Hi,

>> To "Domain User" group no, I haven't.
> I would give 'Domain Users' a gidNumber.

Now I assign a gidNumber.

I'm following this article:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

But in "Setting Share Permissions and ACLs", the access is denied, as the log messages:

[2020/02/04 15:13:38.266457, 3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 192.168.0.11 (192.168.0.11)
[2020/02/04 15:13:38.266685, 3] ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
  string_to_sid: SID +EMPRESA\Domain Users is not in a valid format
[2020/02/04 15:13:38.268610, 1] ../../source3/smbd/service.c:359(create_connection_session_info)
  create_connection_session_info: user 'marcio' (from session setup) not permitted to access this share (Arquivos)
[2020/02/04 15:13:38.268822, 1] ../../source3/smbd/service.c:531(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2020/02/04 15:13:38.269014, 3] ../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_tcon.c:142
[2020/02/04 15:13:49.379329, 3] ../../source3/smbd/service.c:1131(close_cnum)
  192.168.0.11 (ipv4:192.168.0.11:61504) closed connection to service IPC$
[2020/02/04 15:13:49.380788, 3] ../../source3/smbd/server_exit.c:244(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

There is some problem with the domain user account format.

Here is my smb.conf:

cat /usr/local/samba/etc/smb.conf
[global]
    netbios name = FILESERVER
    workgroup = EMPRESA
    security = ADS
    realm = EMPRESA.COM.BR
    encrypt passwords = yes
    username map = /usr/local/samba/etc/user.map
    log file = /var/log/samba/%m.log
    #log level = 1
    log level = 3 passdb:5 auth:5
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EMPRESA:backend = ad
    idmap config EMPRESA:schema_mode = rfc2307
    idmap config EMPRESA:range = 10000-999999
    idmap config EMPRESA:unix_nss_info = yes
    idmap config EMPRESA:unix_primary_group = yes
    #winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind separator = +
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    template shell = /bin/bash
    template homedir = /home/%U
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[Arquivos]
    comment = Compartilhamentos do Dominio
    path = /home/Arquivos
    valid users = +EMPRESA\"Domain Users"
    admin users = +EMPRESA\"Domain Admins"
    #valid users = @"EMPRESA\Domain Users"
    #admin users = @"EMPRESA\Domain Admins"
    guest ok = no
    writable = yes
    read only = no
    browsable = yes
    create mask = 0777
    directory mask = 0777

I have already tried to change "valid users" parameter in several ways.
Would anyone have any ideas to solve this problem?

Regards,
Márcio Bacci

On Mon, 3 Feb 2020 at 18:18, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 03/02/2020 19:06, Marcio Demetrio Bacci wrote:
> > Hi Rowland
> >
> > >And does 'getent group Domain\ Admins' produce output ?
> > No output.
>
> Then your fileserver does not know who 'Domain Admins' is, which
> actually is a good thing, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
>
> > >Have you given 'Domain Users' a gidNumber attribute containing a
> > number inside '10000-999999'
> > To "Domain User" group no, I haven't.
> I would give 'Domain Users' a gidNumber.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 04/02/2020 17:36, Marcio Demetrio Bacci wrote:
> I have already tried to change "valid users" parameter in several ways.
> Would anyone have any ideas to solve this problem?

How about totally removing 'valid users' ?

I have altered that wiki page, hopefully now it says this in an orange warning box:

Do not set ANY additional share parameters, such as force user or valid users. Adding them to the share definition can prevent you from configuring or using the share.

It might be more understandable.

Just make the share look like this:

[Arquivos]
    comment = Compartilhamentos do Dominio
    path = /home/Arquivos
    read only = no

Ensure that you have created a group (Unix Admins for example), given it a gidNumber and added the group to Domain Admins.

Then follow the wiki page again ;-)

Rowland

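
A small check for the advice in the reply above, as an added example that is not part of the original message or of Samba: it parses an smb.conf and lists every share parameter beyond the three in the suggested share. The allow-list and the function names are assumptions made for this example, and the sample is constructed from the configuration posted in the thread.

```python
# Added example, not from the thread or the Samba project.
# ALLOWED is an assumption: the three parameters in the share from the reply.
ALLOWED = {"comment", "path", "read only"}

# Constructed sample: the [Arquivos] share as first posted in the thread.
SAMPLE = r'''
[global]
    workgroup = EMPRESA

[Arquivos]
    comment = Compartilhamentos do Dominio
    path = /home/Arquivos
    valid users = +EMPRESA\"Domain Users"
    admin users = +EMPRESA\"Domain Admins"
    #valid users = @"EMPRESA\Domain Users"
    guest ok = no
    writable = yes
    read only = no
    browsable = yes
    create mask = 0777
    directory mask = 0777
'''

def parse_sections(text):
    """Return {section: {parameter: value}}; names lowercased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def extra_share_parameters(text, allowed=ALLOWED):
    """Map each share (every section except [global]) to its extra parameters."""
    findings = {}
    for name, params in parse_sections(text).items():
        extras = sorted(set(params) - allowed)
        if name.lower() != "global" and extras:
            findings[name] = extras
    return findings

if __name__ == "__main__":
    for share, extras in extra_share_parameters(SAMPLE).items():
        print(f"[{share}] extra parameters: {', '.join(extras)}")
```
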
Hi,

> Do not set ANY additional share parameters, such as force user or
> valid users. Adding them to the share definition can prevent you from
> configuring or using the share.

OK, sorry. Now it is working properly.

I'm copying the Windows files to Samba4 and I'm not able to copy the NTFS security information. In the logs it states that the destination is not an NTFS system.

How could I solve this problem?

Regards,
Márcio Bacci

On Tue, 4 Feb 2020 at 16:30, Rowland penny via samba <samba at lists.samba.org> wrote:
> How about totally removing 'valid users' ?
>
> I have altered that wiki page, hopefully now it says this in an orange
> warning box:
>
> Do not set ANY additional share parameters, such as force user or
> valid users. Adding them to the share definition can prevent you from
> configuring or using the share.
>
> It might be more understandable.
>
> Just make the share look like this:
>
> [Arquivos]
>     comment = Compartilhamentos do Dominio
>     path = /home/Arquivos
>     read only = no
>
> Ensure that you have created a group (Unix Admins for example), given it
> a gidNumber and added the group to Domain Admins.
>
> Then follow the wiki page again ;-)
>
> Rowland