The output is:
getent group 'domain admins?
Copying without understanding what it does is not smart, I know. But sometimes
you will understand it later. And atm I am using a test setup.
Here is all the info you need:
Main AD:
Collected config --- 2020-09-05-18:16 -----------
Hostname: gaia
DNS Domain: rompen.local
FQDN: gaia.rompen.local
ipaddress: 192.168.88.2
-----------
Kerberos SRV _kerberos._tcp.rompen.local record verified ok, sample output:
Server: 192.168.88.2
Address: 192.168.88.2#53
_kerberos._tcp.rompen.local service = 0 100 88 gaia.rompen.local.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
-----------
This computer is running Debian 10.4 armv7l
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP group default qlen 1000
link/ether b8:27:eb:7f:ad:98 brd ff:ff:ff:ff:ff:ff
inet 192.168.88.2/24 brd 192.168.88.255 scope global dynamic noprefixroute
eth0
valid_lft 568sec preferred_lft 493sec
inet6 fe80::bbbd:eb9b:bce9:b088/64 scope link
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
default qlen 1000
link/ether b8:27:eb:2a:f8:cd brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 gaia.rompen.local gaia
-----------
Checking file: /etc/resolv.conf
# Generated by resolvconf
search rompen.local
nameserver 192.168.88.2
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = ROMPEN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.
passwd: files
group: files
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = GAIA
realm = ROMPEN.LOCAL
server role = active directory domain controller
workgroup = ROMPEN
idmap_ldb:use rfc2307 = yes
wins support = yes
[netlogon]
path = /var/lib/samba/sysvol/rompen.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii attr 1:2.4.48-4 armhf
utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3 all
internationalization support for MIT Kerberos
ii krb5-user 1.17-3 armhf
basic programs to authenticate using MIT Kerberos
ii libacl1:armhf 2.2.53-4 armhf
access control list - shared library
ii libattr1:armhf 1:2.4.48-4 armhf
extended attribute handling - shared library
ii libgssapi-krb5-2:armhf 1.17-3 armhf
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:armhf 1.17-3 armhf
MIT Kerberos runtime libraries
ii libkrb5support0:armhf 1.17-3 armhf
MIT Kerberos runtime libraries - Support library
ii libnss-winbind:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba nameservice integration plugins
ii libpam-winbind:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Windows domain authentication integration plugin
ii libsmbclient:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
shared library for communication with SMB/CIFS servers
ii libwbclient0:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba winbind client library
ii python-samba 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1+rpi1 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba common files used by both the server and the client
ii samba-dsdb-modules:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba Directory Services Database
ii samba-libs:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba core libraries
ii samba-testsuite 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
test suite from Samba
ii samba-vfs-modules:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba Virtual FileSystem plugins
ii smbclient 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
command-line SMB/CIFS clients for Unix
ii winbind 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
service to resolve user and group information from Windows NT servers
Member server:
Collected config --- 2020-09-05-18:15 -----------
Hostname: dna
DNS Domain: rompen.local
FQDN: dna.rompen.local
ipaddress: 192.168.88.3
-----------
Kerberos SRV _kerberos._tcp.rompen.local record verified ok, sample output:
Server: 192.168.88.2
Address: 192.168.88.2#53
_kerberos._tcp.rompen.local service = 0 100 88 gaia.rompen.local.
Samba is running as a Unix domain member
-----------
Checking file: /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
-----------
This computer is running Debian 10.4 armv7l
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP group default qlen 1000
link/ether b8:27:eb:97:db:d8 brd ff:ff:ff:ff:ff:ff
inet 192.168.88.3/24 brd 192.168.88.255 scope global dynamic noprefixroute
eth0
valid_lft 562sec preferred_lft 487sec
inet6 fe80::e85c:b84c:8f64:eb20/64 scope link
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
default qlen 1000
link/ether b8:27:eb:c2:8e:8d brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
192.168.88.3 dna.rompen.local dna
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# Generated by resolvconf
domain rompen.local
nameserver 192.168.88.2
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = ROMPEN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.
passwd: files winbind
group: files winbind
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
[global]
netbios name = DNA
workgroup = ROMPEN
security = ADS
realm = ROMPEN.LOCAL
encrypt passwords = yes
acl allow execute always = yes
idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config ROMPEN:backend = rid
#idmap config ROMPEN:schema_mode = rfc2307
idmap config ROMPEN:range = 10000-40000
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
username map = /etc/samba/user.map
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
username map = /etc/samba/user.map
admin users = administrator
[share]
path = /nas
read only = no
inherit acls = yes
[users]
path = /usr/home
comment = a comment
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = @"ROMPEN+Domain Users" <-- define your ADS
groups
admin users = @"ROMPEN+Domain Admins" <-- define your ads
groups with admin rights
-----------
Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
Checking file: /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-----------
Installed packages:
ii acl 2.2.53-4 armhf
access control list - utilities
ii attr 1:2.4.48-4 armhf
utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-user 1.17-3 armhf
basic programs to authenticate using MIT Kerberos
ii libacl1:armhf 2.2.53-4 armhf
access control list - shared library
ii libattr1:armhf 1:2.4.48-4 armhf
extended attribute handling - shared library
ii libgssapi-krb5-2:armhf 1.17-3 armhf
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:armhf 1.17-3 armhf
MIT Kerberos runtime libraries
ii libkrb5support0:armhf 1.17-3 armhf
MIT Kerberos runtime libraries - Support library
ii libnfsidmap2:armhf 0.25-5.1 armhf
NFS idmapping library
ii libnss-winbind:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba nameservice integration plugins
ii libpam-winbind:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Windows domain authentication integration plugin
ii libwbclient0:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba winbind client library
ii nfs-common 1:1.3.4-2.5+deb10u1 armhf
NFS support files common to client and server
ii python-samba 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1+rpi1 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba common files used by both the server and the client
ii samba-dsdb-modules:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba Directory Services Database
ii samba-libs:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba core libraries
ii samba-vfs-modules:armhf 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
Samba Virtual FileSystem plugins
ii winbind 2:4.9.5+dfsg-5+deb10u1+rpi1 armhf
service to resolve user and group information from Windows NT servers
-----------
Philip
> On 4 Sep 2020, at 19:23, Rowland penny via samba <samba at
lists.samba.org> wrote:
>
> getent group 'domain admins'