L.P.H. van Belle
2020-Jun-30 07:06 UTC
[Samba] Recipe/advice for Samba 4.11 on Ubuntu 20.04 as member server joining Windows Server 2019 AD
In this case.

Change the setup.
\\proto1\derekwashere
To
\\proto1\users\derekwashere

Apply the correct rights on users and for the share.
And you have your security tab back

Ps. And I would use.

\\FQ.D.N\users\
Because it simply helps in avoiding sudden problems.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Michael Galvon via samba
> Sent: Tuesday 30 June 2020 7:47
> To: samba at lists.samba.org
> Subject: Re: [Samba] Recipe/advice for Samba 4.11 on Ubuntu 20.04 as member server joining Windows Server 2019 AD
>
> Thank you Rowland for your rapid response!
>
> We have made progress, and are hung up on some odd behaviour (at least
> to us) with the computer management and shares/security tab.
>
> To be more explicit, looking at the wiki page
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs
>
> The odd behaviour seems to us that in the "Share Permissions" tab, the
> group "Everyone" must have Read access in order for the "Security" tab
> to be able to show/adjust security access.
>
> Is this expected behaviour? It runs counter to 20+ years of experience
> in setting up Windows sharing.
>
> If we, for example, remove "everyone" from the share permissions tab,
> and replace it with "Domain Admins" and "Domain Users", both having full
> control, then we see this message on the Security tab...
>  Object Name: \\proto1\derekwashere
>
> You must have Read permissions to view the properties of this object.
>
>  Click advanced to continue.
>
> Clicking on advanced gets us to the expected screen, but any changes
> (e.g. Owner: ) results in
> Unable to set new owner on derekwashere (\\proto1)
> Access is denied.
>
> Kindly advise -- we have a host of troubleshooting information should
> you need/want it.
>
> # /etc/samba/smb.conf
>
> [global]
>     disable spoolss = Yes
>     load printers = No
>     log file = /var/log/samba/%m.log
>     printcap name = /dev/null
>     realm = HO.CLAY.BC.CA
>     security = ADS
>     server string = TEST server
>     template homedir = /0data/smb_shares/home/%U
>     template shell = /bin/bash
>     username map = /etc/samba/user.map
>     winbind enum users = Yes
>     winbind use default domain = Yes
>     workgroup = HO
>     idmap config ho : range = 10000-999999
>     idmap config ho : backend = rid
>     idmap config * : range = 3000-7999
>     idmap config * : backend = tdb
>     map acl inherit = Yes
>     printing = bsd
>     vfs objects = acl_xattr
>
> [test03]
>     path = /0data/smb_shares/test03/
>     read only = No
>
> # /etc/samba/user.map
> !root = HO\Administrator HO\administrator administrator
>
> Thanks in advance,
>
> mtg
>
> On 2020-06-24 12:00 a.m., Rowland penny via samba wrote:
> > On 24/06/2020 02:02, Michael Galvon via samba wrote:
> >> Hi,
> >>
> >> Brand new VM's running on ESXi replacing existing Samba 3 NT domain.
> >> I am not quite brand new but this is my first time for this combination.
> >> Would like to use Win Ad for authentication and Samba for 20 users
> >> and company shared data.
> >>
> >> Started with this how-to:
> >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >>
> >> Lost my way on Choose backend for id mapping in winbindd and further
> >> reading in mapping Unix attributes for users in ADUC.
> >> It appears we must manually edit each users properties?
> >> To my eyes, it appears the article was written to assist in joining
> >> Samba member servers to join Samba AD
> >
> > It doesn't matter if the DC is a Samba AD DC or a Windows AD DC, you
> > set the Unix domain members up the same.
> >
> > It boils down to three main winbind backends: rid, ad and autorid. You
> > only need to add anything to AD if you use the 'ad' backend. The 'rid'
> > backend calculates the Unix ID from the Windows user or group RID, the
> > 'autorid' backend does something similar, but is really meant for
> > multiple domains.
> >
> > The only time you need to add anything to AD is if you use the 'ad'
> > backend, in which case you must add RFC2307 attributes (uidNumber,
> > gidNumber, etc), but it does give you the same ID on all your Unix
> > machines and the ability to set individual home directories and login
> > shells.
> >
> > Rowland
>
> --
> Michael Galvon
> Red Rhino Technologies Inc.
> C - 250-888-6505
> T - 250.920.4004
> support at redrhino.ca
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Michael Galvon
2020-Jun-30 15:38 UTC
[Samba] Recipe/advice for Samba 4.11 on Ubuntu 20.04 as member server joining Windows Server 2019 AD
Thank you Louis!
Unfortunately, I made some mistakes in my last question for which I apologize.
And I am sorry but I do not understand your recommendations.

Here is a more accurate view of things:

To reiterate we have a new Windows Server 2019 AD for authentication and new samba 4.11.6-Ubuntu member server for file sharing (\\proto1)

Looking at the wiki page
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs
It appears that in the "Share Permissions" tab, the group "Everyone" must have Read access in order for the "Security" tab to be able to show/adjust security access.
After removing the share permissions group Everyone (changing it to something more secure) we are unable to modify Security permissions. No users/groups have read permissions. Cannot take ownership or change perms.

For example, using the share in the smb.conf below - /0data/smb_shares/test05/ - located on the Samba server \\proto1
This will be similar to the final configuration. All shares located under /0data/smb_shares

In Ubuntu we create the directory, adjust permissions and ownership and smb.conf

# mkdir test05
# chown root:HO\\domain\ admins test05
# chmod a+rwx test05

Configure in smb.conf

[test05]
    path = /0data/smb_shares/test05/
    read only = No

drwxrwxrwx   3 root domain admins  4096 Jun 30 08:03 test05

The new share shows up and is R/W on the Windows server 2019 and a Win10 workstation joined to domain

On the Windows server -> Computer Management -> connect to another computer -> \\proto1
Shared Folders -> Shares
Share Name: test05
Folder Path: C:\0data\smb_shares\test05\
Share Permissions set for Everyone Full Control
Security - Object Name: \\PROTO\test05
Groups or usernames: (none have any Allowed permissions.)
Everyone
root [Unix User\root]
Creator Owner
Creator Group

Add Domain admins and domain users with full control - exit computer management
Add domain admins and domain users to Shared Permissions. Remove Everyone.
Security Tab: You must have Read permissions to view the properties of this object
Unable to modify Security permissions and cannot take ownership or change perms.

We have tested with several shares and sequences with the same result.

# /etc/samba/smb.conf

[global]
    disable spoolss = Yes
    load printers = No
    log file = /var/log/samba/%m.log
    printcap name = /dev/null
    realm = HO.CLAY.BC.CA
    security = ADS
    server string = TEST server
    template homedir = /0data/smb_shares/home/%U
    template shell = /bin/bash
    username map = /etc/samba/user.map
    winbind enum users = Yes
    winbind use default domain = Yes
    workgroup = HO
    idmap config ho : range = 10000-999999
    idmap config ho : backend = rid
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    map acl inherit = Yes
    printing = bsd
    vfs objects = acl_xattr

[test05]
    path = /0data/smb_shares/test05/
    read only = No

# /etc/samba/user.map
!root = HO\Administrator HO\administrator administrator

Thanks in advance,

mtg

On 2020-06-30 12:06 a.m., L.P.H. van Belle via samba wrote:
> In this case.
>
> Change the setup.
> \\proto1\derekwashere
> To
> \\proto1\users\derekwashere
>
> Apply the correct rights on users and for the share.
> And you have your security tab back
>
> Ps. And I would use.
>
> \\FQ.D.N\users\
> Because it simply helps in avoiding sudden problems.
>
> Greetz,
>
> Louis

--
Michael Galvon
Red Rhino Technologies Inc.
C - 250-888-6505
T - 250.920.4004
support at redrhino.ca
Rowland penny
2020-Jun-30 15:47 UTC
[Samba] Recipe/advice for Samba 4.11 on Ubuntu 20.04 as member server joining Windows Server 2019 AD
On 30/06/2020 16:38, Michael Galvon via samba wrote:
> Thank you Louis!
> Unfortunately, I made some mistakes in my last question for which I
> apologize.
> And I am sorry but I do not understand your recommendations.
>
> Here is a more accurate view of things:
>
> To reiterate we have a new Windows Server 2019 AD for authentication
> and new samba 4.11.6-Ubuntu member server for file sharing (\\proto1)
>
> Looking at the wiki page
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs
> It appears that in the "Share Permissions" tab, the group "Everyone"
> must have Read access in order for the "Security" tab to be able to
> show/adjust security access.
> After removing the share permissions group Everyone (changing it to
> something more secure) we are unable to modify Security permissions.
> No users/groups have read permissions. Cannot take ownership or change
> perms.

Stop trying to be 'more secure', put 'Everyone' back, it will not work unless you do, the 'security' tab disappears.

Rowland