Rowland Penny
2019-Jan-21 10:11 UTC
[Samba] I have issue in configuring file servers with AD integration.
On Mon, 21 Jan 2019 15:21:03 +0530 venkat ramu <ramut123 at gmail.com> wrote:

> Hi Rowland,
>
> I have created folder /srv/samba/test and
> subfolder /srv/samba/test/inherit1 (Inherit1 is inside test folder).
> Below is the config. When I try to access inherit1 from Windows
> getting you do not have permission to access
> \\xxx.xxx.xxx.xxx\inherit1. Could you please help me on this.
>
> [test]
> comment = Ubuntu File Server Share
> path = /srv/samba/test
> #valid users = test_groups
> #browsable = yes
> read only = no
> create mask = 0640
> writable = yes
> inherit permissions = no
> valid users = +"SBX\Test-Group"
>
> [inherit1]
> writeable = yes
> comment = inherit1
> valid users = +"SBX\Inherit-Group", at +"SBX\Inherit-Group"
> path = /srv/samba/test/inherit1
> inherit permissions = no
>

Can you please post your entire smb.conf (without any comment lines)

Rowland
venkat ramu
2019-Jan-21 10:23 UTC
[Samba] I have issue in configuring file servers with AD integration.
Here is the smb.conf.
[global]
workgroup = SBX
security = ADS
realm = SBX.LAN
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Data %h
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config TESTAD : backend = rid
idmap config TESTAD : range = 10000-999999
template shell = /bin/bash
template homedir = /home/TESTAD/%U
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[share]
comment = Ubuntu File Server Share
path = /srv/samba/share
browsable = yes
guest ok = yes
read only = no
valid users = +"SBX\Test-Group"
create mask = 0640
[test]
comment = Ubuntu File Server Share
path = /srv/samba/test
#valid users = test_groups
#browsable = yes
read only = no
create mask = 0640
writable = yes
inherit permissions = no
valid users = +"SBX\Test-Group"
[test myfolder]
comment = Ubuntu File Server Share, permission inheritance
path = /srv/samba/test/myfolder
#browsable = yes
read only = no
create mask = 0640
writable = yes
valid users = +"SBX\test_groups"
[Folder Name Webmin]
path = /srv/samba/new-test
writeable = yes
comment = Folder Name Webmin
valid users = +"SBX\Test-Group"
[new-training]
path = /srv/samba\new-training
valid users = +"SBX\Test-Group", at +"SBX\Test-Group"
writeable = yes
comment = new-training
[New Share]
path = /srv/samba/NewShare
comment = New Share
writeable = yes
valid users = +"SBX\Test-Group", at +"SBX\Test-Group"
[galaxy-test]
valid users = +"SBX\Test-Group", at +"SBX\Test-Group"
comment = galaxy-test
path = /srv/samba/galaxy-test
writeable = yes
[inherit]
path = /srv/samba/test/inherit
valid users = +"SBX\Inherit-Group", at +"SBX\Inherit-Group"
invalid users = +"SBX\Test-Group"
writeable = yes
[inherit1]
writeable = yes
comment = inherit1
valid users = +"SBX\Inherit-Group", at +"SBX\Inherit-Group"
path = /srv/samba/test/inherit1
inherit permissions = no
Thanks,
Venkat
Rowland Penny
2019-Jan-21 10:48 UTC
[Samba] I have issue in configuring file servers with AD integration.
On Mon, 21 Jan 2019 15:53:47 +0530 venkat ramu <ramut123 at gmail.com> wrote:

>
> [inherit]
> path = /srv/samba/test/inherit
> valid users = +"SBX\Inherit-Group", at +"SBX\Inherit-Group"
> invalid users = +"SBX\Test-Group"
> writeable = yes
>
> [inherit1]
> writeable = yes
> comment = inherit1
> valid users = +"SBX\Inherit-Group", at +"SBX\Inherit-Group"
> path = /srv/samba/test/inherit1
> inherit permissions = no

Your computer appears to be a Unix domain member and if you read the 'invalid users' part of 'man smb.conf' you will find that '+' means look in the Unix group database (/etc/group) and '@' means look in the NIS database. As your computer is a Unix domain member, neither of these will be used and 'Inherit-Group' should exist in AD.

There is another possible problem (it could be a typo), you posted this:

workgroup = SBX

and also this:

idmap config TESTAD : backend = rid
idmap config TESTAD : range = 10000-999999

'TESTAD' should be 'SBX'

Can I also suggest you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

That is a much better way of doing what you require.

Rowland
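
The two points raised in the reply above can be checked mechanically before a share is put into service. The script below is an added example, not part of the original thread and not a Samba tool; the function names and the trimmed sample configuration are constructed for illustration from the settings posted above.

```python
import re
# Constructed sample: a few of the settings posted in the thread, trimmed.
SAMPLE = r'''
[global]
workgroup = SBX
security = ADS
idmap config *:backend = tdb
idmap config TESTAD : backend = rid
idmap config TESTAD : range = 10000-999999
[inherit1]
valid users = +"SBX\Inherit-Group"
'''

def parse(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def check(text):
    """Flag the two problems named in the reply as (section, message) pairs."""
    conf = parse(text)
    glob = conf.get("global", {})
    workgroup = glob.get("workgroup", "").upper()
    findings = []
    # 1. Every idmap domain other than the default '*' should be the workgroup.
    domains = {m.group(1).upper() for k in glob
               if (m := re.fullmatch(r"idmap config (\S+?) ?: ?\w+", k))}
    for dom in sorted(domains - {"*", workgroup}):
        findings.append(("global", f"idmap config domain {dom} does not match workgroup {workgroup}"))
    # 2. '+' / '@' prefixes in user lists on a 'security = ADS' member (see reply).
    if glob.get("security", "").lower() == "ads":
        for name, params in conf.items():
            for key in ("valid users", "invalid users"):
                for entry in params.get(key, "").split(","):
                    if entry.strip()[:1] in ("+", "@"):
                        findings.append((name, f"{key}: prefixed entry {entry.strip()}"))
    return findings

if __name__ == "__main__":
    print(*check(SAMPLE), sep="\n")
```
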