Howard Fleming
2019-Dec-14 20:00 UTC
[Samba] Building a replacement Samba4 server to replace a Samba3 system, running into file rights issues.
On 2019-12-08 15:01, Rowland penny via samba wrote:
> On 08/12/2019 18:18, Howard Fleming via samba wrote:
>> I am building a Samba4 setup to replace a Samba3 server I built for a
>> small non-profit school back in 2012.
>>
>> It is running CentOS 6.x, samba version 3.6.23-52.el6_10. Rather
>> than attempt to upgrade this system to Samba4, it makes more sense
>> (to me at least) to build a new server and move the data.
> Good plan, at least you start without any bad ideas from an NT4-style
> domain

Thanks!

>> Currently I have 2 samba servers running as virtual machines under
>> kvm. One is the AD server, the other is a member server that is
>> running the file shares. The kvm server and the samba servers are
>> all running Debian 10, and I am using the default Debian 10 repos for
>> the samba packages.
>>
>> The current problem I am running into is the rights on the shares
>> for the users. When I create a user via aduc, and set the home
>> directory, it gets created as it should, but all users can see all
>> the home directories, including contents. I am also running into
>> rights issues with the shared directories.
>
> How are the users home directories being created, are you using
> pam_mkhomedir?
>
> If so, this could be your problem.

Not that I am aware of, how would I check?

User directories are created by right clicking on the user id in aduc,
properties, and setting the home directory to \\srv\users\<username>

>> I can join Windows 10 and 7 computers into AD without any issues, so
>> I am assuming I set something up wrong, either in AD or when I added
>> the 2nd server for file services.
>
> Just a few notes on your files:
>
> I would remove example.com from the search line in the
> /etc/resolv.conf files
>
> You do not need the template lines in the DC smb.conf, you are not
> allowing anyone to log in.
>
> I would also install the libpam-krb5 package on both machines
>
> On the Member server, you have commented out 'idmap config BREC :
> unix_nss_info = yes' which is correct for your version of Samba, but
> you have 'winbind nss info = rfc2307' which is wrong for your Samba
> version.
> You also have:
>         template shell = /bin/bash
>         template homedir = /brecdata/user/%U
>
> Which means that you are not using the RFC2307 attributes in AD, so
> you don't need 'idmap config BREC : unix_nss_info = yes' anyway
>
> You do not need to set 'browseable = yes' on the shares, it is the default
>
> It might help if you read this:
>
> https://wiki.samba.org/index.php/User_Home_Folders
>
> Rowland

I did read the User_Home_Folders page, but it is not helping me to resolve
the issue.

Made the above changes and I am still having issues with home directories,
but having a different issue now.

When I create a user (user1) using aduc, and once created, right click the
user, select properties, the profile tab, and set Home folder to
\\srv2\users\user1 (in this case), the user's home directory is created.

When I log in as that user and attempt to access the above directory, I am
asked to enter the user id and password. When I do, I get "Access denied".

Checking security on the user1 home directory, I see:

Type   Principal        Access              Inherited from   Applies to
Allow  user1            Full Control        None             This folder, subfolders and files
Allow  Administrators   Full Control        None             This folder, subfolders and files
Allow  Domain Admins    Full Control        \\srv2\users\    This folder, subfolders and files
Allow  Domain Users     Change permissions  \\srv2\users\    This folder, subfolders and files

The user directory is under /brecdata/users/

getfacl brecdata gives:

    # file: brecdata
    # owner: root
    # group: domain\040admins
    user::rwx
    user:root:rwx
    group::rwx
    group:domain\040admins:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:root:rwx
    default:group::r-x
    default:group:domain\040admins:rwx
    default:mask::rwx
    default:other::r-x

/brecdata/users/

    root@srv2:/brecdata# getfacl users
    # file: users
    # owner: root
    # group: domain\040admins
    user::rwx
    user:root:rwx
    group::rwx
    group:domain\040admins:rwx
    group:domain\040users:---
    mask::rwx
    other::---
    default:user::rwx
    default:user:root:rwx
    default:group::---
    default:group:domain\040admins:rwx
    default:group:domain\040users:---
    default:mask::rwx
    default:other::---

/brecdata/users/user1

    root@srv2:/brecdata/users# getfacl user1
    # file: user1
    # owner: root
    # group: root
    user::rwx
    user:root:rwx
    group::---
    group:root:---
    group:BUILTIN\\administrators:rwx
    group:domain\040admins:rwx
    group:domain\040users:---
    mask::rwx
    other::---
    default:user::rwx
    default:user:root:rwx
    default:group::---
    default:group:root:---
    default:group:BUILTIN\\administrators:rwx
    default:group:domain\040admins:rwx
    default:group:domain\040users:---
    default:mask::rwx
    default:other::---

Updated smb.conf on srv2:

    [global]
        bind interfaces only = yes
        interfaces = lo enp1S0
        realm = BREC.BLUERIDGEEDUCATION.ORG
        workgroup = BREC
        security = ADS
        log level = 3
        preferred master = no
        domain master = no
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        idmap config * : backend = tdb
        idmap config * : range = 3000-7000
        idmap config BREC : backend = ad
        idmap config BREC : schema_mode = rfc2307
        idmap config BREC : range = 10000-999999
        winbind refresh tickets = yes
        winbind offline logon = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind expand groups = 4
        username map = /etc/samba/samba_usermapping
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
        hide unreadable = yes

    [users]
        path = /brecdata/users/
        read only = no
        acl_xattr:ignore system acl = yes
        acl_xattr:default acl style = windows

Any suggestions are welcome,

Howard
Rowland penny
2019-Dec-14 20:35 UTC
[Samba] Building a replacement Samba4 server to replace a Samba3 system, running into file rights issues.
On 14/12/2019 20:00, Howard Fleming via samba wrote:
> On 2019-12-08 15:01, Rowland penny via samba wrote:
>> On 08/12/2019 18:18, Howard Fleming via samba wrote:
>>> I am building a Samba4 setup to replace a Samba3 server I built for a
>>> small non-profit school back in 2012.
>>>
>>> It is running CentOS 6.x, samba version 3.6.23-52.el6_10. Rather
>>> than attempt to upgrade this system to Samba4, it makes more sense
>>> (to me at least) to build a new server and move the data.
>> Good plan, at least you start without any bad ideas from an NT4-style
>> domain
>
> Thanks!
>
>>> Currently I have 2 samba servers running as virtual machines under
>>> kvm. One is the AD server, the other is a member server that is
>>> running the file shares. The kvm server and the samba servers are
>>> all running Debian 10, and I am using the default Debian 10 repos
>>> for the samba packages.
>>>
>>> The current problem I am running into is the rights on the shares
>>> for the users. When I create a user via aduc, and set the home
>>> directory, it gets created as it should, but all users can see all
>>> the home directories, including contents. I am also running into
>>> rights issues with the shared directories.
>>
>> How are the users home directories being created, are you using
>> pam_mkhomedir?
>>
>> If so, this could be your problem.
>
> Not that I am aware of, how would I check?
>
> User directories are created by right clicking on the user id in aduc,
> properties, and setting the home directory to \\srv\users\<username>
>
>>> I can join Windows 10 and 7 computers into AD without any issues,
>>> so I am assuming I set something up wrong, either in AD or when I
>>> added the 2nd server for file services.
>>
>> Just a few notes on your files:
>>
>> I would remove example.com from the search line in the
>> /etc/resolv.conf files
>>
>> You do not need the template lines in the DC smb.conf, you are not
>> allowing anyone to log in.
>>
>> I would also install the libpam-krb5 package on both machines
>>
>> On the Member server, you have commented out 'idmap config BREC :
>> unix_nss_info = yes' which is correct for your version of Samba, but
>> you have 'winbind nss info = rfc2307' which is wrong for your Samba
>> version.
>> You also have:
>>         template shell = /bin/bash
>>         template homedir = /brecdata/user/%U
>>
>> Which means that you are not using the RFC2307 attributes in AD, so
>> you don't need 'idmap config BREC : unix_nss_info = yes' anyway
>>
>> You do not need to set 'browseable = yes' on the shares, it is the
>> default
>>
>> It might help if you read this:
>>
>> https://wiki.samba.org/index.php/User_Home_Folders
>>
>> Rowland
>
> I did read the User_Home_Folders page, but it is not helping me to resolve
> the issue.
>
> Made the above changes and I am still having issues with home
> directories, but having a different issue now.
>
> When I create a user (user1) using aduc, and once created, right click
> the user, select properties, the profile tab, and set Home folder to
> \\srv2\users\user1 (in this case), the user's home directory is created.

Ah, but is it? Connecting via SMB to a users share on a Samba machine will
not create it. If you try to log into a Unix domain member where the users
home directory does not already exist, then, unless you have pam_mkhomedir
set up, you will not be able to log in. The same goes for attempting to
connect to the users share via Samba, you will not be able to connect to a
share that doesn't already exist, unless you use a 'root preexec' script.

> When I log in as that user and attempt to access the above directory, I
> am asked to enter the user id and password. When I do, I get "Access
> denied".

You would get that error if the users home directory share doesn't exist.

> Checking security on the user1 home directory, I see:
>
> Type   Principal        Access              Inherited from   Applies to
> Allow  user1            Full Control        None             This folder, subfolders and files
> Allow  Administrators   Full Control        None             This folder, subfolders and files
> Allow  Domain Admins    Full Control        \\srv2\users\    This folder, subfolders and files
> Allow  Domain Users     Change permissions  \\srv2\users\    This folder, subfolders and files
>
> The user directory is under /brecdata/users/

Yes, but the users directory would be /brecdata/users/username

Rowland
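As an added example, not part of this thread and not Samba's own tooling: a minimal 'root preexec' helper of the kind Rowland refers to, which creates the per-user directory under the share path before Samba connects the share, so that the directory exists by the time the client opens it. The script name and location (/usr/local/sbin/mkhome.sh), the 0700 mode and the name filter are assumptions; the filter relies on 'winbind use default domain = yes' (as in Howard's smb.conf) so that %U expands to a bare name such as user1 rather than BREC\user1.

```shell
#!/bin/sh
# Added example (not from the thread): a "root preexec" helper that creates a
# user's home directory under the share path before the share is connected.
# Assumed smb.conf wiring on the member server:
#   [users]
#       path = /brecdata/users
#       root preexec = /usr/local/sbin/mkhome.sh /brecdata/users %U
# "root preexec" runs as root on every connection, so the helper must be
# idempotent and must never let the substituted username steer the path.

mkhome() {
    base="$1"
    user="$2"

    # Refuse anything that is not a plain account name: no empty names,
    # no path separators, no "..", no leading dash, no unexpected characters.
    # (Assumes "winbind use default domain = yes", so %U carries no DOMAIN\ prefix.)
    case "$user" in
        ''|*/*|*..*|-*|*[!A-Za-z0-9._-]*) return 2 ;;
    esac

    dir="$base/$user"
    if [ -d "$dir" ]; then
        return 0            # already present: nothing to do
    fi

    # Create with owner-only permissions; -m applies regardless of umask.
    mkdir -p -m 0700 "$dir" || return 1

    # Hand the directory to the user when running as root and the account
    # resolves on this host (via winbind in nsswitch). Otherwise leave it
    # root-owned rather than failing the share connection.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown "$user" "$dir" || return 1
    fi
    return 0
}

# Invoked by Samba as: mkhome.sh <base> <user>
if [ "$#" -eq 2 ]; then
    mkhome "$1" "$2"
fi
```

The directory is created before the chown, with mode 0700, so there is no window in which another domain user can read it; and because the helper refuses names containing '/' or '..', a username that somehow reached %U with path components cannot make a root process create or chown directories outside /brecdata/users.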