Rowland Penny
2022-Aug-04 18:05 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
On Thu, 2022-08-04 at 18:54 +0200, Oliver via samba wrote:
> Dear all,
>
> some research later, I did some queries on my PDC and secondary DC.

You do not have a PDC and secondary DC, you just have two DCs and one of them holds all the FSMO roles. In all other things, they should be identical.

> I figure out, that the LDAP queries works and the group membership for
> LDAP is working.
>
> I found an error, when run samba-tool on the secondary DC. There is a
> missing secrets.ldb and sam.ldb .

If you do not have secrets.ldb and sam.ldb on a DC, then you have really big problems. Have you checked if they exist or not?

> You will find it at the end of this message.
>
> Can you help me to fix this?
> What did I wrong?
>
> Regards,
>
> Oliver
>
> General question marks, may somebody could answer:
> - getent not works on Primary DC

Do you have libpam-winbind and libnss-winbind installed? Or if you compiled Samba yourself, did you create the required links?

> - wbinfo on Primary DC run with or without given Domain e.g.
> "DOMAIN\\USER" & "USER"

This is how it is supposed to work.

> - wbinfo on secondarys DC only runs with given Domain e.g.
> "DOMAIN\\USER"

Hmm, that isn't correct.

> - ldbsearch works only to remote host DC.

'ldbsearch' should work on both DCs

I do hope that '.local' is a replacement for your correct TLD

I think you need to compare your first DC with your second DC, they should, apart from the hostname ipaddress etc, be identical.

I would also do some reading up on AD attributes (for instance, a group will never have a primaryGroupID attribute).

Rowland
Oliver
2022-Aug-09 15:15 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
Can I do some test, if there is winbind implemented correctly in my machine?

On 04.08.2022 at 20:05, Rowland Penny via samba wrote:
> If you do not have secrets.ldb and sam.ldb on a DC, then you have
> really big problems. Have you checked if they exist or not?

Yes, they are not existing:

ls -ll /usr/local/samba/private/
insgesamt 1012
drwx------ 2 root root   4096  4. Aug 17:20 msg.sock
-rw------- 1 root root  32768  3. Aug 14:27 netlogon_creds_cli.tdb
-rw------- 1 root root 421888  4. Jul 17:11 passdb.tdb
-rw------- 1 root root 577536 30. Jul 10:02 secrets.tdb

> Do you have libpam-winbind and libnss-winbind installed?
> Or if you compiled Samba yourself, did you create the required links?

Yes, I do following symlinks on both machines:

#Debian Aarch64
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/aarch64-linux-gnu/libnss_winbind.so.2
ln -s /lib/aarch64-linux-gnu/libnss_winbind.so.2 /lib/aarch64-linux-gnu/libnss_winbind.so
ldconfig

#Ubuntu x86_64
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
ldconfig

My pre-installed packages before I compile samba are:

# Debian Install Dependencies for Samba Build from Source
apt-get install acl attr autoconf bison build-essential \
  debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev \
  libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev \
  libcap-dev libcups2-dev libgnutls28-dev libgpgme-dev libjson-perl \
  libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
  libpopt-dev libreadline-dev nettle-dev perl perl-modules pkg-config \
  python3-all-dev python3-dbg python-dev python3-dnspython \
  python3-dnspython python3-markdown python3-markdown \
  python3-dev xsltproc zlib1g-dev liblmdb-dev lmdb-utils libdbus-1-dev

# Ubuntu
apt-get install acl attr autoconf bison build-essential \
  debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev \
  libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev \
  libcap-dev libcups2-dev libgnutls28-dev libgpgme-dev libjson-perl \
  libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
  libpopt-dev libreadline-dev nettle-dev perl perl-modules pkg-config \
  python3-all-dev python3-dbg python2-dev python3-dnspython \
  python3-dnspython python3-markdown python3-markdown \
  python3-dev xsltproc zlib1g-dev liblmdb-dev lmdb-utils libdbus-1-dev python3-gpg

>> - wbinfo on secondarys DC only runs with given Domain e.g.
>> "DOMAIN\\USER"
> Hmm, that isn't correct.
>
>> - ldbsearch works only to remote host DC.
> 'ldbsearch' should work on both DCs
>
> I do hope that '.local' is a replacement for your correct TLD

Yes, I have .home as my TLD.

> I think you need to compare your first DC with your second DC, they
> should, apart from the hostname ipaddress etc, be identical.

Actually they are different. May there could be a same hostname inside smb.conf before I joined the domain.

> I would also do some reading up on AD attributes (for instance, a group
> will never have a primaryGroupID attribute).

Thanks, I will do so.

Regards,
Oliver
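
A check for the two things discussed in this thread, the sam.ldb/secrets.ldb files in Samba's private directory and the libnss_winbind links, as an added example that is not part of the original messages. The function names and the script name are assumptions; the paths in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Report whether the two databases named in the thread exist in Samba's
# private directory. Returns 0 if both are present, 1 otherwise.
check_private_dir() {
    dir=$1; missing=0
    for db in sam.ldb secrets.ldb; do
        if [ -f "$dir/$db" ]; then
            echo "ok:       $dir/$db"
        else
            echo "MISSING:  $dir/$db"; missing=1
        fi
    done
    return "$missing"
}

# Verify that both libnss_winbind links in a system library directory
# resolve to a regular file ([ -f ] follows symlinks, [ -L ] does not).
check_nss_links() {
    libdir=$1; bad=0
    for name in libnss_winbind.so.2 libnss_winbind.so; do
        path="$libdir/$name"
        if [ -f "$path" ]; then
            echo "ok:       $path"
        elif [ -L "$path" ]; then
            echo "DANGLING: $path -> $(readlink "$path")"; bad=1
        else
            echo "ABSENT:   $path"; bad=1
        fi
    done
    return "$bad"
}

# Usage: sh check_dc.sh PRIVATE_DIR NSS_LIBDIR
# e.g.   sh check_dc.sh /usr/local/samba/private /lib/x86_64-linux-gnu
if [ "$#" -eq 2 ]; then
    rc=0
    check_private_dir "$1" || rc=1
    check_nss_links "$2" || rc=1
    exit "$rc"
fi
```

It only checks that the files and links exist; it says nothing about whether the databases are intact or whether winbind answers queries.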