I've set up a single server with a DC and fileserver. I've read through
all docs and the warnings on the wiki (VERY well done, many thanks to all the
contributors) more than once so I hope I haven't missed anything.
smb.conf:
# Global parameters
[global]
netbios name = FILESERVER
realm = WDC.DOMAIN.IT
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = WDC
netbios aliases = server
idmap_ldb:use rfc2307 = yes
# https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
# template shell = /bin/bash
template homedir = /home/%U
#log level = 5
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[netlogon]
path = /usr/local/samba/var/locks/sysvol/wdc.domain.it/scripts
read only = No
[SHARE1]
path = /home/CONDIVISI/SHARE1
include = /usr/local/samba/etc/cestino.conf
read only = No
As I wish to use recycle, cestino.conf contains:
vfs objects = dfs_samba4 acl_xattr recycle
recycle:repository = .cestino/%U
recycle:keeptree = yes
recycle:touch = yes
recycle:versions = yes
recycle:exclude = *.tmp *.bak ~$*
recycle:exclude_dir = /tmp /temp /cache
recycle:noversions = *.doc *.xls *.ppt
recycle:directory_mode = 770
recycle:touch_mtime = yes
Then I ran (the directory was not empty)
chown -R root:"Domain Admins" /home/CONDIVISI/SHARE1
chmod -R 0770 /home/CONDIVISI/SHARE1
and via Windows "Manage computer > Shares" I added users and groups on
the "Security" tab, giving all the necessary groups "Full
control". Unfortunately, despite this, only users in the "Domain
Admins" group can access the shares.
getfacl SHARE1 returns
# file: SHARE1/
# owner: root
# group: WDC\134domain\040admins
user::rwx
user:root:rwx
user:WDC\134domain\040admins:rwx
user:WDC\134tutti:rwx
group::rwx
group:WDC\134domain\040admins:rwx
group:WDC\134tutti:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:WDC\134domain\040admins:rwx
default:user:WDC\134tutti:rwx
default:group::r-x
default:group:WDC\134domain\040admins:rwx
default:group:WDC\134tutti:rwx
default:mask::rwx
default:other::r-x
where "tutti" is a general group for everyone's access.
I tested the filesystem for attr support and it's working. ACLs as well. smbd -D returns HAVE_LIBACL.
# samba-tool ntacl get BACHECA --as-sddl
O:LAG:DAD:PAI(A;OICIIO;0x001200a9;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-2667713901-96841565-2831603132-1107)(A;OICI;0x001f01ff;;;S-1-5-21-2667713901-96841565-2831603132-1108)(A;;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;DA)
(there's one more group I omitted in the getfacl)
# samba-tool group show tutti
dn: CN=tutti,CN=Users,DC=wdc,DC=domain,DC=it
objectClass: top
objectClass: group
cn: tutti
instanceType: 4
whenCreated: 20200430161053.0Z
uSNCreated: 4095
name: tutti
objectGUID: 01c15efe-dcde-4b1d-91d4-3e31a3e542f9
objectSid: S-1-5-21-2667713901-96841565-2831603132-1108
sAMAccountName: tutti
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=wdc,DC=domain,DC=it
member: CN=maxxer,CN=Users,DC=wdc,DC=domain,DC=it
so the "tutti" group appears in the ntacl.
When trying to access with debug enabled I get:
[2020/05/09 00:02:39.284780, 5] ../../source3/auth/token_util.c:874(debug_unix_user_token)
UNIX token of user 3000049
Primary group is 100 and contains 9 supplementary groups
Group[ 0]: 3000049
Group[ 1]: 100
Group[ 2]: 3000026
Group[ 3]: 3000021
Group[ 4]: 3000014
Group[ 5]: 3000015
Group[ 6]: 3000003
Group[ 7]: 3000009
Group[ 8]: 3000017
[2020/05/09 00:02:39.284843, 4] ../../source3/smbd/vfs.c:825(vfs_ChDir)
vfs_ChDir to /home/CONDIVISI/SHARE1
[2020/05/09 00:02:39.284866, 1] ../../source3/smbd/service.c:164(chdir_current_service)
chdir_current_service: vfs_ChDir(/home/CONDIVISI/SHARE1) got permission denied, current token: uid=3000049, gid=100, 9 groups: 3000049 100 3000026 3000021 3000014 3000015 3000003 3000009 3000017
[2020/05/09 00:02:39.284881, 3] ../../source3/smbd/smb2_server.c:3274(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:2558
# wbinfo --gid-info=3000021
WDC\tutti:x:3000021:
What am I missing?
Thanks again
--
Lorenzo Milesi - lorenzo.milesi at yetopen.it
YetOpen S.r.l. - https://www.yetopen.it/
Via Salerno 18 - 23900 Lecco - ITALY -
Tel +39 0341 220 205 - Fax +39 178 6070 222
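An added check, not part of the original post: the script below parses the getfacl output quoted above (decoding the \134 and \040 octal escapes getfacl uses for backslash and space) and runs the acl(5) access-check algorithm for the UNIX token printed in the debug log. The name-to-id map is an assumption: only tutti's gid (3000021) is on the page, so the "domain admins" id is a constructed placeholder.

```python
import re
# Access entries of the getfacl output quoted in the post (default: lines omitted; they
# shape new children and play no part in an access check on SHARE1 itself).
GETFACL_OUTPUT = r"""
# file: SHARE1/
# owner: root
# group: WDC\134domain\040admins
user::rwx
user:WDC\134domain\040admins:rwx
user:WDC\134tutti:rwx
group::rwx
group:WDC\134domain\040admins:rwx
group:WDC\134tutti:rwx
mask::rwx
other::---
"""
# tutti's gid is from the post's wbinfo output; "domain admins" is a constructed placeholder.
NAME_TO_ID = {"root": 0, "WDC\\tutti": 3000021, "WDC\\domain admins": 3000000}
TOKEN_UID = 3000049  # UNIX token of the denied user, copied from the post's level-5 debug log
TOKEN_GIDS = [3000049, 100, 3000026, 3000021, 3000014, 3000015, 3000003, 3000009, 3000017]

def unescape(s):
    # getfacl writes special bytes as octal escapes: \134 is a backslash, \040 a space.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)

def parse_getfacl(text):
    """Return (owner_uid, owning_gid, [(tag, qualifier_id_or_None, perms_set)])."""
    hdr, entries = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            hdr[key.strip()] = unescape(val.strip())
        elif not line.startswith("default:"):
            tag, qual, perms = line.split(":")
            entries.append((tag, NAME_TO_ID[unescape(qual)] if qual else None, set(perms) - {"-"}))
    return NAME_TO_ID[hdr["owner"]], NAME_TO_ID[hdr["group"]], entries

def acl_grants(acl, uid, gids, requested):
    """acl(5) algorithm: the first matching class decides; the mask caps all but owner and other."""
    owner, owning_gid, entries = acl
    requested = set(requested)
    named = {(t, q): p for t, q, p in entries}  # (tag, qualifier) -> permission set
    mask = named.get(("mask", None), {"r", "w", "x"})
    if uid == owner:
        return requested <= named[("user", None)]
    if ("user", uid) in named:
        return requested <= named[("user", uid)] & mask
    matching = [p for (t, q), p in named.items() if t == "group" and (owning_gid if q is None else q) in gids]
    if matching:
        return any(requested <= p & mask for p in matching)
    return requested <= named[("other", None)]
```

If this returns True for the share directory, the ACL on SHARE1 itself is not what denies the chdir, and the check moves to the rest of the path: chdir needs search (x) permission on every parent component, /home and /home/CONDIVISI included.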