Rowland Penny
2022-Aug-10 09:52 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
On Wed, 2022-08-10 at 10:43 +0200, Oliver via samba wrote:
> On 10.08.2022 at 08:38, Rowland Penny via samba wrote:
> > Sorry to be the bearer of bad news, but if 'security = ADS' is set
> > in smb.conf on DC2 and DC3, then they are not DC's, they are Unix
> > domain members, how did you join them ?
>
> I joined both members with :
>
> # net ads join -U administrator

If you wanted DC's, it should have been:

samba-tool domain join ${AD_DNSDOMAIN} DC -UAdministrator --realm=${AD_KERBEROS_REALM}

> Because of the static IP in the network adapter settings, I manually
> created the reverse PTR record in the reverse DNS zone via RSAT.
>
> When I run testjoin, I am also getting errors on the ldb files...
>
> root@member1:~# net ads testjoin -d 3
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface eth0 ip=192.168.188.24 bcast=192.168.188.255 netmask=255.255.255.0
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface eth0 ip=192.168.188.24 bcast=192.168.188.255 netmask=255.255.255.0
> ldb: ltdb: tdb(/usr/local/samba/private/secrets.ldb): tdb_open_ex: could not open file /usr/local/samba/private/secrets.ldb: Datei oder Verzeichnis nicht gefunden
>
> ldb: Unable to open tdb '/usr/local/samba/private/secrets.ldb': Datei oder Verzeichnis nicht gefunden
> ldb: Failed to connect to '/usr/local/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/usr/local/samba/private/secrets.ldb': Datei oder Verzeichnis nicht gefunden
> Failed to create cldap tsocket_address for - NT_STATUS_ACCESS_DENIED
> ads_try_connect: CLDAP request failed.
> get_dc_list: preferred server list: ", *"
> Successfully contacted LDAP server 192.168.188.5
> get_dc_list: preferred server list: ", *"
> get_dc_list: preferred server list: ", *"
> Failed to create cldap tsocket_address for - NT_STATUS_OBJECT_NAME_COLLISION
> ads_try_connect: CLDAP request failed.
> Failed to create cldap tsocket_address for - NT_STATUS_OBJECT_NAME_COLLISION
> ads_try_connect: CLDAP request failed.
> get_dc_list: preferred server list: ", *"
> Successfully contacted LDAP server 192.168.188.5
> get_dc_list: preferred server list: ", *"
> get_dc_list: preferred server list: ", *"
> Successfully contacted LDAP server 192.168.188.5
> Connecting to 192.168.188.5 at port 389
> Connected to LDAP server dc1.domain.home
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Join is OK
> return code = 0

Your problem is that they are Unix domain members and not DC's.

Do you want DC's ?
If so, remove the two Unix domain members and start again.

Rowland
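Rowland's point, that 'security = ADS' in smb.conf marks a Unix domain member rather than a DC, can be checked mechanically before anyone trusts a host's claimed role. The following is an added example, not code from this thread or from the Samba project: a POSIX sh function that classifies a host from its smb.conf text read on stdin, tried on two constructed configurations with placeholder domain names. On a live host you would feed it the output of `testparm -s`.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): classify a Samba
# host's role from its smb.conf text on stdin. Prints: dc, member, standalone
# or unknown. An explicit 'server role' wins; otherwise 'security' decides,
# which is how 'security = ADS' makes a host a domain member, not a DC.
samba_role() {
    # drop comments, normalise "key = value" spacing, trim trailing blanks, lowercase
    cfg=$(sed -e 's/[#;].*$//' \
              -e 's/[[:space:]]*=[[:space:]]*/=/' \
              -e 's/[[:space:]]*$//' | tr '[:upper:]' '[:lower:]')
    # the last occurrence of a parameter wins, as in smb.conf itself
    role=$(printf '%s\n' "$cfg" | sed -n 's/^[[:space:]]*server role=//p' | tail -n 1)
    security=$(printf '%s\n' "$cfg" | sed -n 's/^[[:space:]]*security=//p' | tail -n 1)
    case "$role" in
        "active directory domain controller") echo dc; return 0 ;;
        "member server")                      echo member; return 0 ;;
        "standalone server"|"standalone")     echo standalone; return 0 ;;
    esac
    case "$security" in
        ads)      echo member ;;
        user|"")  echo standalone ;;   # Samba's default when no 'security' line is set
        *)        echo unknown ;;
    esac
}

# Constructed sample configurations (placeholder names, not the poster's files)
MEMBER_CONF='[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.HOME
   security = ADS
   # joined with: net ads join -U administrator
'
DC_CONF='[global]
   server role = active directory domain controller
   workgroup = EXAMPLE
   realm = EXAMPLE.HOME
'

printf '%s' "$MEMBER_CONF" | samba_role   # member
printf '%s' "$DC_CONF" | samba_role       # dc
# On a real host: testparm -s 2>/dev/null | samba_role
```

A host that reports `member` here was joined with `net ads join`, not `samba-tool domain join ... DC`, whatever its hostname suggests; the `secrets.ldb` errors in the testjoin output above are consistent with that, since a member keeps its machine account in `secrets.tdb` rather than in the DC's `secrets.ldb`.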
Oliver
2022-Aug-10 10:20 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
On 10.08.2022 at 11:52, Rowland Penny via samba wrote:
> On Wed, 2022-08-10 at 10:43 +0200, Oliver via samba wrote:
> > On 10.08.2022 at 08:38, Rowland Penny via samba wrote:
> > > Sorry to be the bearer of bad news, but if 'security = ADS' is set
> > > in smb.conf on DC2 and DC3, then they are not DC's, they are Unix
> > > domain members, how did you join them ?
> > I joined both members with :
> >
> > # net ads join -U administrator
> If you wanted DC's, it should have been:
>
> samba-tool domain join ${AD_DNSDOMAIN} DC -UAdministrator --realm=${AD_KERBEROS_REALM}
>
> > Because of the static IP in the network adapter settings, I manually
> > created the reverse PTR record in the reverse DNS zone via RSAT.
> >
> > When I run testjoin, I am also getting errors on the ldb files...
> >
> > root@member1:~# net ads testjoin -d 3
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[global]"
> > added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> > added interface eth0 ip=192.168.188.24 bcast=192.168.188.255 netmask=255.255.255.0
> > Registered MSG_REQ_POOL_USAGE
> > Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> > added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> > added interface eth0 ip=192.168.188.24 bcast=192.168.188.255 netmask=255.255.255.0
> > ldb: ltdb: tdb(/usr/local/samba/private/secrets.ldb): tdb_open_ex: could not open file /usr/local/samba/private/secrets.ldb: Datei oder Verzeichnis nicht gefunden
> >
> > ldb: Unable to open tdb '/usr/local/samba/private/secrets.ldb': Datei oder Verzeichnis nicht gefunden
> > ldb: Failed to connect to '/usr/local/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/usr/local/samba/private/secrets.ldb': Datei oder Verzeichnis nicht gefunden
> > Failed to create cldap tsocket_address for - NT_STATUS_ACCESS_DENIED
> > ads_try_connect: CLDAP request failed.
> > get_dc_list: preferred server list: ", *"
> > Successfully contacted LDAP server 192.168.188.5
> > get_dc_list: preferred server list: ", *"
> > get_dc_list: preferred server list: ", *"
> > Failed to create cldap tsocket_address for - NT_STATUS_OBJECT_NAME_COLLISION
> > ads_try_connect: CLDAP request failed.
> > Failed to create cldap tsocket_address for - NT_STATUS_OBJECT_NAME_COLLISION
> > ads_try_connect: CLDAP request failed.
> > get_dc_list: preferred server list: ", *"
> > Successfully contacted LDAP server 192.168.188.5
> > get_dc_list: preferred server list: ", *"
> > get_dc_list: preferred server list: ", *"
> > Successfully contacted LDAP server 192.168.188.5
> > Connecting to 192.168.188.5 at port 389
> > Connected to LDAP server dc1.domain.home
> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'http_negotiate' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Join is OK
> > return code = 0
> Your problem is that they are Unix domain members and not DC's.
>
> Do you want DC's ?
> If so, remove the two Unix domain members and start again.
>
> Rowland

No, I would like one as a DC and two as domain members, to share files. These members have to take the users and groups for share and ACL permissions, set up by a Windows client, from the DC. The DC doesn't need to be a fileserver.

Oliver
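The setup Oliver describes in his last message (one DC, two Unix domain members serving files, with share permissions set from a Windows client) is the standard Samba "domain member" layout. The following is an added example, not Oliver's or Rowland's configuration and not taken from the thread: a minimal smb.conf for such a member, with placeholder workgroup, realm, idmap ranges and share path that are assumptions to be replaced. It keeps 'security = ADS', which is correct for a member, and adds the pieces a member needs so that Windows ACLs set from a client are stored and honoured.

```ini
# Added example smb.conf for a Unix domain member (assumed names/ranges, not the poster's)
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.HOME
   security = ADS

   # winbind ID mapping: the '*' default range and the domain range must not overlap,
   # and every member of the domain should use the same backend and range
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999

   winbind use default domain = yes
   winbind refresh tickets = yes

   # store the full NT ACL as an extended attribute and honour inheritance,
   # so ACLs set from the Windows security tab survive on the Unix filesystem
   vfs objects = acl_xattr
   map acl inherit = yes

[share]
   path = /srv/samba/share
   read only = no
```

Two things outside the file matter for the subject of this thread. First, a domain user other than Administrator can only change share ACLs from a Windows client if the account (or a group it belongs to) holds SeDiskOperatorPrivilege on that member; it is granted once per member with `net rpc rights grant 'EXAMPLE\Domain Admins' SeDiskOperatorPrivilege -U 'EXAMPLE\Administrator'`, using your own domain names in place of the placeholders. Second, the filesystem holding the share must support extended attributes, since acl_xattr stores the ACL in `security.NTACL`; `getfattr -n security.NTACL -d <file>` shows whether one has been written.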