Stefan G. Weichinger
2022-Oct-20 08:28 UTC
[Samba] editing samba-share ACLs etc from Windows
On 19.10.22 at 19:07, Rowland Penny via samba wrote:
>
>
> On 19/10/2022 17:25, Stefan G. Weichinger via samba wrote:
>> I thought 4.16.5, wanted to write 4.16.x to avoid the minor release
>> and failed completely.
>
> Don't worry, I do similar things all the time, I know what I want to
> type, but it doesn't always get through to my fingers, I think it is
> called old age ;-)

Ah, that could be, yes ;-)

> In which case it should work, so let's start with the smb.conf and the
> permissions set on the shares path.

This is a smb.conf the list has seen several times already ;-)

Debian 11.5, btw

I quote the conf, and only the main share for a first view. And I edit
the realm etc

This is a grown config over years, so there are many commented lines in
there already.

->

# cat /etc/samba/smb.conf
# This file is managed remotely, all changes will be lost

[global]
workgroup = BUERO
realm = MYDOM.AT
netbios name = SERVER

security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes

#winbind enum users = Yes
#winbind enum groups = Yes
winbind use default domain = yes

winbind offline logon = yes

# Use settings from AD for login shell and home directory
winbind nss info = template
template shell = /bin/bash
template homedir = /mnt/samba/Daten/%U

# obsolete with 4.8.x
#map untrusted to domain = Yes
#winbind trusted domains only = no

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain BUERO
idmap config BUERO:backend = rid
idmap config BUERO:range = 10000-99999

load printers = no
printing = bsd
printcap name = /dev/null

# turn off roaming profiles
logon path = ""
logon home = ""

hosts allow = localhost 192.168.16. 172.32.99.

log level = 1
log file = /var/log/samba/%m.log
max log size = 150000

# server min protocol = SMB2
# server max protocol = SMB2

#strict sync = yes

# ACLs
    store dos attributes = Yes
    map acl inherit = Yes
    #vfs objects = acl_xattr full_audit
    vfs objects = acl_xattr

# Audit settings
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice

# 2021-dec-30 allow domain admin in
min domain uid = 0


[homes]
    comment       = Home Directory
    guest ok      = no
    read only     = no
    valid users   = %S
    invalid users = root, bin, daemon, adm, sync, shutdown, halt, mailnewsuucp, operator
    browseable    = No

[daten]
    comment = Daten
    path = /mnt/samba/
    read only = No
    create mask = 0775
    directory mask = 02775
    force directory mode = 0775
    #wide links = yes
    #veto oplock files = /*.DAT/*.dat/
    #oplocks = False
    #level2 oplocks = False
On 20/10/2022 09:28, Stefan G. Weichinger via samba wrote:
> This is a smb.conf the list has seen several times already ;-)
>
> Debian 11.5, btw
>
> I quote the conf, and only the main share for a first view. And I edit
> the realm etc
>
> This is a grown config over years, so there are many commented lines in
> there already.
>
> ->
>
> # cat /etc/samba/smb.conf
> # This file is managed remotely, all changes will be lost
>
> [global]
> workgroup = BUERO
> realm = MYDOM.AT
> netbios name = SERVER
>
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/smbusers
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> #winbind enum users = Yes
> #winbind enum groups = Yes
> winbind use default domain = yes
>
> winbind offline logon = yes
>
> # Use settings from AD for login shell and home directory
> winbind nss info = template

That is interesting, mainly because you are using the idmap 'rid'
backend, you can only use rfc2307 attributes from AD if you use the
idmap 'ad' backend, so you might as well remove those two lines.

> template shell = /bin/bash
> template homedir = /mnt/samba/Daten/%U
>
> # obsolete with 4.8.x
> #map untrusted to domain = Yes
> #winbind trusted domains only = no
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain BUERO
> idmap config BUERO:backend = rid
> idmap config BUERO:range = 10000-99999
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
>
> # turn off roaming profiles
> logon path = ""
> logon home = ""
>
> hosts allow = localhost 192.168.16. 172.32.99.
>
> log level = 1
> log file = /var/log/samba/%m.log
> max log size = 150000
>
> # server min protocol = SMB2
> # server max protocol = SMB2
>
> #strict sync = yes
>
> # ACLs
>     store dos attributes = Yes
>     map acl inherit = Yes
>     #vfs objects = acl_xattr full_audit
>     vfs objects = acl_xattr
>
> # Audit settings
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> full_audit:facility = local5
> full_audit:priority = notice
>

You might as well comment out the audit settings, you are not using them.

> # 2021-dec-30 allow domain admin in
> min domain uid = 0
>
>
> [homes]
>     comment       = Home Directory
>     guest ok      = no
>     read only     = no
>     valid users   = %S
>     invalid users = root, bin, daemon, adm, sync, shutdown, halt,
> mailnewsuucp, operator
>     browseable    = No
>
> [daten]
>     comment = Daten
>     path = /mnt/samba/
>     read only = No
>     create mask = 0775
>     directory mask = 02775
>     force directory mode = 0775
>     #wide links = yes
>     #veto oplock files = /*.DAT/*.dat/
>     #oplocks = False
>     #level2 oplocks = False
>

OK, where does it say to add all those extra lines to the share ? It
certainly doesn't say it here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

You didn't post the share permissions I asked for, is it possible you
can do so ?

Rowland
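As an added example (not part of this thread, and not a Samba tool), the following Python script mechanises the three points Rowland raises against the posted smb.conf: full_audit:* parameters that are set while the full_audit module is absent from 'vfs objects' and therefore never run, an explicit 'winbind nss info' line combined with the idmap 'rid' backend (rfc2307 attributes would need the 'ad' backend, so the line is redundant), and share-level mask parameters on an acl_xattr share that the linked wiki recipe does not use. The names parse_smb_conf(), lint() and SAMPLE_SMB_CONF are hypothetical; SAMPLE_SMB_CONF is a constructed excerpt of the configuration quoted above.

```python
"""Linter for the smb.conf points raised in this thread (added example).

Not Samba's own tooling; helper names are hypothetical and the sample
config is a constructed excerpt of the one posted to the list.
"""
import re

# Constructed excerpt of the posted smb.conf (only the lines the checks need).
SAMPLE_SMB_CONF = """\
[global]
   winbind nss info = template
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config BUERO:backend = rid
   idmap config BUERO:range = 10000-99999
   map acl inherit = Yes
   #vfs objects = acl_xattr full_audit
   vfs objects = acl_xattr
   full_audit:prefix = %u|%I|%m|%S
   full_audit:failure = connect
   full_audit:success = mkdir rmdir read pread write pwrite rename unlink

[daten]
   path = /mnt/samba/
   read only = No
   create mask = 0775
   directory mask = 02775
   force directory mode = 0775
"""


def norm_key(key):
    """smbd compares parameter names case-insensitively and ignores
    whitespace, so 'Store DOS Attributes' equals 'storedosattributes'."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}} for an smb.conf string.

    '#' and ';' lines are comments and are dropped, so the commented-out
    'vfs objects = acl_xattr full_audit' line above does not count.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][norm_key(key)] = value.strip()
    return sections


# Share parameters Rowland questions; the wiki's Windows-ACL share recipe
# sets only 'path' and 'read only'.
MASK_PARAMS = {
    "createmask": "create mask",
    "directorymask": "directory mask",
    "forcecreatemode": "force create mode",
    "forcedirectorymode": "force directory mode",
}


def lint(sections):
    """Return human-readable findings for a parsed config."""
    findings = []
    g = sections.get("global", {})
    global_vfs = g.get("vfsobjects", "").lower().split()

    # 1. full_audit:* settings do nothing unless the module is loaded.
    audit_keys = [k for k in g if k.startswith("full_audit:")]
    if audit_keys and "full_audit" not in global_vfs:
        findings.append("global: %d full_audit:* parameter(s) set, but "
                        "full_audit is not in 'vfs objects'; they have no "
                        "effect" % len(audit_keys))

    # 2. rfc2307 attributes need the idmap 'ad' backend; with 'rid' the
    #    explicit 'winbind nss info' line (template is the default) is redundant.
    rid_domains = [k[len("idmapconfig"):-len(":backend")] for k in g
                   if k.startswith("idmapconfig") and k.endswith(":backend")
                   and g[k].lower() == "rid"]
    if "winbindnssinfo" in g and rid_domains:
        findings.append("global: 'winbind nss info = %s' is redundant with the "
                        "idmap rid backend for %s"
                        % (g["winbindnssinfo"], ", ".join(rid_domains)))

    # 3. Mask parameters on an acl_xattr share are outside the wiki recipe.
    for name, params in sections.items():
        if name == "global":
            continue
        vfs = params.get("vfsobjects", "").lower().split() or global_vfs
        extra = [MASK_PARAMS[k] for k in MASK_PARAMS if k in params]
        if "acl_xattr" in vfs and extra:
            findings.append("[%s]: acl_xattr share also sets %s, which the "
                            "Windows-ACL share recipe does not use"
                            % (name, ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for finding in lint(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Run it with python3 and it prints one line per finding for the constructed excerpt. It only checks the three semantic points discussed in the thread; syntax and defaults are still the job of Samba's own testparm, which this script does not replace.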