Stefan G. Weichinger
2018-Sep-11 07:54 UTC
[Samba] "missing security tab" and related ACL issues
On 07.09.18 at 20:07, Rowland Penny via samba wrote:
> On Fri, 7 Sep 2018 19:09:37 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

>> But
>>
>> # net rpc rights grant "Domänen-Admins" SeDiskOperatorPrivilege -U
>> "mydomain\administrator"
>>
>> fails
>>
>> also for "mydomain\Domänen-Admins"
>
> Why is it 'Domanen-Admins' ? is the dash normal for the German version
> of Windows ?
> At least it exists ;-)
>
> Is the locale set correctly ?

tried to set the locale to a German one ...

# wbinfo -g
dom�nencomputer
dom�nen-benutzer
dom�nen-g�ste
dom�nen-admins

still that special char displayed

# wbinfo -g | grep -i adm
specops endpoint protection report admins
dnsadmins
schema-admins
organisations-admins
Übereinstimmungen in Binärdatei (Standardeingabe)

this does NOT contain "domänen-admins"

why that?

-

# smb.conf

[global]
unix charset = iso8859-15

security = ads
realm = MYDOMAIN.INTRA
workgroup = MYDOMAIN

netbios aliases = u1MYDOMAIN
server string = U1MYDOMAIN

winbind cache time = 10
winbind use default domain = yes
winbind refresh tickets = Yes

template homedir = /mnt/MSA2040/smb/Homes/%D/%U

restrict anonymous = 2
domain master = no
local master = no
preferred master = no
invalid users = root bin daemon adm sync shutdown halt mail news \
uucp
obey pam restrictions = yes

interfaces = 192.168.100.4/24 127.0.0.1
bind interfaces only = Yes

idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config MYDOMAIN : range = 10000-20000
idmap config MYDOMAIN : backend = rid

# For ACL support on domain member
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes
nt acl support = No
force unknown acl user = Yes

unix extensions = no
follow symlinks= yes
wide links= yes

load printers = no
printcap name = /dev/null

# exe files

acl allow execute always = True

# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir write pwrite rename unlink \
chmod fchmod chown fchown ftruncate
full_audit:facility = local5
full_audit:priority = notice

# /etc/nsswitch.conf:

passwd: compat winbind files
group: compat winbind files
shadow: compat files
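Added example, not part of the original message: with `unix charset = iso8859-15` the names printed by `wbinfo -g` are ISO-8859-15 bytes, and GNU grep running in a UTF-8 locale treats a stream containing such bytes as binary, printing only "Binary file (standard input) matches" in place of the lines that hold them. The sketch assumes a UTF-8 shell locale; the function names and the sample group list are constructed for illustration.

```shell
#!/bin/sh
# Added example. Group names are constructed: ISO-8859-15 bytes as a member
# with "unix charset = iso8859-15" would print them (\344 = 0xE4 = a-umlaut).
sample_wbinfo() {
    printf 'dom\344nencomputer\n'
    printf 'dom\344nen-benutzer\n'
    printf 'dom\344nen-g\344ste\n'
    printf 'dom\344nen-admins\n'
    printf 'dnsadmins\n'
    printf 'schema-admins\n'
}

# Count stdin lines that are not valid UTF-8. One such line is enough for
# GNU grep in a UTF-8 locale to classify the whole stream as binary.
count_invalid_utf8_lines() {
    n=0
    while IFS= read -r line; do
        printf '%s\n' "$line" | iconv -f UTF-8 -t UTF-8 >/dev/null 2>&1 ||
            n=$((n + 1))
    done
    echo "$n"
}

# Option 1: force text mode; matches come back as raw ISO-8859-15 bytes,
# so a UTF-8 terminal still shows a replacement character for the umlaut.
grep_raw() {
    grep -a -i -- "$1"
}

# Option 2: convert to UTF-8 first so both grep and the terminal see
# valid text. The source charset must match "unix charset" in smb.conf.
grep_converted() {
    iconv -f ISO-8859-15 -t UTF-8 | grep -i -- "$1"
}

# Usage on the server (after sourcing this file):
#   wbinfo -g | count_invalid_utf8_lines
#   wbinfo -g | grep_converted adm
```

`unix charset` also governs how Samba encodes file names on disk, so converting at the shell is less invasive than changing that setting on a server that already holds data.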
On Tue, 11 Sep 2018 09:54:32 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 07.09.18 at 20:07, Rowland Penny via samba wrote:
> > On Fri, 7 Sep 2018 19:09:37 +0200
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
> >> But
> >>
> >> # net rpc rights grant "Domänen-Admins" SeDiskOperatorPrivilege -U
> >> "mydomain\administrator"
> >>
> >> fails
> >>
> >> also for "mydomain\Domänen-Admins"
> >
> > Why is it 'Domanen-Admins' ? is the dash normal for the German
> > version of Windows ?
> > At least it exists ;-)
> >
> > Is the locale set correctly ?
>
> tried to set the locale to a German one ...
>
> # wbinfo -g
> dom�nencomputer
> dom�nen-benutzer
> dom�nen-g�ste
> dom�nen-admins
>
> still that special char displayed
>
> # wbinfo -g | grep -i adm
> specops endpoint protection report admins
> dnsadmins
> schema-admins
> organisations-admins
> Übereinstimmungen in Binärdatei (Standardeingabe)
>
> this does NOT contain "domänen-admins"
>
> why that?
>
> -
>
> # smb.conf
>
> [global]
> unix charset = iso8859-15
>
> security = ads
> realm = MYDOMAIN.INTRA
> workgroup = MYDOMAIN
>
> netbios aliases = u1MYDOMAIN
> server string = U1MYDOMAIN
>
> winbind cache time = 10
> winbind use default domain = yes
> winbind refresh tickets = Yes
>
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
>
> restrict anonymous = 2
> domain master = no
> local master = no
> preferred master = no
> invalid users = root bin daemon adm sync shutdown halt mail news \
> uucp
> obey pam restrictions = yes
>
> interfaces = 192.168.100.4/24 127.0.0.1
> bind interfaces only = Yes
>
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config MYDOMAIN : range = 10000-20000
> idmap config MYDOMAIN : backend = rid
>
> # For ACL support on domain member
> vfs objects = acl_xattr full_audit
> map acl inherit = Yes
> store dos attributes = Yes
> nt acl support = No
> force unknown acl user = Yes
>
> unix extensions = no
> follow symlinks= yes
> wide links= yes
>
> load printers = no
> printcap name = /dev/null
>
> # exe files
>
> acl allow execute always = True
>
> # Audit settings
> full_audit:prefix = %u|%I|%S
> full_audit:failure = connect
> full_audit:success = mkdir rmdir write pwrite rename unlink \
> chmod fchmod chown fchown ftruncate
> full_audit:facility = local5
> full_audit:priority = notice
>
> # /etc/nsswitch.conf:
>
> passwd: compat winbind files
> group: compat winbind files
> shadow: compat files
>

There doesn't seem to be anything wrong there and as I never had that
problem, I am a bit stuck now ;-)

Perhaps someone else from Germany has had this problem and would care
to post ?

Rowland
Stefan G. Weichinger
2018-Nov-09 08:06 UTC
[Samba] "missing security tab" and related ACL issues
On 11.09.18 at 10:06, Rowland Penny via samba wrote:
> On Tue, 11 Sep 2018 09:54:32 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>> On 07.09.18 at 20:07, Rowland Penny via samba wrote:
>>> On Fri, 7 Sep 2018 19:09:37 +0200
>>> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>>
>>>> But
>>>>
>>>> # net rpc rights grant "Domänen-Admins" SeDiskOperatorPrivilege -U
>>>> "mydomain\administrator"
>>>>
>>>> fails
>>>>
>>>> also for "mydomain\Domänen-Admins"
>>>
>>> Why is it 'Domanen-Admins' ? is the dash normal for the German
>>> version of Windows ?
>>> At least it exists ;-)
>>>
>>> Is the locale set correctly ?
>>
>> tried to set the locale to a German one ...
>>
>> # wbinfo -g
>> dom�nencomputer
>> dom�nen-benutzer
>> dom�nen-g�ste
>> dom�nen-admins
>>
>> still that special char displayed
>>
>> # wbinfo -g | grep -i adm
>> specops endpoint protection report admins
>> dnsadmins
>> schema-admins
>> organisations-admins
>> Übereinstimmungen in Binärdatei (Standardeingabe)
>>
>> this does NOT contain "domänen-admins"
>>
>> why that?
>>
>> -
>>
>> # smb.conf
>>
>> [global]
>> unix charset = iso8859-15
>>
>> security = ads
>> realm = MYDOMAIN.INTRA
>> workgroup = MYDOMAIN
>>
>> netbios aliases = u1MYDOMAIN
>> server string = U1MYDOMAIN
>>
>> winbind cache time = 10
>> winbind use default domain = yes
>> winbind refresh tickets = Yes
>>
>> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
>>
>> restrict anonymous = 2
>> domain master = no
>> local master = no
>> preferred master = no
>> invalid users = root bin daemon adm sync shutdown halt mail news \
>> uucp
>> obey pam restrictions = yes
>>
>> interfaces = 192.168.100.4/24 127.0.0.1
>> bind interfaces only = Yes
>>
>> idmap config * : range = 3000-7999
>> idmap config * : backend = tdb
>> idmap config MYDOMAIN : range = 10000-20000
>> idmap config MYDOMAIN : backend = rid
>>
>> # For ACL support on domain member
>> vfs objects = acl_xattr full_audit
>> map acl inherit = Yes
>> store dos attributes = Yes
>> nt acl support = No
>> force unknown acl user = Yes
>>
>> unix extensions = no
>> follow symlinks= yes
>> wide links= yes
>>
>> load printers = no
>> printcap name = /dev/null
>>
>> # exe files
>>
>> acl allow execute always = True
>>
>> # Audit settings
>> full_audit:prefix = %u|%I|%S
>> full_audit:failure = connect
>> full_audit:success = mkdir rmdir write pwrite rename unlink \
>> chmod fchmod chown fchown ftruncate
>> full_audit:facility = local5
>> full_audit:priority = notice
>>
>> # /etc/nsswitch.conf:
>>
>> passwd: compat winbind files
>> group: compat winbind files
>> shadow: compat files
>>
>
> There doesn't seem to be anything wrong there and as I never had that
> problem, I am a bit stuck now ;-)
>
> Perhaps someone else from Germany has had this problem and would care
> to post ?

I have to revive this thread, yesterday I enabled the kernel options for
ACLs there and can use ACLs on the filesystem itself.

We still saw no security tab for samba shares in Windows.
Not as domain-admin, not as member of a user with the needed privilege.

The security tab is there for local drives and windows-server-shares,
only samba-4.8.6-shares miss it.

I will recheck everything ...