barani tharan
2018-Nov-28 08:36 UTC
[Samba] Fw: AD users are not shown in Domain Controller when applying setfacl command
Dear Team,

I show below my problem when trying to apply setfacl to a share directory in the domain controller.

My problem is: I have one Samba AD [4.1]; it works fine. I created a common share folder in the domain controller, and when I try to apply ACL permissions it shows the following message:

[root at sambadc ~]# setfacl -m "u:RISHI\Administrator:rwx" /ADD_Drive/Sample
setfacl: Option -m: Invalid argument near character 3

After that I tried to find the user's id:

[root at sambadc ~]# id RISHI\\administrator
id: RISHI\administrator: no such user

But when I try the command below it shows the users:

[root at sambadc ~]# samba-tool user list
AvijitGhosh
RanjitRaman
TeernaChatterjee
AnkitJaiswal
Priyaranjan
DeepJoy
NirajKishorSingh
RajKumarMaurya
Test
HimanshuSinghi
SoumyaKanjilal
AshishJaiswal
PoushaliSengupta
BanditaRoy
RohitAgarwal
TuhinSaha
Subramaniam

My Samba file smb.conf:

[root at sambadc ~]# vi /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = RISHI
realm = RISHI.COM
netbios name = SAMBADC
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/rishi.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[Rishinox] ----> This is my share name
path = /ADD_Drive/Rishinox_Share ---> ADD_Drive is a directory where I mounted a 1 TB hard disk; I show the fstab config file below
read only = no
inherit acls = yes
browseable = yes
valid users = +rishi\"Domain Users"

# vi /etc/fstab
#
# /etc/fstab
# Created by anaconda on Thu Oct 26 20:59:06 2017
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=855b2556-69c5-40d5-8c1e-7686791de4e8 / ext4 defaults 1 1
UUID=76398c37-3212-4092-b8d4-cf2a807ac07d /home ext4 defaults 1 2
UUID=600ec943-139e-4bf2-9d70-51ce2bfaeeab swap swap defaults 0 0
/dev/disk/by-uuid/1ff91bed-d951-4712-8812-c6bb5760b565 /LVM auto nosuid,nodev,nofail,x-gvfs-show 0 0
#Mount External Drive to ADD_Drive
/dev/sdb /ADD_Drive ext4 defaults,acl 0 0

At the same time, when I try ACL permissions in the domain member server they can be applied and it shows the user id:

[root at backupserver ~]# id RISHI\\administrator
uid=16777216(administrator) gid=16777220(domain users) groups=16777220(domain users),16777221(group policy creator owners),16777222(denied rodc password replication group),16777223(enterprise admins),16777224(schema admins),16777225(domain admins),16777217(BUILTIN\users),16777216(BUILTIN\administrators)

Please solve my issue.

Thanks & Regards
Baranitharan
Rowland Penny
2018-Nov-28 09:15 UTC
[Samba] Fw: AD users are not shown in Domain Controller when applying setfacl command
On Wed, 28 Nov 2018 08:36:47 +0000 (UTC)
barani tharan via samba <samba at lists.samba.org> wrote:

> Dear Team I show below my problem when try to apply setfacl to share
> directory in domain controller
>
> My Problem is:
> I have one Samba AD [4.1] it work fine. I create common share folder

Samba 4.1.x is EOL, you really should upgrade.

> in domain controller when try to apply ACL permission it show the
> following message
> [root at sambadc ~]# setfacl -m "u:RISHI\Administrator:rwx" /ADD_Drive/Sample
> setfacl: Option -m: Invalid argument near character 3
> After that i try to find usres id
>
> [root at sambadc ~]# id RISHI\\administrator
> id: RISHI\administrator: no such user
> But when i try the below command it shows the users
> [root at sambadc ~]# samba-tool user list
> AvijitGhosh
> RanjitRaman
> TeernaChatterjee
> AnkitJaiswal
> Priyaranjan
> DeepJoy
> NirajKishorSingh
> RajKumarMaurya
> Test
> HimanshuSinghi
> SoumyaKanjilal
> AshishJaiswal
> PoushaliSengupta
> BanditaRoy
> RohitAgarwal
> TuhinSaha
> Subramaniam

'samba-tool user list' works in the same way as 'wbinfo -u', it goes direct to AD.
If getent doesn't work, it is usually because the libnss-winbind links are not set up, see here:
https://wiki.samba.org/index.php/Libnss_winbind_Links

> My Samba file smb.conf
>
> [root at sambadc ~]# vi /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
> workgroup = RISHI
> realm = RISHI.COM
> netbios name = SAMBADC
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/rishi.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [Rishinox]
> path = /ADD_Drive/Rishinox_Share
> read only = no

Make the share look like the above and then read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
You must use Windows ACLs on a share on a DC.

> At Same time try ACL permission in Domain member server it can be
> apply and show the user Id
>
> [root at backupserver ~]# id RISHI\\administrator
> uid=16777216(administrator) gid=16777220(domain users) groups=16777220(domain users),16777221(group policy creator owners),16777222(denied rodc password replication group),16777223(enterprise admins),16777224(schema admins),16777225(domain admins),16777217(BUILTIN\users),16777216(BUILTIN\administrators)

It looks like you are using sssd, if so, can I suggest you use winbind instead, see here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
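An added diagnostic, not from this thread or the Samba project, for the checks Rowland's reply points at: whether nsswitch.conf routes passwd/group lookups through winbind, whether the libnss_winbind link chain actually resolves to a file, and which principals in getfacl output are still bare numeric IDs (the DC-side symptom of NSS not mapping winbind users). Paths are parameters and the fixture below is constructed, so it runs offline; on a real DC you would point the functions at /etc/nsswitch.conf, /lib64 and a `getfacl` of the share.

```shell
#!/bin/sh
# Added example (not the list poster's or Samba's own code). Each check is a
# function returning an exit status or printing a result, so it can be scripted.

# 1. Does nsswitch.conf send both passwd and group lookups through winbind?
nsswitch_has_winbind() {   # $1 = path to an nsswitch.conf
    awk '$1 == "passwd:" || $1 == "group:" { if ($0 ~ /winbind/) n++ }
         END { exit (n == 2) ? 0 : 1 }' "$1"
}

# 2. Does the libnss_winbind link chain resolve to a real file? `-e` follows
#    symlinks, so a dangling .so -> .so.2 link (a common cause of
#    "id: ...: no such user" on a source-built DC) fails this test.
winbind_nss_lib_ok() {     # $1 = library directory, e.g. /lib64
    [ -e "$1/libnss_winbind.so.2" ] && [ -e "$1/libnss_winbind.so" ]
}

# 3. Print every owner/group/ACL principal in getfacl output (stdin) that is
#    still a bare number, i.e. an ID that NSS could not map to a name.
unresolved_acl_ids() {
    awk -F: '
        /^# (owner|group): [0-9]+$/     { sub(/^# (owner|group): /, ""); print; next }
        /^(user|group):[0-9]+:/         { print $2; next }
        /^default:(user|group):[0-9]+:/ { print $3 }'
}

# Constructed fixture: one lib dir whose chain dangles, one whose chain resolves,
# and two nsswitch files. Prints the fixture directory (caller removes it).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/lib_bad" "$d/lib_good/samba"
    ln -s libnss_winbind.so.2 "$d/lib_bad/libnss_winbind.so"   # .so.2 never created
    : > "$d/lib_good/samba/libnss_winbind.so.2"                # stands in for Samba's lib
    ln -s "$d/lib_good/samba/libnss_winbind.so.2" "$d/lib_good/libnss_winbind.so.2"
    ln -s libnss_winbind.so.2 "$d/lib_good/libnss_winbind.so"
    printf 'passwd: files\ngroup:  files\n' > "$d/nss_bad"
    printf 'passwd: files winbind\ngroup:  files winbind\n' > "$d/nss_good"
    echo "$d"
}

# Constructed getfacl output in the shape the DC printed in this thread.
SAMPLE_GETFACL='# owner: 16777216
# group: 16777220
user::rwx
group:3000000:rwx #effective:r-x
default:user:3000000:rwx
default:group:users:r-x'
```

Any ID that `unresolved_acl_ids` prints should also fail `getent passwd <id>` or `getent group <id>` on that host, which is the quickest confirmation that the problem is NSS resolution rather than the ACL itself.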
barani tharan
2018-Nov-30 06:16 UTC
[Samba] Fw: AD users are not shown in Domain Controller when applying setfacl command
Dear Rowland Penny,

I followed the steps you mentioned; still I am facing the same problem.
I have 1 Domain Controller [sambadc] and 1 Domain member for the Samba share and
backup [backupserver].

1. When I try to view the ACL rights in the backup server I am able to view the domain user
name:
[root at backupserver Rishinox]# getfacl /ADHDD/Rishinox/
getfacl: Removing leading '/' from absolute path names
# file: ADHDD/Rishinox/
# owner: administrator
# group: domain\040users
user::rwx
user:administrator:rwx #effective:r-x
group::rwx #effective:r-x
group:domain\040users:r-x
group:domain\040admins:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:administrator:rwx
default:group::rwx
default:group:domain\040users:r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x
2. My smb.conf file in the backup server:
[root at backupserver Rishinox]# vi /etc/samba/smb.conf
[global]
#--authconfig--start-line--
# Generated by authconfig on 2017/10/27 10:57:19
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = RISHI
password server = sambadc.rishi.com
realm = RISHI.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = yes
winbind offline logon = true
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
#--authconfig--end-line--
; workgroup = SAMBA
; security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[Rishinox] ---> This is my Samba share
path = /ADHDD/Rishinox
read only = no
inherit acls = yes
browseable = yes
valid users = +rishi\"Domain Users"
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
3. I am able to view the Domain user id in backupserver:
[root at backupserver Rishinox]# id RISHI\\administrator
uid=16777216(administrator) gid=16777220(domain users) groups=16777220(domain
users),16777221(group policy creator owners),16777222(denied rodc password
replication group),16777223(enterprise admins),16777224(schema
admins),16777225(domain
admins),16777217(BUILTIN\users),16777216(BUILTIN\administrators)
4. When I try to check the domain user id, set the ACL and change the owner of a
file, I get the following errors in the Domain Controller:
[root at sambadc Rishinox_Share]# chown root:"Domain Admins" /ADD_Drive/Rishinox_Share/COMMON/
chown: invalid group: ‘root:Domain Admins’
[root at sambadc Rishinox_Share]# setfacl -m "u:RISHI\Administrator:rwx" /ADD_Drive/Rishinox_Share/
setfacl: Option -m: Invalid argument near character 3
[root at sambadc Rishinox_Share]# id RISHI\\administrator
id: RISHI\administrator: no such user
5. When I try to view the ACL rights I get the following; the Domain user name is not
shown, it shows the user id instead?
[root at sambadc Rishinox_Share]# getfacl /ADD_Drive/Rishinox_Share/
getfacl: Removing leading '/' from absolute path names
# file: ADD_Drive/Rishinox_Share/
# owner: 16777216
# group: 16777220
user::rwx
user:root:rwx #effective:r-x
group::---
group:root:---
group:users:r-x
group:3000000:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::r-x
default:group:root:r-x
default:group:users:r-x
default:group:3000000:rwx
default:mask::rwx
default:other::---
6. My smb.conf file for the Domain Controller:
[root at sambadc Rishinox_Share]# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = RISHI
realm = RISHI.COM
netbios name = SAMBADC
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/rishi.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[Rishinox]
path = /ADD_Drive/Rishinox_Share
read only = no
7. I have already checked the libnss link and ACL setup in the Domain Controller:
# smbd -b | grep HAVE_LIBACL
HAVE_LIBACL
[root at sambadc Rishinox_Share]# net rpc rights list privileges SeDiskOperatorPrivilege -U "RISHI\administrator"
[root at sambadc Rishinox_Share]# net rpc rights grant "RISHI\Domain Admins" SeDiskOperatorPrivilege -U "RISHI\administrator"
[root at sambadc Rishinox_Share]# ls -ll /lib64
lrwxrwxrwx. 1 root root 9 Oct 26 2017 /lib64 -> usr/lib64
[root at sambadc Rishinox_Share]# ls -ll /lib64/libnss_winbind.so
lrwxrwxrwx 1 root root 26 Nov 28 18:27 /lib64/libnss_winbind.so -> /lib64/libnss_winbind.so.2
I don't know what I am doing wrong in the configuration.

Thanks & Regards
Baranitharan

On Wednesday, 28 November 2018, 2:45:40 PM GMT+5:30, Rowland Penny via samba <samba at lists.samba.org> wrote:
On Wed, 28 Nov 2018 08:36:47 +0000 (UTC)
barani tharan via samba <samba at lists.samba.org> wrote:
>
> Dear Team I show below my problem when try to apply setfacl to share
> directory in domain controller
>
>
> My Problem is:
> I have one Samba AD [4.1] it work fine. I create common share folder
Samba 4.1.x is EOL, you really should upgrade.
> in domain controller when try to apply ACL permission it show the
> following message [root at sambadc ~]# setfacl -m
> "u:RISHI\Administrator:rwx" /ADD_Drive/Samplesetfacl: Option -m:
> Invalid argument near character 3 After that i try to find usres id
>
> [root at sambadc ~]# id RISHI\\administrator
> id: RISHI\administrator: no such user
> But when i try the below command it shows the users
> [root at sambadc ~]# samba-tool user list
>
> AvijitGhosh
> RanjitRaman
> TeernaChatterjee
> AnkitJaiswal
> Priyaranjan
> DeepJoy
> NirajKishorSingh
> RajKumarMaurya
> Test
> HimanshuSinghi
> SoumyaKanjilal
> AshishJaiswal
> PoushaliSengupta
> BanditaRoy
> RohitAgarwal
> TuhinSaha
> Subramaniam
'samba-tool user list' works in the same way as 'wbinfo -u', it goes direct to AD.
If getent doesn't work, it is usually because the libnss-winbind links
are not set up, see here:
https://wiki.samba.org/index.php/Libnss_winbind_Links
>
> My Samba file smb.conf
>
> [root at sambadc ~]# vi /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
> workgroup = RISHI
> realm = RISHI.COM
> netbios name = SAMBADC
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbind, ntp_signd, kcc, dnsupdate idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/rishi.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [Rishinox]
> path = /ADD_Drive/Rishinox_Share
> read only = no
Make the share look like the above and then read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
You must use Windows ACLs on a share on a DC.
> At Same time try ACL permission in Domain member server it can be
> apply and show the user Id
>
> [root at backupserver ~]# id RISHI\\administrator
> uid=16777216(administrator) gid=16777220(domain users)
> groups=16777220(domain users),16777221(group policy creator
> owners),16777222(denied rodc password replication
> group),16777223(enterprise admins),16777224(schema
> admins),16777225(domain
> admins),16777217(BUILTIN\users),16777216(BUILTIN\administrators)
>
It looks like you are using sssd, if so, can I suggest you use winbind
instead, see here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Rowland