Hai,

Ok, I expected a bit different outputs.
On my DC, I use /home/samba/sysvol and /home/samba/netlogon.
This is what I expected.

getfacl /home/samba/

getfacl: Removing leading '/' from absolute path names
# file: home/samba/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:mask::rwx
default:other::---

Now how am I getting that if I'm sharing : /home/samba/sysvol
I've also shared : /home/samba before the setup.
I've set the above rights first on /home/samba
And then I've set the rights on /home/samba/sysvol

Before you do that.
wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh

That generated a file called : default-rights-sysvol.acl
With this as content:
# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

And if you use sysvol/netlogon only for windows computers, which you do.

Set these : ( change the path to your setup. )
[sysvol]
path = /home/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes

[netlogon]
path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
read only = No
acl_xattr:ignore system acls = yes

It's, in my opinion, the best way to make your sysvol work without problems.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Corrado Ravinetto via samba
> Sent: Tuesday 6 November 2018 14:35
> To: samba at lists.samba.org
> Subject: Re: [Samba] classicupgrade
>
> great :-)
>
> On 06/11/2018 14:17, L.P.H. van Belle via samba wrote:
> > This is one time settings.
> > And yes, for each policy you need to click on these once. ( in the gpo policy objects in GPO editor )
> ok
> > Can you post smb.conf
> [global]
> netbios name = DC1
> realm = LXCERRUTI.COM
> server role = active directory domain controller
> workgroup = LXCERRUTI
> idmap_ldb:use rfc2307 = yes
> log level = 1
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> > getfacl PATH_TO_SYSVOL
> I'm not sure these are the original, I do many changes ....
>
> # file: usr/local/samba/var/locks/sysvol
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:rwx
> group:3000003:r-x
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> > getent the_Folder_ONE_below-PATH_TO_SYSVOL
> >
> > Explorer crashes, if 9 out of 10 x a wrong right on the folder below the point you're sharing.
> > Per example.
> >
> > getfacl /home
> > getfacl /home/samba
> > getfacl /home/samba/share/
> > getfacl /home/samba/share/data
> >
> > Can you post these all also but replace the example path to your setup.
> my dc is not a file server, no home or share in this server
> only netlogon and sysvol
>
> # file: usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:rwx
> group:3000003:r-x
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> > Greetz,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Corrado Ravinetto via samba
> >> Sent: Tuesday 6 November 2018 13:44
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] classicupgrade
> >>
> >> hello
> >> I read this post, but when I check the property tab, Explorer crashes and I cannot change anything.
> >> My question is: for each new policy I must change this default ???
> >> Cannot I change create mask on smb.conf for sysvol share ???
> >>
> >> thanks to all
> >>
> >> On 06/11/2018 13:22, L.P.H. van Belle via samba wrote:
> >>> Hai,
> >>>
> >>> I suggest, start reading here, it explains all.
> >>> https://lists.samba.org/archive/samba/2018-February/213690.html
> >>>
> >>> The script in that thread is not changing anything by default.
> >>>
> >>> I suggest try it and post the output.
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>> -----Original message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> >>>> Sent: Tuesday 6 November 2018 12:33
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] classicupgrade
> >>>>
> >>>> On Tue, 6 Nov 2018 12:13:31 +0100
> >>>> Corrado Ravinetto via samba <samba at lists.samba.org> wrote:
> >>>>
> >>>>> On 06/11/2018 11:48, Rowland Penny via samba wrote:
> >>>>>> No, your GPO's will still work.
> >>>>> ok
> >>>>> but when I created my gpo in sysvol I cannot access this share because:
> >>>>>
> >>>>> drwxrwx---+ 4 3000002 3000002 48 6 nov 12.03 {CE2EBBA2-28FE-45D7-94EC-CD7357F38D73}
> >>>>>
> >>>>> Must I, for each new policy, adjust rights and owner ???
> >>>>>
> >>>>> mmmmmmmh
> >>>> '3000002' is coming from idmap.ldb and because '3000002' isn't a Unix
> >>>> user, it isn't mapped to a Unix name, it could in fact be a group, yes,
> >>>> groups on Windows can own folders & files.
> >>>>
> >>>> There is a wiki page that might help:
> >>>>
> >>>> https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
> >>>>
> >>>> Further than that, I cannot help, I do not use GPO's, I don't have any
> >>>> Windows clients ;-)
> >>>>
> >>>> Perhaps Louis might care to chime in here.
> >>>>
> >>>> Rowland
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>
> >> --
> >>
> >> *Corrado Ravinetto*
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
>
> --
> *Corrado Ravinetto*
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
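
Added example (not from any poster in this thread and not Samba project code): a small Python check that parses getfacl output like the listings posted above, decodes the \134 and \040 escapes, and reports a writable "other" entry, numeric xids that have no Unix name, and a missing default ACL. The function names and finding labels are assumptions of this example; both sample inputs are abridged copies of listings from the thread.

```python
import re

# Constructed sample: abridged copy of the sysvol listing posted in the thread.
POSTED_SYSVOL = r"""# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:user::rwx
default:group::---
default:group:3000000:rwx
default:mask::rwx
default:other::---
"""

# Constructed sample: abridged copy of the listing Louis expected for sysvol.
EXPECTED_SYSVOL = r"""# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
group::rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:mask::rwx
default:other::---
"""


def decode_name(raw):
    # getfacl prints space and backslash in names as octal escapes (\040, \134).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), raw)


def parse_getfacl(text):
    """Parse one getfacl listing into header fields and ACL entries."""
    acl = {"file": None, "owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(file|owner|group):\s*(.*)", line)
            if m:
                acl[m.group(1)] = decode_name(m.group(2))
            continue
        line = line.split("#", 1)[0].strip()  # drop "#effective:..." comments
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, rest = line.split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)
        acl["entries"].append((scope, tag, decode_name(qualifier), perms[:3]))
    return acl


def audit_sysvol_acl(acl):
    """Return (label, detail) findings for a parsed sysvol ACL."""
    findings = []
    entries = acl["entries"]
    # Anyone with a local account can modify GPO files if "other" is writable.
    for scope, tag, _qualifier, perms in entries:
        if tag == "other" and "w" in perms:
            findings.append(("other-writable", f"{scope} other::{perms}"))
    # Numeric qualifiers are xids with no Unix name; they must be identified
    # before the listing can be compared with an expected one.
    unresolved = sorted({q for _s, tag, q, _p in entries
                         if tag in ("user", "group") and q.isdigit()})
    if unresolved:
        findings.append(("unresolved-xid", ",".join(unresolved)))
    # Without default: entries, newly created directories inherit no ACL.
    if not any(scope == "default" for scope, *_rest in entries):
        findings.append(("no-default-acl", acl["file"] or "?"))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_SYSVOL), ("expected", EXPECTED_SYSVOL)):
        print(name, audit_sysvol_acl(parse_getfacl(text)))
```
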
Hello Luis
I followed your email and I created this file with your link:

[root at dc1 samba.PDC]# cat default-rights-sysvol.acl
# file: /home/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000004:rwx
user:3000000:r-x
user:3000001:rwx
user:3000018:r-x
group::rwx
group:3000004:rwx
group:3000000:r-x
group:3000001:rwx
group:3000018:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000004:rwx
default:user:3000000:r-x
default:user:3000001:rwx
default:user:3000018:r-x
default:group::---
default:group:3000004:rwx
default:group:3000000:r-x
default:group:3000001:rwx
default:group:3000018:r-x
default:mask::rwx
default:other::---

I applied this with setfacl
I restarted samba; from Windows, with gpo, when I create a new gpo :
access denied

On 06/11/2018 15:52, L.P.H. van Belle via samba wrote:
> Hai,
>
> Ok, I expected a bit different outputs.
> On my DC, I use /home/samba/sysvol and /home/samba/netlogon.
> This is what I expected.
>
> getfacl /home/samba/
>
> getfacl: Removing leading '/' from absolute path names
> # file: home/samba/
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:NT\040AUTHORITY\134system:rwx
> group:NT\040AUTHORITY\134authenticated\040users:r-x
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:NT\040AUTHORITY\134system:rwx
> default:group:NT\040AUTHORITY\134authenticated\040users:r-x
> default:mask::rwx
> default:other::---
>
> Now how am I getting that if I'm sharing : /home/samba/sysvol
> I've also shared : /home/samba before the setup.
> I've set the above rights first on /home/samba
> And then I've set the rights on /home/samba/sysvol
>
> Before you do that.

--
*Corrado Ravinetto*
Information systems
Lanificio F.lli Cerruti S.p.A.

Ok, next,

From a Windows PC connect to the server with computer manager, and now set up the share and folder rights.
As shown in the link posted ( https://lists.samba.org/archive/samba/2018-February/213690.html )

I'm leaving the office. So a reply will probably be tomorrow.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Corrado Ravinetto via samba
> Sent: Tuesday 6 November 2018 16:57
> To: samba at lists.samba.org
> Subject: Re: [Samba] classicupgrade
>
> Hello Luis
> I followed your email and I created this file with your link:
>
> [root at dc1 samba.PDC]# cat default-rights-sysvol.acl
> # file: /home/samba/sysvol
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:3000004:rwx
> user:3000000:r-x
> user:3000001:rwx
> user:3000018:r-x
> group::rwx
> group:3000004:rwx
> group:3000000:r-x
> group:3000001:rwx
> group:3000018:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000004:rwx
> default:user:3000000:r-x
> default:user:3000001:rwx
> default:user:3000018:r-x
> default:group::---
> default:group:3000004:rwx
> default:group:3000000:r-x
> default:group:3000001:rwx
> default:group:3000018:r-x
> default:mask::rwx
> default:other::---
>
> I applied this with setfacl
> I restarted samba; from Windows, with gpo, when I create a new gpo :
> access denied
>
> On 06/11/2018 15:52, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > Ok, I expected a bit different outputs.
> > On my DC, I use /home/samba/sysvol and /home/samba/netlogon.
> > This is what I expected.
Hello Luis
tomorrow I'm not in the office, I will reply to you Thursday

One question : who is owner and what rights for dir
/home
/home/samba
/home/samba/sysvol
because, from a Windows client, as a user in domain admins, when I change things in the security tab, Explorer always crashes

bye

On 06/11/2018 17:16, L.P.H. van Belle via samba wrote:
> Ok, next,
>
> From a Windows PC connect to the server with computer manager, and now set up the share and folder rights.
> As shown in the link posted ( https://lists.samba.org/archive/samba/2018-February/213690.html )
>
> I'm leaving the office. So a reply will probably be tomorrow.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Corrado Ravinetto via samba
>> Sent: Tuesday 6 November 2018 16:57
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] classicupgrade
>>
>> Hello Luis
>> I followed your email and I created this file with your link:
>>
>> [root at dc1 samba.PDC]# cat default-rights-sysvol.acl
>> # file: /home/samba/sysvol
>> # owner: root
>> # group: root
>> user::rwx
>> user:root:rwx
>> user:3000004:rwx
>> user:3000000:r-x
>> user:3000001:rwx
>> user:3000018:r-x
>> group::rwx
>> group:3000004:rwx
>> group:3000000:r-x
>> group:3000001:rwx
>> group:3000018:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:3000004:rwx
>> default:user:3000000:r-x
>> default:user:3000001:rwx
>> default:user:3000018:r-x
>> default:group::---
>> default:group:3000004:rwx
>> default:group:3000000:r-x
>> default:group:3000001:rwx
>> default:group:3000018:r-x
>> default:mask::rwx
>> default:other::---
>>
>> I applied this with setfacl
>> I restarted samba; from Windows, with gpo, when I create a new gpo :
>> access denied
>>
>> On 06/11/2018 15:52, L.P.H. van Belle via samba wrote:
>>> Hai,
>>>
>>> Ok, I expected a bit different outputs.
>>> On my DC, I use /home/samba/sysvol and /home/samba/netlogon.
>>> This is what i expected. >>> >>> getfacl /home/samba/ >>> >>> getfacl: Removing leading '/' from absolute path names >>> # file: home/samba/ >>> # owner: root >>> # group: BUILTIN\134administrators >>> user::rwx >>> user:root:rwx >>> group::rwx >>> group:BUILTIN\134administrators:rwx >>> group:BUILTIN\134server\040operators:r-x >>> group:NT\040AUTHORITY\134system:rwx >>> group:NT\040AUTHORITY\134authenticated\040users:r-x >>> mask::rwx >>> other::r-x >>> default:user::rwx >>> default:user:root:rwx >>> default:group::--- >>> default:group:BUILTIN\134administrators:rwx >>> default:group:BUILTIN\134server\040operators:r-x >>> default:group:NT\040AUTHORITY\134system:rwx >>> default:group:NT\040AUTHORITY\134authenticated\040users:r-x >>> default:mask::rwx >>> default:other::--- >>> >>> Now how am i getting that if im shareing : /home/samba/sysvol >>> I've also shared : /home/samba before the setup. >>> Ive set the above rights first on /home/samba >>> And then i've set the rights on /home/samba/sysvol >>> >>> Before you do that. 
>>> wget >> https://raw.githubusercontent.com/thctlo/samba4/master/samba-c > heck-set-sysvol.sh >>> That generated a file called : default-rights-sysvol.acl >>> With this as content: >>> # file: sysvol >>> # owner: root >>> # group: BUILTIN\134administrators >>> user::rwx >>> user:root:rwx >>> user:BUILTIN\134administrators:rwx >>> user:BUILTIN\134server\040operators:r-x >>> user:3000002:rwx >>> user:3000003:r-x >>> group::rwx >>> group:BUILTIN\134administrators:rwx >>> group:BUILTIN\134server\040operators:r-x >>> group:3000002:rwx >>> group:3000003:r-x >>> mask::rwx >>> other::--- >>> default:user::rwx >>> default:user:root:rwx >>> default:user:BUILTIN\134administrators:rwx >>> default:user:BUILTIN\134server\040operators:r-x >>> default:user:3000002:rwx >>> default:user:3000003:r-x >>> default:group::--- >>> default:group:BUILTIN\134administrators:rwx >>> default:group:BUILTIN\134server\040operators:r-x >>> default:group:3000002:rwx >>> default:group:3000003:r-x >>> default:mask::rwx >>> default:other::--- >>> >>> And if you use sysvol/netlogon only for windows computers, >> which you do. >>> Set these : ( change the path to your setup. ) >>> [sysvol] >>> path = /home/samba/sysvol >>> read only = No >>> acl_xattr:ignore system acls = yes >>> >>> [netlogon] >>> path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts >>> read only = No >>> acl_xattr:ignore system acls = yes >>> >>> It's, in my opinion, the best way to make your sysvol work >> without problems. >>> >>> Greetz, >>> >>> Louis >>> >>> >>> >>>> -----Oorspronkelijk bericht----- >>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens >>>> Corrado Ravinetto via samba >>>> Verzonden: dinsdag 6 november 2018 14:35 >>>> Aan: samba at lists.samba.org >>>> Onderwerp: Re: [Samba] classicupgrade >>>> >>>> great :-) >>>> >>>> Il 06/11/2018 14:17, L.P.H. van Belle via samba ha scritto: >>>>> This is one time settings. >>>>> En yes, for each policy you need to klik on these once. 
>>>>> ( in the gpo policy objects in GPO editor )
>>>> ok
>>>>> Can you post smb.conf
>>>> [global]
>>>> netbios name = DC1
>>>> realm = LXCERRUTI.COM
>>>> server role = active directory domain controller
>>>> workgroup = LXCERRUTI
>>>> idmap_ldb:use rfc2307 = yes
>>>> log level = 1
>>>>
>>>> [netlogon]
>>>> path = /usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
>>>> read only = No
>>>>
>>>> [sysvol]
>>>> path = /usr/local/samba/var/locks/sysvol
>>>> read only = No
>>>>
>>>>> getfacl PATH_TO_SYSVOL
>>>> I'm not sure these are the original, I do many changes ....
>>>>
>>>> # file: usr/local/samba/var/locks/sysvol
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:root:rwx
>>>> user:3000000:rwx
>>>> user:3000003:r-x
>>>> group::rwx
>>>> group:3000000:rwx
>>>> group:3000001:rwx
>>>> group:3000003:r-x
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:3000000:rwx
>>>> default:user:3000003:r-x
>>>> default:group::---
>>>> default:group:3000000:rwx
>>>> default:group:3000001:rwx
>>>> default:group:3000003:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>>> getent the_Folder_ONE_below-PATH_TO_SYSVOL
>>>>>
>>>>> Explorer crashes, if 9 out of 10 x a wrong right on the folder below the point you're sharing.
>>>>> For example.
>>>>>
>>>>> getfacl /home
>>>>> getfacl /home/samba
>>>>> getfacl /home/samba/share/
>>>>> getfacl /home/samba/share/data
>>>>>
>>>>> Can you post these all also but replace the example path to your setup.
>>>> my dc is not a file server, no home or share in this server
>>>> only netlogon and sysvol
>>>>
>>>> # file: usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:root:rwx
>>>> user:3000000:rwx
>>>> user:3000001:rwx
>>>> user:3000003:r-x
>>>> group::rwx
>>>> group:3000000:rwx
>>>> group:3000001:rwx
>>>> group:3000003:r-x
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:3000000:rwx
>>>> default:user:3000001:rwx
>>>> default:user:3000003:r-x
>>>> default:group::---
>>>> default:group:3000000:rwx
>>>> default:group:3000001:rwx
>>>> default:group:3000003:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>>>> Corrado Ravinetto via samba
>>>>>> Sent: Tuesday 6 November 2018 13:44
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] classicupgrade
>>>>>>
>>>>>> hello
>>>>>> I read this post, but when I check the property tab, explorer crashes and I
>>>>>> cannot change anything.
>>>>>> My question is: for each new policy must I change this default ???
>>>>>> Cannot I change create mask on smb.conf for sysvol share ???
>>>>>>
>>>>>> thanks to all
>>>>>>
>>>>>> On 06/11/2018 13:22, L.P.H. van Belle via samba wrote:
>>>>>>> Hai,
>>>>>>>
>>>>>>> I suggest, start reading here, it explains all.
>>>>>>> https://lists.samba.org/archive/samba/2018-February/213690.html
>>>>>>>
>>>>>>> The script in that thread is not changing anything by default.
>>>>>>>
>>>>>>> I suggest try it and post the output.
>>>>>>>
>>>>>>> Greetz,
>>>>>>>
>>>>>>> Louis
>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>>>>>> Rowland Penny via samba
>>>>>>>> Sent: Tuesday 6 November 2018 12:33
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] classicupgrade
>>>>>>>>
>>>>>>>> On Tue, 6 Nov 2018 12:13:31 +0100
>>>>>>>> Corrado Ravinetto via samba <samba at lists.samba.org> wrote:
>>>>>>>>
>>>>>>>>> On 06/11/2018 11:48, Rowland Penny via samba wrote:
>>>>>>>>>> No, your GPO's will still work.
>>>>>>>>> ok
>>>>>>>>> but when I created my gpo in sysvol I cannot access this share
>>>>>>>>> because:
>>>>>>>>>
>>>>>>>>> drwxrwx---+ 4 3000002 3000002 48 6 nov 12.03 {CE2EBBA2-28FE-45D7-94EC-CD7357F38D73}
>>>>>>>>>
>>>>>>>>> Must I, for each new policy, adjust right and owner ???
>>>>>>>>>
>>>>>>>>> mmmmmmmh
>>>>>>>> '3000002' is coming from idmap.ldb and because '3000002' isn't a Unix
>>>>>>>> user, it isn't mapped to a Unix name, it could in fact be a group, yes,
>>>>>>>> groups on Windows can own folders & files.
>>>>>>>>
>>>>>>>> There is a wiki page that might help:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
>>>>>>>>
>>>>>>>> Further than that, I cannot help, I do not use GPO's, I don't have any
>>>>>>>> Windows clients ;-)
>>>>>>>>
>>>>>>>> Perhaps Louis might care to chime in here.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>> --
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>
>>>>>> --
>>>>>>
>>>>>> *Corrado Ravinetto*
>>>>>>
>>>> --
>>>>
>>>> *Corrado Ravinetto*
>>>>
>> --
>>
>> *Corrado Ravinetto*
>> Information Systems
>> corrado.ravinetto at lanificiocerruti.com
>> T: +39 015 3591283
>> *Lanificio F.lli Cerruti S.p.A.*
>> Via Cernaia 40, 13900 - Biella (BI) Italy
>> www.lanificiocerruti.com
>>
>> Respect the environment, don't print unless necessary
>>
--
*Corrado Ravinetto*
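An added example, not part of the thread: a small Python check that parses the two sysvol `getfacl` listings quoted above (trimmed excerpts), decodes the `\134` and `\040` escapes, and reports where the posted ACL departs from `default-rights-sysvol.acl`. The function names are hypothetical; entries qualified by a numeric xID are skipped because, as noted in the thread, those numbers come from the local idmap.ldb.

```python
import re

# Trimmed excerpts of two listings in the thread; the "getfacl:" notice is added to REPORTED.
BASELINE = r"""# file: sysvol
# owner: root
# group: BUILTIN\134administrators
group:BUILTIN\134server\040operators:r-x
mask::rwx
other::---
default:other::---"""

REPORTED = r"""getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: root
user:3000000:rwx
mask::rwx
other::rwx
default:other::---"""

def unescape(s):
    # getfacl writes special characters as \ooo octal: \134 is "\", \040 is a space
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)

def parse_getfacl(text):
    """Return (header, entries); entries maps (scope, tag, qualifier) -> perms."""
    header, entries = {}, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = unescape(value.strip())
        elif line and not line.startswith("getfacl:"):  # skip the stderr notice
            scope = "default" if line.startswith("default:") else "access"
            body = line[len("default:"):] if scope == "default" else line
            tag, qualifier, perms = body.split(":", 2)
            entries[(scope, tag, unescape(qualifier))] = perms[:3]  # drop "#effective"
    return header, entries

def audit(reported, baseline):
    """Diff owner/group and unqualified entries; xID qualifiers are host-specific."""
    (r_head, r_acl), (b_head, b_acl) = parse_getfacl(reported), parse_getfacl(baseline)
    findings = [(k, r_head.get(k), b_head[k]) for k in ("owner", "group")
                if r_head.get(k) != b_head[k]]
    for (scope, tag, qual), perms in sorted(r_acl.items()):
        expected = b_acl.get((scope, tag, qual))
        if qual == "" and expected is not None and perms != expected:
            findings.append((f"{scope} {tag}", perms, expected))
    return findings

print(audit(REPORTED, BASELINE))
```

On these excerpts it reports the owning group (`root` instead of `BUILTIN\administrators`) and `other::rwx`, an entry that grants write permission on the sysvol directory to every local account.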