.
> create mask = 0700
> # Directory creation mask is set to 0700 for security reasons. If you
> # want to create dirs. with group=rw permissions, set next parameter
> # to 0775.
> directory mask = 0700
> # By default, \\server\username shares can be connected to by anyone
> # with access to the samba server. Un-comment the following parameter
> # to make sure that only "username" can connect to \\server\username
> # This might need tweaking when using external authentication schemes
> ## valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> # inherit permissions = Yes
> # inherit owner = Yes
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/$RECYCLE.BIN/
> # map archive = No
> # map readonly = no
> vfs objects = zfsacl, shadow_copy2, full_audit
> full_audit:prefix = %u|%I
> full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
> full_audit:failure = none
> full_audit:facility = LOCAL7
> full_audit:priority = ALERT
> shadow: snapdir = .zfs/snapshot
> shadow: format = %Y-%m-%dT%H:%M:%S
> shadow: snapdirseverywhere = yes
> shadow: sort = desc
> shadow: localtime = no
>
>
>
> I have several other SMB servers that were upgraded to 4.8 and I am
> able to enumerate users and groups on all of these servers except
> this one. I cannot enumerate groups and I am mystified as to why I
> cannot.

Why do you feel you need to enumerate groups ? What do you get from
enumerating groups ? I take it that 'getent group agroup' works

Having said all that, there have been changes that may be causing your
problem, a user needs to be logged in before full group membership is
shown.

>
> Also is the variable DSP-%U still supported? I have tried
> "EXAMPLE-Domain Users" in place of EXAMPLE-%U. It doesn't work.

It wouldn't ;-)
The 'U' is short for Username and Domain Users isn't a user.
You could try '%G'

>
> Is the vfs object full_audit still supported by 4.8?

Yes

Rowland
Doug Sampson
2018-Sep-17 20:50 UTC
[Samba] Cannot access HOME folder after upgrading to 4.8 from 4.6
> Hello-
>
> I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the
> upgrade, users cannot access the HOME folder share but they can access
> other shares just fine.
>
> I am using the RID backend on this member server that connects to Windows-
> based domain controllers. I apologize for the lengthy smb4.conf but here
> it is:
>

[ ...snip... ]

> # uncomment the following (and tweak the other settings below to suit)
> # to enable the default home directory shares. This will share each
> # user's home directory as \\server\username
>
> [home]
> comment = Home directories for AD users
> path = /zdata/home
> # browseable = no
> # By default, the home directories are exported read-only. Change the
> # next parameter to 'no' if you want to be able to write to them.
> read only = no
> # File creation mask is set to 0700 for security reasons. If you want to
> # create files with group=rw permissions, set next parameter to 0775.
> create mask = 0700
> # Directory creation mask is set to 0700 for security reasons. If you want
> # to create dirs. with group=rw permissions, set next parameter to 0775.
> directory mask = 0700
> # By default, \\server\username shares can be connected to by anyone
> # with access to the samba server. Un-comment the following parameter
> # to make sure that only "username" can connect to \\server\username
> # This might need tweaking when using external authentication schemes
> ## valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> # inherit permissions = Yes
> # inherit owner = Yes
> delete veto files = Yes
> veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/$RECYCLE.BIN/
> # map archive = No
> # map readonly = no
> vfs objects = zfsacl, shadow_copy2, full_audit
> full_audit:prefix = %u|%I
> full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
> full_audit:failure = none
> full_audit:facility = LOCAL7
> full_audit:priority = ALERT
> shadow: snapdir = .zfs/snapshot
> shadow: format = %Y-%m-%dT%H:%M:%S
> shadow: snapdirseverywhere = yes
> shadow: sort = desc
> shadow: localtime = no
>
>
>
> I have several other SMB servers that were upgraded to 4.8 and I am able
> to enumerate users and groups on all of these servers except this one. I
> cannot enumerate groups and I am mystified as to why I cannot.
>
> Also is the variable DSP-%U still supported? I have tried "EXAMPLE-Domain
> Users" in place of EXAMPLE-%U. It doesn't work.
>
> Is the vfs object full_audit still supported by 4.8?
>

I substituted EXAMPLE-%U with "EXAMPLE-domain users" and now users are able to access their home folders. Since each user's home folders have had user security restrictions applied at the file level, I am comfortable with the level of security here.

But why the change??? I looked at both 4.7 and 4.8 release notes and did not see anything related to this. Has this been deprecated?

~Doug
Rowland Penny
2018-Sep-17 21:08 UTC
[Samba] Cannot access HOME folder after upgrading to 4.8 from 4.6
On Mon, 17 Sep 2018 20:50:13 +0000
Doug Sampson via samba <samba at lists.samba.org> wrote:

> > Hello-
> >
> > I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the
> > upgrade, users cannot access the HOME folder share but they can
> > access other shares just fine.
> >
> > I am using the RID backend on this member server that connects to
> > Windows-based domain controllers. I apologize for the lengthy
> > smb4.conf but here it is:
> >
>
> [ ...snip... ]
>
> > # uncomment the following (and tweak the other settings below to
> > # suit) to enable the default home directory shares. This will
> > # share each user's home directory as \\server\username
> >
> > [home]
> > comment = Home directories for AD users
> > path = /zdata/home
> > # browseable = no
> > # By default, the home directories are exported read-only. Change
> > # the next parameter to 'no' if you want to be able to write to
> > # them.
> > read only = no
> > # File creation mask is set to 0700 for security reasons. If you
> > # want to create files with group=rw permissions, set next
> > # parameter to 0775.
> > create mask = 0700
> > # Directory creation mask is set to 0700 for security reasons. If
> > # you want to create dirs. with group=rw permissions, set next
> > # parameter to 0775.
> > directory mask = 0700
> > # By default, \\server\username shares can be connected to by anyone
> > # with access to the samba server. Un-comment the following
> > # parameter to make sure that only "username" can connect to
> > # \\server\username
> > # This might need tweaking when using external authentication schemes
> > ## valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> > valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> > # inherit permissions = Yes
> > # inherit owner = Yes
> > delete veto files = Yes
> > veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> > hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/$RECYCLE.BIN/
> > # map archive = No
> > # map readonly = no
> > vfs objects = zfsacl, shadow_copy2, full_audit
> > full_audit:prefix = %u|%I
> > full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
> > full_audit:failure = none
> > full_audit:facility = LOCAL7
> > full_audit:priority = ALERT
> > shadow: snapdir = .zfs/snapshot
> > shadow: format = %Y-%m-%dT%H:%M:%S
> > shadow: snapdirseverywhere = yes
> > shadow: sort = desc
> > shadow: localtime = no
> >
> >
> >
> > I have several other SMB servers that were upgraded to 4.8 and I
> > am able to enumerate users and groups on all of these servers
> > except this one. I cannot enumerate groups and I am mystified as to
> > why I cannot.
> >
> > Also is the variable DSP-%U still supported? I have tried
> > "EXAMPLE-Domain Users" in place of EXAMPLE-%U. It doesn't work.
> >
> > Is the vfs object full_audit still supported by 4.8?
> >
>
> I substituted EXAMPLE-%U with "EXAMPLE-domain users" and now users
> are able to access their home folders. Since each user's home folders
> have had user security restrictions applied at the file level, I am
> comfortable with the level of security here.
>
> But why the change??? I looked at both 4.7 and 4.8 release notes and
> did not see anything related to this. Has this been deprecated?
>
> ~Doug
>

%U is still valid and if you read 'man smb.conf' you will find this:

%U
    session username (the username that the client wanted, not
    necessarily the same as the one they got).

You could try '%u':

%u
    username of the current service, if any.

Rowland
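The difference Rowland points to between %U (the name the client asked for) and %u (the Unix account the session got), and what Doug's switch from EXAMPLE-%U to "EXAMPLE-domain users" changes, can be worked through with a small model of the 'valid users' check. The script below is an added example for this thread; it is not code from the thread, from Samba, or from either poster. It implements the rules that 'man smb.conf' documents (the %U/%u/%D macros and the '@', '+' and '&' list prefixes) and then evaluates three variants of the [home] share. Everything else is an assumption made for the demonstration: the account names (doug, alice, svc_backup), the two forms in which a client might send a name (a bare name and a user@DAWNSIGN.COM principal; the page does not show which form the poster's clients sent), the use of bare %u rather than EXAMPLE-%u (because with 'winbind separator = -' and no 'winbind use default domain' the Unix name already carries the EXAMPLE- prefix), the group form @"EXAMPLE-domain users" for the replacement line, and the list splitting, which mimics Samba's but is not Samba's code.

```python
"""Model how a share's 'valid users' list is evaluated after smb.conf macro
expansion.  Added example, not code from the thread or from Samba: it
implements the rules 'man smb.conf' documents for %U (the name the client
asked for), %u (the Unix account the session got) and the '@' / '+' / '&'
list prefixes.  The config fragment, account names and client-name forms
below are constructed for the demonstration."""
import configparser

# Constructed smb.conf fragment.  [home] copies the thread's original
# 'valid users' line, [home_unix] is the %u variant discussed in the thread
# (bare %u: assumed, because with 'winbind separator = -' and no 'winbind use
# default domain' the Unix name already carries the EXAMPLE- prefix), and
# [home_relaxed] is the poster's replacement written in '@' group form.
SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE
winbind separator = -

[home]
path = /zdata/home
valid users = EXAMPLE-%U @"EXAMPLE-domain admins"

[home_unix]
path = /zdata/home
valid users = %u @"EXAMPLE-domain admins"

[home_relaxed]
path = /zdata/home
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
"""


def load_smb_conf(text):
    """Parse smb.conf text.  Interpolation is off so '%U' survives, '=' is
    the only delimiter so 'shadow: snapdir = ...' keys stay whole, and
    strict=False tolerates a parameter repeated inside one section."""
    conf = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                     strict=False, empty_lines_in_values=False)
    conf.read_string(text)
    return conf


def split_list(value):
    """Split a Samba list value on whitespace or commas, keeping a
    double-quoted name together even when a prefix precedes the quote,
    as in @"domain admins".  Models Samba's list splitting; not Samba code."""
    items, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif (ch.isspace() or ch == ",") and not quoted:
            if cur:
                items.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        items.append("".join(cur))
    return items


def expand_macros(value, session):
    """Substitute the macros this model knows: %U client-supplied name,
    %u Unix user of the session, %D the NetBIOS domain."""
    return (value.replace("%U", session["client_name"])
                 .replace("%u", session["unix_user"])
                 .replace("%D", session["domain"]))


def user_in_list(session, entries):
    """'@' or '+' entries name a group, '&' an NIS netgroup (not modelled,
    never matches), anything else a user.  Names compare case-insensitively."""
    groups = {g.lower() for g in session["groups"]}
    for entry in entries:
        if entry[:1] in ("@", "+"):
            if entry[1:].lower() in groups:
                return True
        elif entry[:1] == "&":
            continue
        elif entry.lower() == session["unix_user"].lower():
            return True
    return False


def share_allows(conf, share, session):
    """True if the session passes the share's 'valid users' check; a share
    with no 'valid users' admits any authenticated user."""
    raw = conf.get(share, "valid users", fallback="").strip()
    if not raw:
        return True
    return user_in_list(session, split_list(expand_macros(raw, session)))


def make_session(client_name, unix_user, groups):
    # client_name: what the client sent (%U); unix_user: what winbind mapped
    # it to with separator '-' (%u).  Both are constructed values.
    return {"client_name": client_name, "unix_user": unix_user,
            "groups": list(groups), "domain": "EXAMPLE"}


def audit(conf_text=SAMPLE_SMB_CONF):
    """Evaluate each share for several constructed sessions and return
    {(share, session label): allowed}."""
    conf = load_smb_conf(conf_text)
    dom_users = ["EXAMPLE-domain users"]
    sessions = {
        # the same account, two assumed forms of the name the client sent
        "doug_plain": make_session("doug", "EXAMPLE-doug", dom_users),
        "doug_upn": make_session("doug@DAWNSIGN.COM", "EXAMPLE-doug", dom_users),
        "alice": make_session("alice", "EXAMPLE-alice", dom_users),
        # an account that is not a member of Domain Users
        "svc_backup": make_session("svc_backup", "EXAMPLE-svc_backup",
                                   ["EXAMPLE-service accounts"]),
    }
    return {(share, label): share_allows(conf, share, sess)
            for share in ("home", "home_unix", "home_relaxed")
            for label, sess in sessions.items()}


if __name__ == "__main__":
    for (share, label), ok in audit().items():
        print(f"{share:13} {label:11} {'allowed' if ok else 'denied'}")
```

Reading the results: [home] admits doug when the client sent "doug" (EXAMPLE-doug matches his Unix name) but refuses the same account when the client sent "doug@DAWNSIGN.COM", because %U is substituted with whatever the client asked for; [home_unix] admits every session as itself regardless of that form; [home_relaxed] admits every member of Domain Users, including alice, and refuses svc_backup, who is not in that group. Two things follow for the thread's setup. First, since the share's path is the common root /zdata/home rather than a per-user directory, none of these share-level lists stops one user from browsing into another user's directory once connected; that is the job of the per-directory ownership and ACLs Doug relies on, and EXAMPLE-%U never provided more than that, as it admits each user as themselves. Second, testparm prints the stored 'valid users' string, not an expanded one; the expansion happens per session, so a line that tests clean can still reject a client that sends its name in a different form.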