Hello Luis

tomorrow I'm not in office, reply to you Thursday
One question: who is owner and what's rights for dir
/home
/home/samba
/home/samba/sysvol

because, from windows client, user into domain admins, when I change in security tab, explorer always crash

bye

On 06/11/2018 17:16, L.P.H. van Belle via samba wrote:
> Ok, next,
>
> From a windows pc connect to the server with computer manager, and now setup the share and folder rights.
> As shown in the link posted ( https://lists.samba.org/archive/samba/2018-February/213690.html )
>
> I'm leaving the office. So a reply will probably be tomorrow.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Corrado Ravinetto via samba
>> Sent: Tuesday 6 November 2018 16:57
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] classicupgrade
>>
>> Hello Luis
>> I followed your email and I created this file with your link:
>>
>> [root@dc1 samba.PDC]# cat default-rights-sysvol.acl
>> # file: /home/samba/sysvol
>> # owner: root
>> # group: root
>> user::rwx
>> user:root:rwx
>> user:3000004:rwx
>> user:3000000:r-x
>> user:3000001:rwx
>> user:3000018:r-x
>> group::rwx
>> group:3000004:rwx
>> group:3000000:r-x
>> group:3000001:rwx
>> group:3000018:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:3000004:rwx
>> default:user:3000000:r-x
>> default:user:3000001:rwx
>> default:user:3000018:r-x
>> default:group::---
>> default:group:3000004:rwx
>> default:group:3000000:r-x
>> default:group:3000001:rwx
>> default:group:3000018:r-x
>> default:mask::rwx
>> default:other::---
>>
>> I applied this with setfacl
>> I restarted samba; from windows, with gpo, when create a new gpo:
>> access denied
>>
>> On 06/11/2018 15:52, L.P.H. van Belle via samba wrote:
>>> Hai,
>>>
>>> Ok, I expected a bit different outputs.
>>> On my DC, I use /home/samba/sysvol and /home/samba/netlogon.
>>> This is what I expected.
>>>
>>> getfacl /home/samba/
>>>
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: home/samba/
>>> # owner: root
>>> # group: BUILTIN\134administrators
>>> user::rwx
>>> user:root:rwx
>>> group::rwx
>>> group:BUILTIN\134administrators:rwx
>>> group:BUILTIN\134server\040operators:r-x
>>> group:NT\040AUTHORITY\134system:rwx
>>> group:NT\040AUTHORITY\134authenticated\040users:r-x
>>> mask::rwx
>>> other::r-x
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:group::---
>>> default:group:BUILTIN\134administrators:rwx
>>> default:group:BUILTIN\134server\040operators:r-x
>>> default:group:NT\040AUTHORITY\134system:rwx
>>> default:group:NT\040AUTHORITY\134authenticated\040users:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>> Now how am I getting that if I'm sharing : /home/samba/sysvol
>>> I've also shared : /home/samba before the setup.
>>> I've set the above rights first on /home/samba
>>> And then I've set the rights on /home/samba/sysvol
>>>
>>> Before you do that.
>>> wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
>>> That generated a file called : default-rights-sysvol.acl
>>> With this as content:
>>> # file: sysvol
>>> # owner: root
>>> # group: BUILTIN\134administrators
>>> user::rwx
>>> user:root:rwx
>>> user:BUILTIN\134administrators:rwx
>>> user:BUILTIN\134server\040operators:r-x
>>> user:3000002:rwx
>>> user:3000003:r-x
>>> group::rwx
>>> group:BUILTIN\134administrators:rwx
>>> group:BUILTIN\134server\040operators:r-x
>>> group:3000002:rwx
>>> group:3000003:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:BUILTIN\134administrators:rwx
>>> default:user:BUILTIN\134server\040operators:r-x
>>> default:user:3000002:rwx
>>> default:user:3000003:r-x
>>> default:group::---
>>> default:group:BUILTIN\134administrators:rwx
>>> default:group:BUILTIN\134server\040operators:r-x
>>> default:group:3000002:rwx
>>> default:group:3000003:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>> And if you use sysvol/netlogon only for windows computers, which you do.
>>> Set these : ( change the path to your setup. )
>>> [sysvol]
>>> path = /home/samba/sysvol
>>> read only = No
>>> acl_xattr:ignore system acls = yes
>>>
>>> [netlogon]
>>> path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
>>> read only = No
>>> acl_xattr:ignore system acls = yes
>>>
>>> It's, in my opinion, the best way to make your sysvol work without problems.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Corrado Ravinetto via samba
>>>> Sent: Tuesday 6 November 2018 14:35
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] classicupgrade
>>>>
>>>> great :-)
>>>>
>>>> On 06/11/2018 14:17, L.P.H. van Belle via samba wrote:
>>>>> This is one time settings.
>>>>> And yes, for each policy you need to click on these once.
>>>>> ( in the gpo policy objects in GPO editor )
>>>> ok
>>>>> Can you post smb.conf
>>>> [global]
>>>> netbios name = DC1
>>>> realm = LXCERRUTI.COM
>>>> server role = active directory domain controller
>>>> workgroup = LXCERRUTI
>>>> idmap_ldb:use rfc2307 = yes
>>>> log level = 1
>>>>
>>>> [netlogon]
>>>> path = /usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
>>>> read only = No
>>>>
>>>> [sysvol]
>>>> path = /usr/local/samba/var/locks/sysvol
>>>> read only = No
>>>>
>>>>> getfacl PATH_TO_SYSVOL
>>>> I'm not sure these are the original, I do many changes ....
>>>>
>>>> # file: usr/local/samba/var/locks/sysvol
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:root:rwx
>>>> user:3000000:rwx
>>>> user:3000003:r-x
>>>> group::rwx
>>>> group:3000000:rwx
>>>> group:3000001:rwx
>>>> group:3000003:r-x
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:3000000:rwx
>>>> default:user:3000003:r-x
>>>> default:group::---
>>>> default:group:3000000:rwx
>>>> default:group:3000001:rwx
>>>> default:group:3000003:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>>> getent the_Folder_ONE_below-PATH_TO_SYSVOL
>>>>>
>>>>> Explorer crashes, if 9 out of 10 x a wrong right on the folder below the point you're sharing.
>>>>> For example.
>>>>>
>>>>> getfacl /home
>>>>> getfacl /home/samba
>>>>> getfacl /home/samba/share/
>>>>> getfacl /home/samba/share/data
>>>>>
>>>>> Can you post these all also but replace the example path to your setup.
>>>> my dc is not a file server, no home or share in this server
>>>> only netlogon and sysvol
>>>>
>>>> # file: usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:root:rwx
>>>> user:3000000:rwx
>>>> user:3000001:rwx
>>>> user:3000003:r-x
>>>> group::rwx
>>>> group:3000000:rwx
>>>> group:3000001:rwx
>>>> group:3000003:r-x
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:3000000:rwx
>>>> default:user:3000001:rwx
>>>> default:user:3000003:r-x
>>>> default:group::---
>>>> default:group:3000000:rwx
>>>> default:group:3000001:rwx
>>>> default:group:3000003:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Corrado Ravinetto via samba
>>>>>> Sent: Tuesday 6 November 2018 13:44
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] classicupgrade
>>>>>>
>>>>>> hello
>>>>>> I read this post, but when I check property tab, explorer crash and I cannot changing anything.
>>>>>> My question is: for each new policy I must change this default ???
>>>>>> Cannot I change create mask on smb.conf for sysvol share ???
>>>>>>
>>>>>> thanks at all
>>>>>>
>>>>>> On 06/11/2018 13:22, L.P.H. van Belle via samba wrote:
>>>>>>> Hai,
>>>>>>>
>>>>>>> I suggest, start reading here, it explains all.
>>>>>>> https://lists.samba.org/archive/samba/2018-February/213690.html
>>>>>>>
>>>>>>> The script in that thread is not changing anything by default.
>>>>>>>
>>>>>>> I suggest try it and post the output.
>>>>>>>
>>>>>>> Greetz,
>>>>>>>
>>>>>>> Louis
>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
>>>>>>>> Sent: Tuesday 6 November 2018 12:33
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] classicupgrade
>>>>>>>>
>>>>>>>> On Tue, 6 Nov 2018 12:13:31 +0100
>>>>>>>> Corrado Ravinetto via samba <samba at lists.samba.org> wrote:
>>>>>>>>
>>>>>>>>> On 06/11/2018 11:48, Rowland Penny via samba wrote:
>>>>>>>>>> No, your GPO's will still work.
>>>>>>>>> ok
>>>>>>>>> but when I created my gpo in sysvol I cannot access to this share because:
>>>>>>>>>
>>>>>>>>> drwxrwx---+ 4 3000002 3000002 48 6 nov 12.03 {CE2EBBA2-28FE-45D7-94EC-CD7357F38D73}
>>>>>>>>>
>>>>>>>>> Must I, for each new policy, adjust right and owner ???
>>>>>>>>>
>>>>>>>>> mmmmmmmh
>>>>>>>> '3000002' is coming from idmap.ldb and because '3000002' isn't a Unix
>>>>>>>> user, it isn't mapped to a Unix name, it could in fact be a group, yes,
>>>>>>>> groups on Windows can own folders & files.
>>>>>>>>
>>>>>>>> There is a wiki page that might help:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
>>>>>>>>
>>>>>>>> Further than that, I cannot help, I do not use GPO's, I don't have any
>>>>>>>> Windows clients ;-)
>>>>>>>>
>>>>>>>> Perhaps Louis might care to chime in here.
>>>>>>>>
>>>>>>>> Rowland

--
Corrado Ravinetto
Information Systems
corrado.ravinetto at lanificiocerruti.com
T: +39 015 3591283
Lanificio F.lli Cerruti S.p.A.
Via Cernaia 40, 13900 - Biella (BI) Italy
www.lanificiocerruti.com

Hello Luis

I'm in office, today I try to create a new gpo from windows client, but I cannot for access denied, then I elevated log level to 3 and I logged this:

[2018/11/08 11:03:48.083966, 3] ../source3/smbd/msdfs.c:1063(get_referred_path)
  get_referred_path: |SysVol| in dfs path \dc1.lxcerruti.com\SysVol is not a dfs root.
[2018/11/08 11:03:48.084043, 3] ../source3/smbd/smb2_server.c:3190(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2018/11/08 11:03:48.084866, 3] ../source3/smbd/smb2_server.c:3190(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_PATH_NOT_FOUND] || at ../source3/smbd/smb2_create.c:296
[2018/11/08 11:03:48.085532, 3] ../source3/smbd/msdfs.c:1063(get_referred_path)
  get_referred_path: |SysVol| in dfs path \dc1.lxcerruti.com\SysVol is not a dfs root.

On 06/11/2018 17:36, Corrado Ravinetto via samba wrote:
> Hello Luis
> tomorrow I'm not in office, reply to you Thursday
> One question: who is owner and what's rights for dir
> /home
> /home/samba
> /home/samba/sysvol
>
> because, from windows client, user into domain admins, when I change
> in security tab, explorer always crash
>
> bye
>
> On 06/11/2018 17:16, L.P.H. van Belle via samba wrote:
>> Ok, next,
>>
>> From a windows pc connect to the server with computer manager, and
>> now setup the share and folder rights.
>> As shown in the link posted (
>> https://lists.samba.org/archive/samba/2018-February/213690.html )
>>
>> I'm leaving the office. So a reply will probably be tomorrow.
>>
>> Greetz,
>>
>> Louis

--
Corrado Ravinetto

hello

> One question: who is owner and what's rights for dir
> /home
drwxr-xr-x. 5 root root 49 6 nov 16.21 home
> /home/samba
drwxr-xr-x. 3 root root 20 6 nov 16.21 samba
> /home/samba/sysvol
drwxrwx---+ 4 root root 52 8 nov 12.47 sysvol
>
> because, from windows client, user into domain admins, when I change
> in security tab, explorer always crash
>
> bye
>
> On 06/11/2018 17:16, L.P.H. van Belle via samba wrote:
>> Ok, next,
>>
>> From a windows pc connect to the server with computer manager, and
>> now setup the share and folder rights.
>> As shown in the link posted (
>> https://lists.samba.org/archive/samba/2018-February/213690.html )
>>
>> I'm leaving the office. So a reply will probably be tomorrow.
>>
>> Greetz,
>>
>> Louis

--
Corrado Ravinetto
* Via Cernaia 40, 13900 - Biella (BI) Italy www.lanificiocerruti.com <http://www.lanificiocerruti.com/> Twitter <https://twitter.com/Lan_Cerruti> Facebook <https://www.facebook.com/LanificioCerruti> Instagram <https://www.instagram.com/lanificiocerruti/> Rispetta l'ambiente, non stampare questa mail se non necessario Respect the environment, don't print unless necessary
SORRY, I have added a user to domain admins and used this to create gpo.
Now I used administrator and gpo are created correctly: how can I elevate my user to domain admins ???

tnx

On 08/11/2018 14:05, Corrado Ravinetto via samba wrote:
> hello
>> One question : who is owner and what rights for dir
>
>> /home
> drwxr-xr-x. 5 root root 49 6 nov 16.21 home
>> /home/samba
> drwxr-xr-x. 3 root root 20 6 nov 16.21 samba
>> /home/samba/sysvol
> drwxrwx---+ 4 root root 52 8 nov 12.47 sysvol
>>
>> because, from windows client, user into domain admins, when I change
>> in security tab, explorer always crashes
>>
>> bye

--
Corrado Ravinetto
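An added example, not part of the thread and not Samba project code: a small Python check that parses two `getfacl` dumps and reports what would change before a reference ACL is applied with `setfacl`, flagging world-writable `other` entries and numeric IDs that have no Unix name. The function names and finding labels are hypothetical; the two dumps are excerpts of the ACLs posted in the thread.

```python
import re

def unescape(name):
    # getfacl prints '\' as \134 and ' ' as \040 (e.g. BUILTIN\134administrators)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Map (scope, tag, qualifier) -> perms for one getfacl record."""
    acl = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops '# file:' style headers
        if not line:
            continue
        fields = line.split(":")
        scope = "access"
        if fields[0] == "default":
            scope, fields = "default", fields[1:]
        if len(fields) != 3:
            raise ValueError(f"unparseable ACL entry: {raw!r}")
        tag, qualifier, perms = fields
        acl[(scope, tag, unescape(qualifier))] = perms
    return acl

def audit(live, reference):
    """Return (kind, entry, live_perms, reference_perms) findings."""
    findings = []
    for key in sorted(set(live) | set(reference)):
        scope, tag, who = key
        have, want = live.get(key), reference.get(key)
        entry = f"{scope} {tag}:{who}"
        if have != want:
            findings.append(("DIFF", entry, have, want))
        if tag == "other" and have and "w" in have:
            findings.append(("WORLD-WRITABLE", entry, have, want))
        if who.isdigit() and have:  # ID that NSS could not turn into a name
            findings.append(("NUMERIC-ID", entry, have, want))
    return findings

# Excerpts of two ACL dumps posted in the thread (most entries omitted).
LIVE = """\
# file: usr/local/samba/var/locks/sysvol
user:3000000:rwx
user:3000003:r-x
group:3000001:rwx
other::rwx
default:other::---
"""
REFERENCE = """\
# file: /home/samba/sysvol
user:3000004:rwx
user:3000000:r-x
group:3000001:rwx
other::---
default:other::---
"""
def run():
    return audit(parse_getfacl(LIVE), parse_getfacl(REFERENCE))

if __name__ == "__main__":
    for kind, entry, have, want in run():
        print(f"{kind:<15}{entry:<24}live={have} reference={want}")
```

Run it against full `getfacl` output for both paths on the same DC; ID numbers come from that DC's idmap.ldb, so dumps from different domains are not comparable by number.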