> > On the file server:
> > Collected config --- 2019-07-03-10:27 -----------
> >
> > Hostname: srv
> > DNS Domain: a.b.hu
> > FQDN: srv.a.b.hu
> > ipaddress: 10.0.3.15 192.168.0.8
> > -----------
> > Samba is running as a Unix domain member
> > -----------
> >
> > This computer is running Debian 10.0 x86_64
> > -----------
> > running command : ip a
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> > group default qlen 1000
> > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > inet 127.0.0.1/8 scope host lo
> > inet6 ::1/128 scope host
> > 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP group default qlen 1000
> > link/ether 08:00:27:c9:09:60 brd ff:ff:ff:ff:ff:ff
> > inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8
> > valid_lft 83319sec preferred_lft 83319sec
> > inet6 fe80::a00:27ff:fec9:960/64 scope link
> > 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP group default qlen 1000
> > link/ether 08:00:27:60:df:a1 brd ff:ff:ff:ff:ff:ff
> > inet 192.168.0.8/24 brd 192.168.0.255 scope global enp0s3
> > inet6 fe80::a00:27ff:fe60:dfa1/64 scope link
> > -----------
> > Checking file: /etc/hosts
> > 127.0.0.1 localhost
> > 192.168.0.8 srv.a.b.hu srv
> > # The following lines are desirable for IPv6 capable hosts
> > ::1 localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> > -----------
> > Checking file: /etc/resolv.conf
> > search a.b.hu tm.b.hu
> > nameserver 192.168.0.4
> > -----------
> >
> > Checking file: /etc/samba/smb.conf
> > [global]
> > bind interfaces only = Yes
> > dos charset = CP852
> > interfaces = lo enp0s3
> > log file = /var/log/samba/%m.log
> > log level = 1
> > name resolve order = lmhosts host bcast
> > realm = A.B.HU
> > security = ADS
> > template homedir = /home/users/%U
> > template shell = /bin/bash
> > unix charset = UTF8
> > username map = /etc/samba/user.map
> > workgroup = A
> > idmap config a : range = 10000-999999
> > idmap config a : backend = rid
> > idmap config * : range = 3000-7999
> > idmap config * : backend = tdb
> > admin users = admin
> > create mask = 0770
> > csc policy = disable
> > directory mask = 0770
> > map acl inherit = Yes
> > store dos attributes = Yes
> > vfs objects = acl_xattr
> >
> > [users]
> > path = /home/users
> > read only = No
> > ...
> >
> > [wpkg]
> > path = /home/samba/wpkg
> > valid users = "@Domain Users"
> I wouldn't recommend using 'valid users', but then I suppose this is
> what you are trying to fix

Ok, but this is a special share, I have a problem with more important shares like users.

> > -----------
> > Running as Unix domain member and user.map detected.
> > Contents of /etc/samba/user.map
> > !root = A\Administrator
> > !root = A\admin
> Remove the second line, I would recommend only mapping 'Administrator'
> to 'root'

Later I would like to log in to Windows clients with the admin user, so this is why I included that too.

> > On dc1:
> > Collected config --- 2019-07-03-10:46 -----------
> >
> > Hostname: dc1
> > DNS Domain: a.b.hu
> > FQDN: dc1.a.b.hu
> > ipaddress: 10.0.3.15 192.168.0.4
> > -----------
> > Samba is running as an AD DC
> > -----------
> >
> > This computer is running Debian 10.0 x86_64
> > -----------
> > running command : ip a
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> > group default qlen 1000
> > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > inet 127.0.0.1/8 scope host lo
> > inet6 ::1/128 scope host
> > 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP group default qlen 1000
> > link/ether 08:00:27:b1:35:eb brd ff:ff:ff:ff:ff:ff
> > inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8
> > valid_lft 76592sec preferred_lft 76592sec
> > inet6 fe80::a00:27ff:feb1:35eb/64 scope link
> > 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP group default qlen 1000
> > link/ether 08:00:27:bf:f9:75 brd ff:ff:ff:ff:ff:ff
> > inet 192.168.0.4/24 brd 192.168.0.255 scope global enp0s3
> > inet6 fe80::a00:27ff:febf:f975/64 scope link
> > -----------
> > Checking file: /etc/hosts
> > 127.0.0.1 localhost
> > 127.0.1.1 dc1.a.b.hu dc1
> Remove the '127.0.1.1' line and whatever requires it.

Ok, I removed it. The Debian installer creates that line.

> > 192.168.0.4 dc1.a.b.hu dc1
> > # The following lines are desirable for IPv6 capable hosts
> > ::1 localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> > -----------
> > Checking file: /etc/resolv.conf
> > #domain b.hu
> > search a.b.hu tm.b.hu
> Remove the 'tm.b.hu'

We have two sites, connected with VPN, so we have two subnets. As far as I know, I need this to reach hosts in tm.b.hu without the tm.b.hu postfix. I temporarily removed it to test the result, but it didn't help.

> > #nameserver 10.0.3.3
> > #nameserver 208.67.220.220
> > #nameserver 208.67.222.222
> > nameserver 192.168.0.4
> > -----------
> >
> > Checking file: /etc/samba/smb.conf
> > [global]
> > bind interfaces only = Yes
> > dns forwarder = 208.67.220.220
> > interfaces = lo enp0s3
> The above lines are okay
> > logon home = \\srv\users\%U
> > logon path = ""
> > name resolve order = lmhosts host bcast
> The above are not.

Ok, what do you recommend? I changed it after Rowland recommended not to use WINS.

> > netbios name = DC1
> > realm = A.B.HU
> > server role = active directory domain controller
> > time server = Yes
> All DC's are time servers, just as long as they are running an NTP server,
> it doesn't need setting in a DC smb.conf

Ok.

> > username map = /etc/samba/user.map
> No, you do not use a user.map on a DC, Administrator is mapped in idmap.ldb

Ok.

> > workgroup = A
> > idmap_ldb:use rfc2307 = yes
> > kernel oplocks = Yes
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/a.b.hu/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> > -----------
> > You have a user.map set in your smb.conf
> > This is not allowed because Samba is running as a DC
> > -----------
> > BIND_DLZ not detected in smb.conf
> >
> > Your script says that user.map is not allowed on a dc, but I don't
> > read it in the smb.conf manual.
> Good point, but you do not use one on a Samba AD DC, for the reason given
> above ;-)
> Now after all changes Rowland suggested.
> > Run this : getfacl /home/users

getfacl: Removing leading '/' from absolute path names
# file: home/users
# owner: root
# group: A\\domain\040admins
user::rwx
user:root:rwx
user:10512:rwx
group::rwx
group:A\\domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:A\\domain\040admins:rwx
default:mask::rwx
default:other::---

> There are 5 things you need to think about.
> 1) The folder rights

I haven't used ACLs yet, I just followed the Samba docs, and they say I should set folder rights from Windows, but I cannot.

> 2) The share rights

I've set it according to the Samba doc.

> 3) Posix or windows ACL's? ( use Windows ACL's my advice. )

Yes, that's what I wanted too.

> 4) Don't forget the "Primary Group".

Primary Group=default:group?

> 5) If you use chmod, you must re-apply the windows ACL again on share/security (file/folder) level.

So, chmod resets the permissions. Thanks, good to know it.
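The configuration review above rests on a few rules that can be checked mechanically: no 'username map' on an AD DC, a domain member having idmap settings for its own workgroup, and idmap ranges that do not overlap. The following is an added Python example, not code from the thread or from Samba, that applies those checks to cut-down copies of the two smb.conf files posted above; its parser handles only the subset of smb.conf syntax shown here.

```python
import re
from itertools import combinations

# Constructed samples cut down from the two smb.conf files posted in the thread
# (member server 'srv' and domain controller 'dc1'); not Samba's own code.
SRV_CONF = """[global]
security = ADS
workgroup = A
username map = /etc/samba/user.map
idmap config a : range = 10000-999999
idmap config a : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
"""
DC1_CONF = """[global]
workgroup = A
server role = active directory domain controller
username map = /etc/samba/user.map
"""

def parse_smb_conf(text):
    # {section: {key: value}}; keys lower-cased and whitespace-squeezed, so
    # 'idmap config A : range' and 'idmap config a:range' are the same key.
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[":
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
        conf.setdefault(section, {})[key] = value.strip()
    return conf

def lint(conf):
    # Checks taken from the thread: no user.map on a DC (Administrator is mapped in
    # idmap.ldb), a member needs idmap settings for its own workgroup, no overlapping ranges.
    g, problems = conf.get("global", {}), []
    is_dc, wg = "domain controller" in g.get("server role", "").lower(), g.get("workgroup", "").lower()
    if is_dc and "username map" in g:
        problems.append("username map is not used on an AD DC")
    elif not is_dc and wg and f"idmap config {wg}:backend" not in g:
        problems.append(f"member has no idmap config for workgroup '{wg}'")
    ranges = {k[13:-6]: tuple(int(x) for x in v.split("-")) for k, v in g.items()
              if k.startswith("idmap config ") and k.endswith(":range")}
    for a, b in combinations(sorted(ranges), 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            problems.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return problems
```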
On 03/07/2019 14:45, Pisch Tamás via samba wrote:
>> Run this : getfacl /home/users
> getfacl: Removing leading '/' from absolute path names
> # file: home/users
> # owner: root
> # group: A\\domain\040admins
> user::rwx
> user:root:rwx
> user:10512:rwx
> group::rwx
> group:A\\domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::rwx
> default:group:A\\domain\040admins:rwx
> default:mask::rwx
> default:other::---

Hmm, have you done something like running 'setfacl' on the directory ?

I ask this because, if you created the directory with:

mkdir /home/users

changed the ownership with:

chown root:'A\Domain Admins' /home/users

Changed the permissions with:

chmod 0770 /home/users

I would have expected 'getfacl' to return

getfacl: Removing leading '/' from absolute path names
# file: home/users
# owner: root
# group: A\134domain\040admins
user::rwx
group::rwx
other::---

Yours appears to have extra lines that would normally only be there if ACL's had been set from Windows or with 'setfacl'.

There is also this:

A\\domain\040admins

If you look at what I would expect, the second '\' is replaced by '134', this is the ascii code for '\' (040 is the code for a space), so why is yours different from every other getfacl output I have ever seen ?

Rowland
> >> Run this : getfacl /home/users
> > getfacl: Removing leading '/' from absolute path names
> > # file: home/users
> > # owner: root
> > # group: A\\domain\040admins
> > user::rwx
> > user:root:rwx
> > user:10512:rwx
> > group::rwx
> > group:A\\domain\040admins:rwx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:group::rwx
> > default:group:A\\domain\040admins:rwx
> > default:mask::rwx
> > default:other::---
>
> Hmm, have you done something like running 'setfacl' on the directory ?

No.

> I ask this because, if you created the directory with:
> mkdir /home/users
> changed the ownership with:
> chown root:'A\Domain Admins' /home/users
> Changed the permissions with:
> chmod 0770 /home/users
> I would have expected 'getfacl' to return
> getfacl: Removing leading '/' from absolute path names
> # file: home/users
> # owner: root
> # group: A\134domain\040admins
> user::rwx
> group::rwx
> other::---
> Yours appears to have extra lines that would normally only be there if
> ACL's had been set from Windows or with 'setfacl'.
> There is also this:
> A\\domain\040admins
> If you look at what I would expect, the second '\' is replaced by '134',
> this is the ascii code for '\' (040 is the code for a space), so why is
> yours different from every other getfacl output I have ever seen ?

I did the following today:

setfacl -b users
chmod 0770 users
chown "root:A\domain users" users
getfacl users
# file: users
# owner: root
# group: A\\domain\040users
user::rwx
group::rwx
other::---

So, the use of \\ is "automatic", I don't know another way to set it. But, after the reset, I still cannot change the directory permissions from Windows.
On 04/07/2019 08:45, Pisch Tamás via samba wrote:
>>>> Run this : getfacl /home/users
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: home/users
>>> # owner: root
>>> # group: A\\domain\040admins
>>> user::rwx
>>> user:root:rwx
>>> user:10512:rwx
>>> group::rwx
>>> group:A\\domain\040admins:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:group::rwx
>>> default:group:A\\domain\040admins:rwx
>>> default:mask::rwx
>>> default:other::---
>> Hmm, have you done something like running 'setfacl' on the directory ?
> No.
>
>> I ask this because, if you created the directory with:
>> mkdir /home/users
>> changed the ownership with:
>> chown root:'A\Domain Admins' /home/users
>> Changed the permissions with:
>> chmod 0770 /home/users
>> I would have expected 'getfacl' to return
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/users
>> # owner: root
>> # group: A\134domain\040admins
>> user::rwx
>> group::rwx
>> other::---
>> Yours appears to have extra lines that would normally only be there if
>> ACL's had been set from Windows or with 'setfacl'.
>> There is also this:
>> A\\domain\040admins
>> If you look at what I would expect, the second '\' is replaced by '134',
>> this is the ascii code for '\' (040 is the code for a space), so why is
>> yours different from every other getfacl output I have ever seen ?
> I did the following today:
> setfacl -b users
> chmod 0770 users
> chown "root:A\domain users" users
> getfacl users
> # file: users
> # owner: root
> # group: A\\domain\040users
> user::rwx
> group::rwx
> other::---
> So, the use of \\ is "automatic", I don't know another way to set it.
> But, after the reset, I still cannot change the directory permissions
> from Windows.
>

It looks like you may have found a bug in the 'acl' package ;-)

Debian 9 (Stretch) uses acl 2.2.52-3+b1
Debian 10 (Buster) uses acl 2.2.53-4

I am still on Stretch and if I run a couple of tests, creating a couple of directories and changing ownership as you have done, I always get the same result, which is different from you.

mkdir testA
chmod 0770 testA
chown root:"A\domain users" testA
getfacl testA
# file: testA
# owner: root
# group: A\134domain\040users
user::rwx
group::rwx
other::---

mkdir testB
chmod 0770 testB
chown "root:A\domain users" testB
getfacl testB
# file: testB
# owner: root
# group: A\134domain\040users
user::rwx
group::rwx
other::---

I am now wondering if because getfacl is returning this for you:

group: A\\domain\040users

When I get:

group: A\134domain\040users

is the problem ?

Rowland
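To make Rowland's point concrete, here is an added Python example, not code from the thread or from the acl package, that decodes getfacl's name escaping in both spellings seen above ('\134' and '\\'), and classifies a listing as minimal or extended, so the two listings can be compared on the decoded group name rather than on how it happened to be printed.

```python
import re

# Constructed samples (not output from the thread's machines): POSTED mirrors the
# poster's /home/users listing (defaults abridged, backslash shown as '\\'), and
# EXPECTED is what Rowland said plain mkdir/chown/chmod gives (backslash as '\134').
POSTED = r"""# file: home/users
# owner: root
# group: A\\domain\040admins
user::rwx
user:root:rwx
user:10512:rwx
group::rwx
group:A\\domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:other::---
"""
EXPECTED = r"""# file: home/users
# owner: root
# group: A\134domain\040admins
user::rwx
group::rwx
other::---
"""

def unescape(name):
    # getfacl escapes a byte as \NNN (octal) or doubles a backslash as \\; both decode alike.
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    # Returns owner, group and the access/default entries as (tag, qualifier, perms).
    info = {"owner": "", "group": "", "access": [], "default": []}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("getfacl:"):
            continue
        if line.startswith("# owner:") or line.startswith("# group:"):
            info[line[2:7]] = unescape(line.split(":", 1)[1].strip())
        elif not line.startswith("#"):
            scope = "default" if line.startswith("default:") else "access"
            tag, qual, perms = (line[8:] if scope == "default" else line).split(":", 2)
            info[scope].append((tag, unescape(qual), perms.split("#")[0].strip()))
    return info

def is_extended(info):
    # Minimal ACL: exactly user::, group::, other:: and no defaults; anything else came from setfacl/Windows.
    base = {("user", ""), ("group", ""), ("other", "")}
    return {(t, q) for t, q, _ in info["access"]} != base or bool(info["default"])
```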
> >>>> Run this : getfacl /home/users
> >>> getfacl: Removing leading '/' from absolute path names
> >>> # file: home/users
> >>> # owner: root
> >>> # group: A\\domain\040admins
> >>> user::rwx
> >>> user:root:rwx
> >>> user:10512:rwx
> >>> group::rwx
> >>> group:A\\domain\040admins:rwx
> >>> mask::rwx
> >>> other::---
> >>> default:user::rwx
> >>> default:user:root:rwx
> >>> default:group::rwx
> >>> default:group:A\\domain\040admins:rwx
> >>> default:mask::rwx
> >>> default:other::---
> >> Hmm, have you done something like running 'setfacl' on the directory ?
> > No.
> >
> >> I ask this because, if you created the directory with:
> >> mkdir /home/users
> >> changed the ownership with:
> >> chown root:'A\Domain Admins' /home/users
> >> Changed the permissions with:
> >> chmod 0770 /home/users
> >> I would have expected 'getfacl' to return
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: home/users
> >> # owner: root
> >> # group: A\134domain\040admins
> >> user::rwx
> >> group::rwx
> >> other::---
> >> Yours appears to have extra lines that would normally only be there if
> >> ACL's had been set from Windows or with 'setfacl'.
> >> There is also this:
> >> A\\domain\040admins
> >> If you look at what I would expect, the second '\' is replaced by '134',
> >> this is the ascii code for '\' (040 is the code for a space), so why is
> >> yours different from every other getfacl output I have ever seen ?
> > I did the following today:
> > setfacl -b users
> > chmod 0770 users
> > chown "root:A\domain users" users
> > getfacl users
> > # file: users
> > # owner: root
> > # group: A\\domain\040users
> > user::rwx
> > group::rwx
> > other::---
> > So, the use of \\ is "automatic", I don't know another way to set it.
> > But, after the reset, I still cannot change the directory permissions
> > from Windows.
> >
> It looks like you may have found a bug in the 'acl' package ;-)
> Debian 9 (Stretch) uses acl 2.2.52-3+b1
> Debian 10 (Buster) uses acl 2.2.53-4
> I am still on Stretch and if I run a couple of tests, creating a couple
> of directories and changing ownership as you have done, I always get the
> same result, which is different from you.
> mkdir testA
> chmod 0770 testA
> chown root:"A\domain users" testA
> getfacl testA
> # file: testA
> # owner: root
> # group: A\134domain\040users
> user::rwx
> group::rwx
> other::---
> mkdir testB
> chmod 0770 testB
> chown "root:A\domain users" testB
> getfacl testB
> # file: testB
> # owner: root
> # group: A\134domain\040users
> user::rwx
> group::rwx
> other::---
> I am now wondering if because getfacl is returning this for you:
> group: A\\domain\040users
> When I get:
> group: A\134domain\040users
> is the problem ?

ls -l
...
drwxrwx--- 2 root A\domain users 4096 jún 26 15:52 users

What do you see with ls? Maybe it is good on the filesystem, and just the acl package shows it incorrectly? Does Samba use acl too, and is this why I cannot see/set the permissions from Windows?