On 10/9/18 10:41 PM, Rowland Penny via samba wrote:
> On Tue, 9 Oct 2018 22:16:41 +0200
> Peter Milesson <miles at atmos.eu> wrote:
>
>> On 09.10.2018 21:25, Rowland Penny via samba wrote:
>>> On Tue, 9 Oct 2018 19:44:55 +0200
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi Rowland,
>>>>
>>>> I made a fresh install of the AD DC, a member server, and a Windows 10 PC that was never part of any domain. Authentication works, Active Directory works, DNS works, the Administrator can add, edit, and delete entries. The AD DC is running CentOS 7.5, with a self-compiled Samba 4.9.1. The member server is using CentOS 7.5 with Samba 4.7.1 from standard distribution packages. I have also tested a self-compiled Samba 4.9.1 as domain member. The configurations are identical to the ones used in production. Firewalls are disabled, as is SELinux on both Linux boxes.
>>>>
>>>> However, file sharing is a complete disaster. The Samba member server automatically uses ACLs when creating files and folders, which the production server doesn't. Everything positive ends here. The rest of the process, using Windows Computer Manager for setting up the share parameters, is completely derailed.
>>>>
>>>> If the domain Administrator, Domain Admins, or any account with Administrator privileges figure anywhere, everything is completely blocked.
>>> When you say blocked, do you mean you get an error message like this when you click on the 'security' tab:
>>>
>>> You do not have permission to view or edit this object's permission settings.
>>>
>>> I set up a totally new CentOS 7 VM and installed Samba, but somehow I missed out the user.map line and I got that error. Added the line:
>>>
>>> username map = /etc/samba/user.map
>>>
>>> created the user.map:
>>>
>>> !root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
>>>
>>> Restarted Samba and it now works.
>>>
>>> Unix permissions before attempting any changes from Windows:
>>>
>>> [root@cen7member ~]# ls -lad /data/samba/profiles
>>> drwxrwx--- 2 root unix admins 6 Oct 9 19:13 /data/samba/profiles
>>>
>>> After adding a user to the share from the Windows 'Security' tab:
>>>
>>> Edit -> Add -> Advanced -> Find Now -> select user (Rowland Penny) -> OK -> OK -> standard permissions: Read & execute, List folder contents, Read
>>>
>>> [root@cen7member ~]# ls -lad /data/samba/profiles
>>> drwxrwx---+ 2 root unix admins 6 Oct 9 19:13 /data/samba/profiles
>>>
>>> And the extended ACLs now set:
>>> [root@cen7member ~]# getfacl /data/samba/profiles
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: data/samba/profiles
>>> # owner: root
>>> # group: unix\040admins
>>> user::rwx
>>> user:root:rwx
>>> user:rowland:r-x
>>> user:12122:rwx
>>> group::rwx
>>> group:rowland:r-x
>>> group:unix\040admins:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:rowland:r-x
>>> default:group::r-x
>>> default:group:rowland:r-x
>>> default:group:unix\040admins:r-x
>>> default:mask::rwx
>>> default:other::r-x
>>>
>>>> I'll get on my bike and take a trip in the countryside tomorrow, instead of fighting windmills...
>>> Yes, I always find walking away and returning later usually works ;-)
>>>
>>> Rowland
>>>
>> Thanks a lot for your support Rowland. I've tried those steps, but no success. On the contrary. Just not possible to change anything. The security object list is displayed, but no changes are possible. Windows complains about insufficient permissions. I have not forgotten the username map in the smb.conf file, neither did I forget to set SeDiskOperatorPrivilege.
>>
>> I'll put it on the shelf for some time. At least I've got a working setup in the production server for now. Nothing will probably change there for at least a couple of years. But I've got very strong doubts about the current security level, with the Everyone group working as a stand-in for Domain Admins, and a domain Administrator that seems to have got privileges just north of the Guest account.
> You seem to be fixated on the 'share' tab, ignore this and concentrate on the 'security' tab (would it help if I said a better name for the tab would be 'NTFS permissions'?). You should also be aware (from a Unix perspective) that there are three permission storages in play:
> the standard 'ugo'
> extended ACLs as shown by getfacl
> extended attributes stored in security.NTACL on the directory or file.
>
>> I'll give Samba a try under Slackware. I've set up a bunch of Samba servers under Slackware since around 2002, or so. But the previous ones were always PDCs. That path seems now closed, however, with MS probably scrapping the NT1 protocol in the immediate future. Slackware had very quirky support for LDAP, and PAM integration was impossible, making any kind of AD stuff extremely tricky. But the recent Samba versions have got most of the parts that were missing from Slackware built in. So I'll give it a try, but in a few weeks' time.
> There is a guy who posts on here regularly who uses Slackware, he is probably the one you need here.
>
> However, if you are considering a different OS, how about Debian (or Devuan)? You could then use Louis's packages and get the most up to date Samba versions.
>
>> Until then...
>>
> I will sort out my notes and send you a copy, I feel you must have a simple mistake that is causing your problem.
>
> Rowland

Hi Rowland,

I tried Debian as Samba member server as a test a few days ago. Functionally no difference to CentOS. So I just continued with CentOS for the production server.

About my problems. I follow the instructions for setting up a share. This time I assigned myself as a test user to the Domain Admins group, and after that, there is no way to get any further. In the shares list, the Domain Users and Domain Admins groups are displayed. Switching over to the security tab, different groups and users are displayed. Yes, they are displayed, which would be considered a great step forward. But trying to change anything there just doesn't work. It just complains that I have got insufficient permissions to make any changes. Any changes at all.

The folder looks like the following:

ls -al
total 12
drwxr-xr-x. 3 root root          4096 Oct 9 15:55 .
drwxr-xr-x. 3 root root          4096 Oct 9 15:54 ..
drwxr-xr-x. 2 root domain admins 4096 Oct 9 15:55 wandafish

and

getfacl wandafish
# file: wandafish
# owner: root
# group: domain\040admins
user::rwx
group::r-x
other::r-x

Having the "wrong" users or groups in the share tab gives a blank security tab. On the production server the group Everyone with full permissions is required, otherwise the security tab does not show up. In my test environment, I assigned myself to the Domain Admins group. After that I really don't get anywhere.

As I told you, I will put it on ice for a few weeks, and consider alternatives. IMHO, the choice of OS probably plays a big role here. CentOS has got far too much stuff running in the background, interfering if it considers it necessary. Even with SELinux and the firewall disabled. I need to have something with better control of the running processes. Slackware has precisely got that. I'll report back.

Best regards,

Peter
On 10.10.18 at 10:27, Peter Milesson via samba wrote:

It looks like you gave Domain Admins a gid. This is considered a bad idea as the group needs to own files on the DC in Sysvol. Rowland works around this by creating a group Unix Admins and adding this group to the Domain Admins group. This way you can work on the filesystem with "Unix Admins" (which has a gid) and still have the privileges of Domain Admins. In our setup (also classic upgraded) I try to avoid Administrator and Domain Admins in file security operations. Have you tried using a "normal" group, giving this the rights you want on the CLI, and then tried to set security on Windows with a user in that group?

Regards

Christian

-- 
Dr. Christian Naumer
Research Scientist
Platform Coordinator Bioprocess Technology

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Registration court: AG Darmstadt, HRB 24758
Management board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the supervisory board: Dr. Ludger Mueller
I'm not saying anything, but having a GID on "domain admins" works fine. It has for me since 2014.

getent group "domain admins"
domain admins:x:10001:admin,administrator

Can you post the output of:

ls -ald /data/samba

What happens when you do this:

chmod 1777 /data/samba/profiles

or 3777, but that opens access for "domain users" to the users' profiles folders.

But really, if it's the profiles folder, it's a Windows-only folder. This works without any problems: set the settings you see here, then configure the share and security from a Windows PC. And never touch it again.

[profiles]
    browseable = yes
    path = /data/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

ls -al /home/samba/
drwxrwx--T+ 88 root root 4096 Oct 4 13:55 profiles

# file: home/samba/profiles
# owner: root
# group: root
# flags: --t
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:mask::rwx
default:other::---

PS, have you checked the SePrivileges, do you have the needed mappings? My output:

kinit Administrator

net rpc rights list privileges SeDiskOperatorPrivilege -k -S $(hostname -s)
SeDiskOperatorPrivilege:
 BUILTIN\Administrators

net rpc rights list privileges SeSecurityPrivilege -k -S $(hostname -s)
SeSecurityPrivilege:
 BUILTIN\Administrators

net rpc rights list privileges SeTakeOwnershipPrivilege -k -S $(hostname -s)
SeTakeOwnershipPrivilege:
 BUILTIN\Administrators

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Christian Naumer via samba
> Sent: Wednesday, 10 October 2018 10:43
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain Administrator and shares problems
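An added offline pre-flight check, written for this thread and not code from any of the posters or from the Samba project: it covers the `username map` line Rowland found missing and the `!root = ...` entry in his user.map, and the SeDiskOperatorPrivilege listing Louis posted. It assumes the NetBIOS domain is SAMDOM (as in Rowland's map) and reads the privilege listing from saved `net rpc rights list privileges` output, so no Samba tools are needed and the constructed sample files run anywhere.

```shell
#!/bin/sh
# Added example for this thread; not code from any of the posters or from Samba.
# Offline pre-flight check for the prerequisites the replies turn on before the
# Windows 'Security' tab works on a Samba member server:
#   1. smb.conf carries 'username map = <file>'  (the line Rowland had missed),
#   2. that file maps the domain Administrator to root with the '!' stop rule,
#   3. SeDiskOperatorPrivilege is held by BUILTIN\Administrators (Louis's output).
# Assumptions: the NetBIOS domain is SAMDOM (as in Rowland's map); the privilege
# listing is read from saved 'net rpc rights list privileges ...' output, so no
# Samba tools are needed and the constructed samples below run anywhere.

# Print the value of 'username map' from an smb.conf, or nothing if it is unset.
# Samba ignores case and whitespace in parameter names, so "Username Map" counts.
usermap_path() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        { key = tolower($1); gsub(/[ \t]/, "", key) }
        key == "usernamemap" { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    ' "$1"
}

# Classify the root line of a user.map for the given NetBIOS domain:
#   ok       a '!root = ... DOM\Administrator ...' line exists ('!' stops further mapping)
#   no-stop  the mapping exists but without '!', so later lines may remap the user again
#   missing  no root line names the domain Administrator
root_map_status() {
    awk -v dom="$2" '
        BEGIN { status = "missing"; want = tolower(dom "\\administrator") }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            line = $0; stop = 0
            if (line ~ /^[ \t]*!/) { stop = 1; sub(/^[ \t]*!/, "", line) }
            n = index(line, "="); if (n == 0) next
            unix = substr(line, 1, n - 1); gsub(/[ \t]/, "", unix)
            if (unix != "root") next
            cnt = split(tolower(substr(line, n + 1)), names, /[ \t]+/)
            for (i = 1; i <= cnt; i++)
                if (names[i] == want) { status = (stop ? "ok" : "no-stop"); exit }
        }
        END { print status }
    ' "$1"
}

# Does saved output of 'net rpc rights list privileges <priv>' list the account
# as a holder? Format as Louis posted: "<priv>:" then one indented account per
# line. Returns 0 if found, 1 otherwise. The account name is passed through the
# environment because 'awk -v' would mangle the backslash in BUILTIN\...
privilege_granted_to() {
    ACCT="$3" awk -v priv="$2" '
        $0 == (priv ":") { in_block = 1; next }
        in_block && /^[^ \t]/ { in_block = 0 }
        in_block { a = $0; gsub(/^[ \t]+|[ \t]+$/, "", a)
                   if (a == ENVIRON["ACCT"]) { found = 1; exit } }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample inputs (not captured from a real server) so the checks run offline.
write_samples() {
    cat > "$1/smb.conf" <<'EOF'
[global]
   workgroup = SAMDOM
   security = ADS
   username map = /etc/samba/user.map

[profiles]
   path = /data/samba/profiles
   read only = no
EOF
    cat > "$1/user.map" <<'EOF'
# user.map as posted by Rowland
!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
EOF
    cat > "$1/user.map.nostop" <<'EOF'
root = SAMDOM\Administrator Administrator
EOF
    cat > "$1/rights.txt" <<'EOF'
SeDiskOperatorPrivilege:
 BUILTIN\Administrators
EOF
}

# Run the checks against the samples and report them the way an admin would read them.
run_checks() {
    dir=$(mktemp -d)
    write_samples "$dir"
    map=$(usermap_path "$dir/smb.conf")
    if [ -n "$map" ]; then printf 'username map = %s\n' "$map"
    else printf 'username map is NOT set in smb.conf\n'; fi
    printf 'root mapping in user.map: %s\n' "$(root_map_status "$dir/user.map" SAMDOM)"
    printf 'root mapping without !:   %s\n' "$(root_map_status "$dir/user.map.nostop" SAMDOM)"
    if privilege_granted_to "$dir/rights.txt" SeDiskOperatorPrivilege 'BUILTIN\Administrators'
    then printf 'SeDiskOperatorPrivilege: held by BUILTIN\\Administrators\n'
    else printf 'SeDiskOperatorPrivilege: NOT held (grant it with net rpc rights grant)\n'; fi
    rm -rf "$dir"
}

run_checks
```

To check a real member server, point `usermap_path` and `root_map_status` at the live files and feed `privilege_granted_to` the output of the `net rpc rights list privileges` command Louis shows.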
On 10/10/18 10:43 AM, Christian Naumer via samba wrote:> Am 10.10.18 um 10:27 schrieb Peter Milesson via samba: >> On 10/9/18 10:41 PM, Rowland Penny via samba wrote: >>> On Tue, 9 Oct 2018 22:16:41 +0200 >>> Peter Milesson <miles at atmos.eu> wrote: >>> >>>> On 09.10.2018 21:25, Rowland Penny via samba wrote: >>>>> On Tue, 9 Oct 2018 19:44:55 +0200 >>>>> Peter Milesson via samba <samba at lists.samba.org> wrote: >>>>> >>>>>> Hi Rowland, >>>>>> >>>>>> I made a fresh install of the AD DC, a member server, and a Windows >>>>>> 10 PC that was never part of any domain. Authentication works, >>>>>> Active Directory works, DNS works, the Administrator can add, >>>>>> edit, and delete entries. The AD DC running CentOS 7.5, with a >>>>>> self compiled Samba 4.9.1. The member server using CentOS 7.5 with >>>>>> Samba 4.7.1 from standard distribution packages. I have also >>>>>> tested a self compiled Samba 4.9.1 as domain member. The >>>>>> configurations are identical to the ones used in production. >>>>>> Firewalls disabled, as is SeLinux on both Linux boxes. >>>>>> >>>>>> However, file sharing is a complete disaster. The Samba member >>>>>> server automatically uses ACLs when creating files and folders, >>>>>> which the production server doesn't. Everything positive ends >>>>>> here. The rest of the process using Windows Computer Manager for >>>>>> setting up the share parameters, is completely derailed. >>>>>> >>>>>> If the domain Administrator, Domain Admins, or any account with >>>>>> Administrator privileges figure anywhere, everything is completely >>>>>> blocked. >>>>> When you say blocked, do you mean you get an error message like this >>>>> when you click on the 'security' tab: >>>>> >>>>> You do not have permission to view to view or edit this object’s >>>>> permission settings. >>>>> >>>>> I set up a totally new centos 7 VM and installed Samba, but somehow >>>>> I missed out the user.map line and I got that error. 
Added the line: >>>>> >>>>> username map = /etc/samba/user.map >>>>> >>>>> created the user.map: >>>>> >>>>> !root = SAMDOM\Administrator SAMDOM\administrator Administrator >>>>> administrator >>>>> >>>>> Restarted Samba and it now works. >>>>> >>>>> Unix permissions before attempting any changes from windows: >>>>> >>>>> [root at cen7member ~]# ls -lad /data/samba/profiles >>>>> drwxrwx--- 2 root unix admins 6 Oct 9 19:13 /data/samba/profiles >>>>> >>>>> After adding a user to the share from windows 'Security' tab: >>>>> >>>>> Edit -> Add -> Advanced -> Find Now -> select user (Rowland Penny) >>>>> -> OK -> OK -> standard permissions: Read & execute, List folder >>>>> contents, Read >>>>> >>>>> [root at cen7member ~]# ls -lad /data/samba/profiles >>>>> drwxrwx---+ 2 root unix admins 6 Oct 9 19:13 /data/samba/profiles >>>>> >>>>> And the extend ACLs now set: >>>>> [root at cen7member ~]# getfacl /data/samba/profiles >>>>> getfacl: Removing leading '/' from absolute path names >>>>> # file: data/samba/profiles >>>>> # owner: root >>>>> # group: unix\040admins >>>>> user::rwx >>>>> user:root:rwx >>>>> user:rowland:r-x >>>>> user:12122:rwx >>>>> group::rwx >>>>> group:rowland:r-x >>>>> group:unix\040admins:rwx >>>>> mask::rwx >>>>> other::--- >>>>> default:user::rwx >>>>> default:user:root:rwx >>>>> default:user:rowland:r-x >>>>> default:group::r-x >>>>> default:group:rowland:r-x >>>>> default:group:unix\040admins:r-x >>>>> default:mask::rwx >>>>> default:other::r-x >>>>> >>>>>> I'll get on my bike and take a trip in the countryside tomorrow, >>>>>> instead of fighting wind mills... >>>>> Yes, I always find walking away and returning later usually >>>>> works ;-) >>>>> >>>>> Rowland >>>>> >>>> Thanks a lot for your support Rowland. I've tried those steps, but no >>>> success. On the contrary. Just not possible to change anything. The >>>> security object list is displayed, but no changes are possible. >>>> Windows complaining about insufficient permissions. 
I have not forgot >>>> the username map in the smb.conf file, neither did I forget to set >>>> SeDiskOperatorPrivileges. >>>> >>>> I'll put it on the shelf for some time. At least I've got a working >>>> setup in the production server for now. Nothing will probably change >>>> there for at least a couple of years. But I've got very strong doubts >>>> about the current security level, with the Everyone group working as >>>> a stand in for Domain Admins, and a domain Administrator that's seems >>>> to have got privileges just north of the Guest account. >>> You seem to be fixated on the 'share' tab, ignore this and concentrate >>> on the 'security' tab (would it help if I said a better name for the >>> tab would 'NTFS permissions' ?). You should also be aware (From a Unix >>> perspective) that there are three permissions storages in play: >>> the standard 'ugo' >>> Extend ACLs as shown by getfacl >>> Extended attributes stored in security.NTACL on the directory or >>> file. >>> >>>> I'll give Samba a try under Slackware. I've set up a bunch of Samba >>>> servers under Slackware since around 2002, or so. But the previous >>>> ones were always PDCs. That path seems now closed, however, with MS >>>> probably scrapping the NT1 protocol in the immediate future. >>>> Slackware had very quirky support for LDAP, and pam integration >>>> impossible, making any kind of AD stuff extremely tricky. But the >>>> recent Samba versions have got most of the parts that were missing >>>> from Slackware built in. So I'll give it a try, but in a few weeks >>>> time. >>> There is a GUY who posts on here regularly who uses Slackware, he is >>> probably one you need here. >>> >>> However, if you are considering a different OS, how about Debian (or >>> Devuan), you could the use Louis's packages and get the most up to date >>> Samba versions. >>> >>>> Until then... >>>> >>> I will sort out my notes and send you a copy, I feel you must have a >>> simple mistake that is causing your problem. 
>>>
>>> Rowland
>> Hi Rowland,
>>
>> I tried Debian as Samba member server as a test a few days ago.
>> Functionally no difference to CentOS. So I just continued with CentOS
>> for the production server.
>>
>> About my problems. I follow the instructions for setting up a share.
>> This time I assigned myself as a testuser to the Domain Admins group,
>> and after that, there is no way to get any further. In the shares list,
>> the Domain Users, and Domain Admins groups are displayed. Switching over
>> to the security tab, different groups and users are displayed. Yes, they
>> are displayed, which would be considered a great step forward. But
>> trying to change anything there just doesn't work. It just complains
>> that I have got insufficient permissions to make any changes. Any changes
>> at all.
>>
>> The folder looks the following:
>>
>> ls -al
>> total 12
>> drwxr-xr-x. 3 root root 4096 Oct 9 15:55 .
>> drwxr-xr-x. 3 root root 4096 Oct 9 15:54 ..
>> drwxr-xr-x. 2 root domain admins 4096 Oct 9 15:55 wandafishand
>>
>> getfacl wandafish
>> # file: wandafish
>> # owner: root
>> # group: domain\040admins
>> user::rwx
>> group::r-x
>> other::r-x
>>
>>
>> Having the "wrong" users or groups in the share tab, gives a blank
>> security tab. On the production server group Everyone with full
>> permissions is required, otherwise the security tab does not show up. In
>> my test environment, I assigned myself to the Domain Admins group. After
>> that I really don't get anywhere.
>>
>> As I told you, I will put it on ice for a few weeks, and consider
>> alternatives. IMHO, the choice of OS probably plays a big role here.
>> CentOS has got far too much stuff running in the background, interfering
>> if it considers necessary. Even with SeLinux and the firewall disabled.
>> I need to have something with better control of the running processes.
>> Slackware has precisely got that. I'll report back.
> It looks like you gave Domain Admins a gid.
> This is considered a bad
> idea as the group needs to own files on the DC in Sysvol. Rowland works
> around this by creating a group Unix Admins and adds this group to the
> Domain Admins group. This way you can work on the filesystem with "unix
> Admins" (which has a gid) and still have the privileges of Domain Admins.
> In our setup (also classic upgraded) I try to avoid Administrator and
> Domain Admins in file security operations. Have you tried using a
> "normal" group giving this the rights you want on the cli and tried to
> set security on Windows with a user in that group?
>
> Regards
>
> Christian

Hi Christian,

No, I did not give Domain Admins a gid. Nobody in the AD has got neither a gid nor a uid. What you describe is similar to what is working on my production server. There I gave the Administrator account a uid and a gid (both 0). Didn't solve anything. The Administrator account is completely dysfunctional. And user mapping just plain not working, or works in ways that either are not documented, or that I misinterpret.

I will leave it as it is for a while, and return to it later. From an administrator's point of view, I'm extremely dissatisfied with the current situation.

Thanks for your input.

Best regards,

Peter

>
>
>> Best regards,
>>
>> Peter
>>
>>
On Wed, 10 Oct 2018 11:03:17 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> I'm not saying anything, but having a GID on "domain admins" works
> fine. For me then since 2014..
>
> getent group "domain admins"
> domain admins:x:10001:admin,administrator
>
> Can you post the output of
> ls -ald /data/samba
>
> What happens when you do this.
> chmod 1777 /data/samba/profiles
> or 3777, but that opens access for "domain users" to the users
> profiles folders.
>
> But really, if it's the profiles folder it's a windows only folder.
>
> This works without any problems, set the settings you see here, then
> configure the share and security from a windows pc. And never touch
> it again.
>
> [profiles]
> browseable = yes
> path = /data/samba/profiles
> read only = no
> acl_xattr:ignore system acl = yes
>
> ls -al /home/samba/
> drwxrwx--T+ 88 root root 4096 Oct 4 13:55 profiles
>
> file: home/samba/profiles
> # owner: root
> # group: root
> # flags: --t
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:domain\040users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:mask::rwx
> default:other::---
>
> Ps, have you checked the SePrivileges, do you have the needed
> mappings? My output.
>
> kinit Administrator
> net rpc rights list privileges SeDiskOperatorPrivilege -k -S
> $(hostname -s) SeDiskOperatorPrivilege:
> BUILTIN\Administrators
>
> net rpc rights list privileges SeSecurityPrivilege -k -S $(hostname
> -s) SeSecurityPrivilege:
> BUILTIN\Administrators
>
> net rpc rights list privileges SeTakeOwnershipPrivilege -k -S
> $(hostname -s) SeTakeOwnershipPrivilege:
> BUILTIN\Administrators
>

The problem isn't whether 'Domain Admins' has a gid or not, the OP
cannot open the security tab on windows as Administrator.

This is something I can only reproduce by not having a user.map in
smb.conf

Rowland
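An added check for the two things Rowland's reproduction above hinges on (this is an editor's example, not code from the thread or from the Samba project): that smb.conf carries a `username map` line, and that the file it points to maps the unix root account to the domain Administrator. The smb.conf and user.map it writes are constructed samples modelled on the lines Rowland posted; the `SAMDOM` domain name, the temporary paths and the `demo` argument are assumptions.

```shell
#!/bin/sh
# Editor's example, not from the thread. Audits the two prerequisites Rowland
# names for the Windows 'Security' tab to work as Administrator on a Samba
# member server: a 'username map' line in smb.conf and a user.map that maps
# the unix root account to the domain Administrator.
# The SAMDOM domain name, the paths and the file contents are constructed.

# check_username_map SMB_CONF
#   prints the value of the first 'username map' line, returns 1 if absent.
#   Only the usual spelling 'username map' is recognised here; smbd itself
#   also accepts case and whitespace variations of the parameter name.
check_username_map() {
    conf="$1"
    map=$(sed -n 's/^[[:space:]]*username map[[:space:]]*=[[:space:]]*//p' "$conf" \
          | sed 's/[[:space:]]*$//' | head -n 1)
    [ -n "$map" ] || return 1
    printf '%s\n' "$map"
}

# check_root_mapping USER_MAP
#   returns 0 if some line maps unix 'root' (with or without the '!' that
#   stops further mapping) to a name containing 'administrator'.
check_root_mapping() {
    grep -Eiq '^[[:space:]]*!?root[[:space:]]*=.*administrator' "$1"
}

# audit_member SMB_CONF
#   prints one line per check and returns the number of failed checks.
audit_member() {
    conf="$1"
    fails=0
    if map=$(check_username_map "$conf"); then
        printf 'ok   username map = %s\n' "$map"
        if [ -r "$map" ] && check_root_mapping "$map"; then
            printf 'ok   %s maps root to the domain Administrator\n' "$map"
        else
            printf 'FAIL %s is missing or does not map root to Administrator\n' "$map"
            fails=$((fails + 1))
        fi
    else
        printf 'FAIL no "username map" line in %s\n' "$conf"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# write_sample_config DIR [broken]
#   writes a constructed smb.conf and user.map into DIR; with 'broken' as
#   the second argument the 'username map' line is left out, which is the
#   omission Rowland describes.
write_sample_config() {
    dir="$1"
    mkdir -p "$dir"
    {
        printf '[global]\n'
        printf '   workgroup = SAMDOM\n'
        printf '   security = ADS\n'
        [ "${2:-}" = broken ] || printf '   username map = %s/user.map\n' "$dir"
    } > "$dir/smb.conf"
    # quoted heredoc: the backslashes in SAMDOM\Administrator stay literal
    cat > "$dir/user.map" <<'EOF'
!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
EOF
}

# demo: audit a good and a broken sample ('sh audit.sh demo')
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    write_sample_config "$tmp/good"
    write_sample_config "$tmp/broken" broken
    audit_member "$tmp/good/smb.conf"
    audit_member "$tmp/broken/smb.conf"
    rm -r "$tmp"
fi
```

Run it with `demo` to see one passing and one failing audit; on a real member server call `audit_member /etc/samba/smb.conf` instead. The second check only proves the mapping file says the right thing; whether smbd applied it is still confirmed the way Rowland did, by restarting Samba and opening the tab.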
I suggest the OP check my settings and try it. Should work.

Not showing the security tab is often a wrong right in the underlying folder.
So in case of this one, I would check this first.

ls -al /data/
ls -al /data/samba
ls -al /data/samba/profiles

chmod 775 /data/ !
In case of a chmod 770 or 750 make sure you have a group set that is known in windows.
Same for /data/samba
chmod 1777 for /data/samba/profiles

Then when creating/setting the profiles in windows tools, first set the UNIX UID, click apply.
Now set the profiles path, it should result in

# file: home/samba/profiles/username.V6
# owner: username
# group: domain\040users
user::rwx
user:username:rwx
group::---
group:2005:rwx
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:obell:rwx
default:group::---
default:group:2005:rwx
default:group:domain\040users:---
default:mask::rwx
default:other::---

Do note the UID 2005, that is the one that created the folder. ( user : SYSTEM )

Greetz,

Louis

> The problem isn't whether 'Domain Admins' has a gid or not, the OP
> cannot open the security tab on windows as Administrator.
>
> This is something I can only reproduce by not having a user.map in
> smb.conf
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
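Louis's first step, checking the directory chain above the share, as an added example (editor's code, not from the thread or from the Samba project): it walks from the share directory up to a top directory, prints mode, owner and group of each, and counts the directories that 'other' cannot traverse, which is where a 770 or 750 parent with a group Windows cannot resolve bites. The `/data/samba/profiles` layout is rebuilt under a temporary directory as a constructed sample; the optional top-directory argument, the BSD `stat` fallback and the bare-gid hint are assumptions.

```shell
#!/bin/sh
# Editor's example, not from the thread. Walks the directory chain above a
# share (Louis's 'ls -al /data/ ; ls -al /data/samba ; ...' step) and flags
# every directory that 'other' cannot traverse. Such a directory only works
# if its group is one Windows can resolve; a purely numeric group in the
# report means nothing could map the gid to a name, so fix that first.

# octal mode, owner and group of a path (GNU stat first, BSD stat as a
# fallback; the fallback spellings are an assumption)
dir_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
dir_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
dir_group() { stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"; }

# check_path_chain DIR [TOP]
#   reports each directory from DIR up to TOP (default /) and returns the
#   number of directories lacking the o+x (traverse) bit.
check_path_chain() {
    p="$1"
    top="${2:-/}"
    fails=0
    while :; do
        mode=$(dir_mode "$p")
        other=$(printf '%s\n' "$mode" | sed 's/.*\(.\)$/\1/')   # last octal digit
        group=$(dir_group "$p")
        hint=""
        if [ $((other & 1)) -eq 0 ]; then
            fails=$((fails + 1))
            hint=" <- not traversable by 'other'"
            case $group in
                *[!0-9]*) ;;                             # group resolved to a name
                *) hint="$hint, group is a bare gid" ;;  # nothing could map it
            esac
        fi
        printf '%-5s %-10s %-20s %s%s\n' "$mode" "$(dir_owner "$p")" "$group" "$p" "$hint"
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return "$fails"
}

# make_sample_tree BASE : constructed stand-in for /data/samba/profiles with
#   the 750 parent Louis warns about
make_sample_tree() {
    mkdir -p "$1/data/samba/profiles"
    chmod 750 "$1/data"
    chmod 775 "$1/data/samba"
    chmod 1777 "$1/data/samba/profiles"
}

# demo: report before and after Louis's 'chmod 775 /data/' ('sh chain.sh demo')
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    check_path_chain "$tmp/data/samba/profiles" "$tmp/data" || true
    echo "fix: chmod 775 $tmp/data"
    chmod 775 "$tmp/data"
    check_path_chain "$tmp/data/samba/profiles" "$tmp/data"
    rm -r "$tmp"
fi
```

On a real server run `check_path_chain /data/samba/profiles /data` and read the report alongside `ls -al`; a flagged directory is acceptable only if the group shown is a name the domain members actually belong to, which is the condition Louis attaches to 770 or 750.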