barani tharan
2018-Nov-30 06:16 UTC
[Samba] Fw: AD users are not shown in Domain Controller when applying setfacl command
Dear Rowland Penny,

I followed the steps you mentioned, but I still face the same problem.
I have 1 Domain Controller [sambadc] and 1 Domain member for Samba share and backup [backupserver].

1. When I try to view the ACL rights on the backup server, I can view the domain user name:

[root at backupserver Rishinox]# getfacl /ADHDD/Rishinox/
getfacl: Removing leading '/' from absolute path names
# file: ADHDD/Rishinox/
# owner: administrator
# group: domain\040users
user::rwx
user:administrator:rwx          #effective:r-x
group::rwx                      #effective:r-x
group:domain\040users:r-x
group:domain\040admins:rwx      #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:administrator:rwx
default:group::rwx
default:group:domain\040users:r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x

2. My smb.conf file on the backup server:

[root at backupserver Rishinox]# vi /etc/samba/smb.conf
[global]
#--authconfig--start-line--
# Generated by authconfig on 2017/10/27 10:57:19
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = RISHI
password server = sambadc.rishi.com
realm = RISHI.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = yes
winbind offline logon = true
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
#--authconfig--end-line--
; workgroup = SAMBA
; security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw

[Rishinox]   ---> This is my Samba share
path = /ADHDD/Rishinox
read only = no
inherit acls = yes
browseable = yes
valid users = +rishi\"Domain Users"
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

3. I am able to view the domain user id on backupserver:

[root at backupserver Rishinox]# id RISHI\\administrator
uid=16777216(administrator) gid=16777220(domain users) groups=16777220(domain users),16777221(group policy creator owners),16777222(denied rodc password replication group),16777223(enterprise admins),16777224(schema admins),16777225(domain admins),16777217(BUILTIN\users),16777216(BUILTIN\administrators)

4. When I try to check the domain user id, set the ACL and change the owner of a file, I get the following errors on the Domain Controller:

[root at sambadc Rishinox_Share]# chown root:"Domain Admins" /ADD_Drive/Rishinox_Share/COMMON/
chown: invalid group: 'root:Domain Admins'
[root at sambadc Rishinox_Share]# setfacl -m "u:RISHI\Administrator:rwx" /ADD_Drive/Rishinox_Share/
setfacl: Option -m: Invalid argument near character 3
[root at sambadc Rishinox_Share]# id RISHI\\administrator
id: RISHI\administrator: no such user

5. When I try to view the ACL rights, I get the following output; it does not show the domain user name, it shows the user id?

[root at sambadc Rishinox_Share]# getfacl /ADD_Drive/Rishinox_Share/
getfacl: Removing leading '/' from absolute path names
# file: ADD_Drive/Rishinox_Share/
# owner: 16777216
# group: 16777220
user::rwx
user:root:rwx           #effective:r-x
group::---
group:root:---
group:users:r-x
group:3000000:rwx       #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::r-x
default:group:root:r-x
default:group:users:r-x
default:group:3000000:rwx
default:mask::rwx
default:other::---

6. My smb.conf file for the Domain Controller:

[root at sambadc Rishinox_Share]# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = RISHI
realm = RISHI.COM
netbios name = SAMBADC
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/rishi.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[Rishinox]
path = /ADD_Drive/Rishinox_Share
read only = no

7. I have already checked the libs file link and the ACL setup on the Domain Controller:

# smbd -b | grep HAVE_LIBACL
HAVE_LIBACL
[root at sambadc Rishinox_Share]# net rpc rights list privileges SeDiskOperatorPrivilege -U "RISHI\administrator"
[root at sambadc Rishinox_Share]# net rpc rights grant "RISHI\Domain Admins" SeDiskOperatorPrivilege -U "RISHI\administrator"
[root at sambadc Rishinox_Share]# ls -ll /lib64
lrwxrwxrwx. 1 root root 9 Oct 26  2017 /lib64 -> usr/lib64
[root at sambadc Rishinox_Share]# ls -ll /lib64/libnss_winbind.so
lrwxrwxrwx 1 root root 26 Nov 28 18:27 /lib64/libnss_winbind.so -> /lib64/libnss_winbind.so.2

I don't know what I am doing wrong in the configuration.

Thanks & Regards
Baranitharan

On Wednesday, 28 November 2018, 2:45:40 PM GMT+5:30, Rowland Penny via samba <samba at lists.samba.org> wrote:

On Wed, 28 Nov 2018 08:36:47 +0000 (UTC)
barani tharan via samba <samba at lists.samba.org> wrote:

> Dear Team I show below my problem when try to apply setfacl to share
> directory in domain controller
>
> My Problem is:
> I have one Samba AD [4.1] it work fine.
> I create common share folder

Samba 4.1.x is EOL, you really should upgrade.

> in domain controller when try to apply ACL permission it show the
> following message
> [root at sambadc ~]# setfacl -m "u:RISHI\Administrator:rwx" /ADD_Drive/Sample
> setfacl: Option -m: Invalid argument near character 3
> After that i try to find usres id
>
> [root at sambadc ~]# id RISHI\\administrator
> id: RISHI\administrator: no such user
> But when i try the below command it shows the users
> [root at sambadc ~]# samba-tool user list
>
> AvijitGhosh
> RanjitRaman
> TeernaChatterjee
> AnkitJaiswal
> Priyaranjan
> DeepJoy
> NirajKishorSingh
> RajKumarMaurya
> Test
> HimanshuSinghi
> SoumyaKanjilal
> AshishJaiswal
> PoushaliSengupta
> BanditaRoy
> RohitAgarwal
> TuhinSaha
> Subramaniam

'samba-tool user list' works in the same way as 'wbinfo -u', it goes direct to AD. If getent doesn't work, it is usually because the libnss-winbind links are not set up, see here:
https://wiki.samba.org/index.php/Libnss_winbind_Links

> My Samba file smb.conf
>
> [root at sambadc ~]# vi /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
> workgroup = RISHI
> realm = RISHI.COM
> netbios name = SAMBADC
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/rishi.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [Rishinox]
> path = /ADD_Drive/Rishinox_Share
> read only = no

Make the share look like the above and then read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

You must use Windows ACLs on a share on a DC.

> At Same time try ACL permission in Domain member server it can be
> apply and show the user Id
>
> [root at backupserver ~]# id RISHI\\administrator
> uid=16777216(administrator) gid=16777220(domain users)
> groups=16777220(domain users),16777221(group policy creator
> owners),16777222(denied rodc password replication
> group),16777223(enterprise admins),16777224(schema
> admins),16777225(domain
> admins),16777217(BUILTIN\users),16777216(BUILTIN\administrators)
>

It looks like you are using sssd, if so, can I suggest you use winbind instead, see here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
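The symptom in step 5 above (getfacl printing raw ids such as 16777216 and 3000000 instead of names) is a sign that NSS on that host cannot map Samba's ids back to names, which is the same failure that makes setfacl reject "u:RISHI\Administrator". The script below is an added diagnostic written for this page, not code from the thread or from the Samba project: it parses getfacl output and lists every entry whose owner, group or named user/group is purely numeric, and it checks that libnss_winbind.so.2 in a library directory resolves to a readable file rather than a dangling link. The sample ACL text is the DC output quoted in this thread, and the library directory passed to the link check is an assumption to be replaced with the real one (e.g. /lib64 on the DC above).

```shell
#!/bin/sh
# Added diagnostic for a Samba host; not part of the mailing-list thread.
#   unresolved_acl_entries : reads getfacl output on stdin, prints the
#                            owner/group headers and ACL entries whose id
#                            is purely numeric (NSS could not resolve it).
#   acl_names_resolved     : exit 0 when stdin contains no such entry.
#   nss_winbind_link_ok    : exit 0 when DIR/libnss_winbind.so.2 is readable
#                            (a dangling symlink fails this test).

unresolved_acl_entries() {
    awk -F: '
        # Header lines: "# owner: NAME" and "# group: NAME"
        /^# (owner|group): / {
            name = $2; sub(/^ */, "", name)
            if (name ~ /^[0-9]+$/) print
            next
        }
        # Entry lines: "[default:]user|group:NAME:perms [#effective:...]"
        /^(default:)?(user|group):[^:]+:/ {
            name = ($1 == "default") ? $3 : $2
            if (name ~ /^[0-9]+$/) print
        }
    '
}

acl_names_resolved() {
    n=$(unresolved_acl_entries | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Usage: nss_winbind_link_ok /lib64   (the directory is an assumption)
nss_winbind_link_ok() {
    [ -r "$1/libnss_winbind.so.2" ]
}

# Constructed sample: the DC getfacl output quoted in the thread (ids unresolved).
SAMPLE_DC_ACL='# file: ADD_Drive/Rishinox_Share/
# owner: 16777216
# group: 16777220
user::rwx
user:root:rwx           #effective:r-x
group::---
group:root:---
group:users:r-x
group:3000000:rwx       #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::r-x
default:group:root:r-x
default:group:users:r-x
default:group:3000000:rwx
default:mask::rwx
default:other::---'

# Constructed sample: the domain-member output, where names do resolve.
SAMPLE_MEMBER_ACL='# file: ADHDD/Rishinox/
# owner: administrator
# group: domain\040users
user::rwx
user:administrator:rwx          #effective:r-x
group::rwx                      #effective:r-x
group:domain\040users:r-x
mask::r-x
other::r-x'

# Live use on a share (path from the thread):
#   getfacl /ADD_Drive/Rishinox_Share | unresolved_acl_entries
#   nss_winbind_link_ok /lib64 || echo "libnss_winbind.so.2 missing or dangling"
```

If the first check prints anything, fixing the NSS side (the libnss_winbind links and the winbind entries in nsswitch.conf from the wiki page Rowland linked) comes before touching ACLs; setfacl will keep rejecting domain names until `id` and `getent` resolve them.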
Rowland Penny
2018-Nov-30 09:06 UTC
[Samba] Fw: AD users are not shown in Domain Controller when applying setfacl command
On Fri, 30 Nov 2018 06:16:42 +0000 (UTC)
barani tharan <aru_barani at yahoo.com> wrote:

> Dear Rowland Penny
> I follow your mentioned step still i am face the same problem
> I have 1 Domain Controller [sambadc] and 1 Domain member for Samba
> Share and backup [backupserver]
>
> 1.when try view the ACL rights is backup server i can able view the
> domain user name [root at backupserver Rishinox]#
> getfacl /ADHDD/Rishinox/ getfacl: Removing leading '/' from absolute
> path names # file: ADHDD/Rishinox/

> [root at backupserver Rishinox]# vi /etc/samba/smb.conf
>
> [global]

> workgroup = RISHI

Let's start with the obvious question: why do you think it is a good idea to use the workgroup 'ADHDD' on the DC and 'RISHI' on the Unix domain member?

All domain members need to use the same workgroup.

> password server = sambadc.rishi.com
> realm = RISHI.COM
> security = ads
> idmap config * : range = 16777216-33554431
> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = yes
> winbind offline logon = true
>

Why are you using that range?
Are you also using sssd on that machine?
I ask the last question because your smb.conf isn't set up correctly for winbind and you used Red Hat tools to set up smb.conf.
Stop trying to use 'Administrator' as a user on Unix domain members; that user is a Windows user and should be mapped to the Unix user 'root'.

Rowland
Rowland Penny
2018-Nov-30 09:27 UTC
[Samba] Fw: AD users are not shown in Domain Controller when applying setfacl command
On Fri, 30 Nov 2018 09:06:34 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 30 Nov 2018 06:16:42 +0000 (UTC)
> barani tharan <aru_barani at yahoo.com> wrote:
>
> > Dear Rowland Penny
> > I follow your mentioned step still i am face the same problem
> > I have 1 Domain Controller [sambadc] and 1 Domain member for Samba
> > Share and backup [backupserver]
> >
> > 1.when try view the ACL rights is backup server i can able view the
> > domain user name [root at backupserver Rishinox]#
> > getfacl /ADHDD/Rishinox/ getfacl: Removing leading '/' from absolute
> > path names # file: ADHDD/Rishinox/
>
> > [root at backupserver Rishinox]# vi /etc/samba/smb.conf
> >
> > [global]
>
> > workgroup = RISHI
>
> Lets start with the obvious question, why do you think it is a good
> idea to use the workgroup 'ADHDD' on the DC and 'RISHI' on the Unix
> domain member ?
>
> All domain members need to use the same workgroup.

And now that I am fully awake, you can ignore the above: you are using the same workgroup.

Oops.

Rowland

> > password server = sambadc.rishi.com
> > realm = RISHI.COM
> > security = ads
> > idmap config * : range = 16777216-33554431
> > template shell = /bin/bash
> > kerberos method = secrets only
> > winbind use default domain = yes
> > winbind offline logon = true
> >
>
> Why are you using that range ?
> Are you also using sssd on that machine ?
> I ask the last question because your smb.conf isn't set up correctly
> for winbind and you used red-hat tools to set up smb.conf
> Stop trying to use 'Administrator' as a user on Unix domain members,
> that user is a Windows user and should be mapped to the Unix user
> 'root'
>
> Rowland
>