FreeBSD-12.1p7
Samba-4.10.15
The user profiles were transferred from the existing Samba AD-DC to a new
domain running on Samba-4.10. An ls on the original Samba (4.3.13) domain DC
shows this:
[root@SAMBA-01 ~]# ls -ld /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
drwxrwx---+ 16 BROCKLEY-2016\lyneak_hll BROCKLEY-2016\domain admins 512 Aug 12 17:07 /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
[root@SAMBA-01 ~]# ls -ldn /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
drwxrwx---+ 16 3000025 3000008 512 Aug 12 17:07 /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
On the new domain ls shows this:
ls -ld /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
drwxrwx--- 16 3000025 3000008 25 Jul 24 17:24 /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
But on the new domain controller ls shows this:
ls -ld /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
drwxrwx--- 16 3000025 3000008 25 Jul 24 17:24 /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
This is expected as the uid/gid mapping from one installation to another is not
expected to match. However, when I log on to the new domain from a Win10
workstation this is created:
d---------+ 18 3000027 3000008 27 Aug 12 15:29 /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V6
Which leads to a few questions:
1. What configuration is required on the new DC to show uid 3000027 as
BROCKLEY\lyneak_hll or has this changed in later versions of Samba?
2. GID 3000008 appears to be BROCKLEY-2016\domain admins on both domains. But
does not display as such on the new domain. What configuration setting is
required to get the group to display using ls?
3. On the existing domain the gid on user profiles seems to be 20 (staff). On
the new domain profiles are created with the gid 3000008. However, gid 20
(staff) exists in /etc/group on both DCs. Why the difference? Is this due to
a configuration setting?
The smb.conf file on the new DC is:
[root@smb4-2 ~ (master)]# cat /usr/local/etc/smb4.conf
## Global parameters
[global]
netbios name = SMB4-2
disable netbios = yes
realm = BROCKLEY.HARTE-LYNE.CA
server role = active directory domain controller
## use 'samba-tool testparm -v | grep services' to list active services
workgroup = BROCKLEY
idmap_ldb:use rfc2307 = yes
vfs objects = dfs_samba4 zfsacl
## Temp fix for roaming profiles? oplock
# veto oplock files = /NTUSER.DAT/
# veto oplock files = /ntuser.ini/
socket options = TCP_NODELAY SO_KEEPALIVE
## nbt causes a fatal startup error (or use disable netbios = yes)
# server services = -nbt
## Eliminate ipv6 errors
bind interfaces only = Yes
interfaces = localhost smb4-2
## DNS
dns forwarder = 216.185.71.33 216.185.71.34
#additional dns hostnames = smb4-2.brockley.harte-lyne.ca
## Note diff: sbin vs. bin and _ vs. - and dns vs. ns
dns update command = /usr/local/sbin/samba_dnsupdate
## samba_dnsupdate insists on finding rndc
rndc command = /usr/bin/true
## For secure dns dynamic updates use these (but secure does not work):
# 1 nsupdate command = /usr/local/bin/samba-nsupdate -g
# 1 allow dns updates = secure only
## For insecure dynamic updates use these settings:
nsupdate command = /usr/local/bin/samba-nsupdate
allow dns updates = nonsecure
## Logging
log level = 1
# log file = /var/log/samba4/smbd.log.%m
log file = /var/log/samba4/smbd.log
max log size = 10000
debug timestamp = yes
# Disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
## Shares
[sysvol]
path = /var/db/samba4/sysvol
read only = No
[netlogon]
path = /var/db/samba4/sysvol/brockley.harte-lyne.ca/scripts
read only = No
[PROFILES]
comment = Users profiles
path = /var/samba4/BROCKLEY/PROFILES/
browseable = No
read only = No
force create mode = 0600
force directory mode = 0700
csc policy = disable
store dos attributes = yes
vfs objects = dfs_samba4 zfsacl
[USERS]
comment = Users folder redirection
path = /var/samba4/BROCKLEY/USERS/
browseable = No
read only = No
force create mode = 0600
force directory mode = 0700
csc policy = disable
store dos attributes = yes
vfs objects = dfs_samba4 zfsacl
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
We moved profiles with this tool: https://www.forensit.com/downloads.html
It worked perfectly.

On 13.08.20 at 15:54, James B. Byrne via samba wrote:

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy.
You can obtain a free certificate at https://www.dgn.de/dgncert/index.html