Kees van Vloten
2023-Jul-19 08:57 UTC
[Samba] Fwd: Copy ACL to samba domain member file server
On 18-07-2023 at 23:00, Steffen Dettmer via samba wrote:
> Hi,
>
> I have a Debian 12 Container with Samba 4.17.9. Actually I wanted a
> domain controller Windows 2012R2 to migrate to Samba, but according to
> reading I had to downgrade to Windows Server 2008 first. I saw no way
> and bought a Windows Server 2019 license. Now I would like to have at
> least a file server with ACL support.
>
> I started with a fresh container and followed the Samba Wiki

I am wondering about the word "container". As far as I know you need a
privileged container for Samba to function properly.

- Kees.

> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
> I was able to join and did create a share as in
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
> It states to use Windows to configure permissions. However, on
> Windows, I only get permission denied and "failed to enumerate objects
> in the container". I saw in some log surprising permission issues with
> a tdb file and since the container has no shell access for users I
> simply tried chmod 0777 /var/lib/samba/*, but I still get the errors.
> Interestingly, the permissions seem to be set according to Windows
> file properties. I can create folders and their owner matches. I can
> write into them, but always get errors with ACLs. I also can delete the
> folders (from Windows).
>
> What I would like to safely (=robust, stable, reliable) have is to move
> my Windows files to my ZFS datasets (nas1/mp0) like:
>
> c:\>robocopy d:\stor1\f1 \\nas1\disk0\f1 /E /COPYALL /IA:RASHNTCEO
> /R:0 /W:0 /LOG+:d:\tmp\nas1.log /TEE /XD D:\stor1\f1\bak
>
> [many of:
> Neues Verz. 362 d:\stor1\f1\tmp\
> 2023/07/18 22:33:47 FEHLER 5 (0x00000005) NTFS-Sicherheit wird in
> Zielverzeichnis kopiert \\nas1\disk0\f1\tmp\
> Zugriff verweigert
> ]
>
> (This is "NTFS security will be copied to destination directory:
> permission denied")
>
> What am I doing wrong?
>
> Any help appreciated!
>
> Steffen
>
>
> root at nas1:/var/lib/samba# grep -vE '(^$|#)' /etc/samba/smb.conf | sed "s|$DOM|DOM|"
> [global]
> security = ADS
> workgroup = DOM
> realm = DOM.LOCAL
> winbind use default domain = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> acl_xattr:ignore system acls = yes
> log file = /var/log/samba/log.%m
> max log size = 1000
> logging = file
> panic action = /usr/share/samba/panic-action %d
> server role = standalone server
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = bad user
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config DOM : backend = rid
> idmap config DOM : range = 10000-99999
> template shell = /bin/bash
> template homedir = /home/%U
> usershare allow guests = yes
> [homes]
> comment = Home Directories
> browseable = no
> read only = yes
> create mask = 0700
> directory mask = 0700
> valid users = %S
> [disk0]
> path = /mp0/windisk0
> read only = no
> writeable = yes
> root at nas1:/var/lib/samba#
>
> /etc/krb5.conf
> [libdefaults]
> default_realm = DOM.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> rdns = false
> fcc-mit-ticketflags = true
>
>
> root at nas1:/var/lib/samba# wbinfo --ping-dc | sed "s|$DOM|DOM|g"
> checking the NETLOGON for domain[DOM] dc connection to "dc2.DOM.local" succeeded
>
> root at nas1:/var/lib/samba# ls -l /mp0/windisk0/
> total 9
> drwxrwxr-x+ 2 a-sdettmer domänen-benutzer 2 Jul 18 22:02 tst
> root at nas1:/var/lib/samba#
>
>
> root at nas1:/var/lib/samba# smbd -b | grep HAVE_LIBACL
> HAVE_LIBACL
> root at nas1:/var/lib/samba# net rpc rights list privileges SeDiskOperatorPrivilege -U "$DOM\administrator"
> Password for [DOM\administrator]:
> SeDiskOperatorPrivilege:
> DOM\Domänen-Admins
> BUILTIN\Administrators
> root at nas1:/var/lib/samba#
>
>
> root at nas1:/var/lib/samba# id a-sdettmer | sed "s|$DOM|DOM|g"
> uid=29603(a-sdettmer) gid=10513(domänen-benutzer)
> groups=10513(domänen-benutzer),29603(a-sdettmer),XXXXXXXX,10526(schlüsseladministratoren),XXXXX,10512(domänen-admins),10520(richtlinien-ersteller-besitzer),10527(unternehmenssschlüsseladministratoren),10519(organisations-admins),10518(schema-admins),11103(dnsadmins),21108(netmon
> users),10572(abgelehnte
> rodc-kennwortreplikationsgruppe),11001(dhcp-administratoren),10517(zertifikatherausgeber),XXXXX,3001(BUILTIN\users),3000(BUILTIN\administrators)
> root at nas1:/var/lib/samba#
>
>
>
> root at nas1:/var/lib/samba# samba-tool group listmembers "$DOM\Domänen-Admins" 2>&1| sed "s|$DOM|DOM|g"
> ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open
> file /var/lib/samba/private/sam.ldb: No such file or directory
>
> Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
> Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with
> backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': No
> such file or directory
> ERROR: Failed to list members of "DOM\Domänen-Admins" group - (1,
> "Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or
> directory")
> root at nas1:/var/lib/samba#
>
> (is this normal in domain member mode?)
Rowland Penny
2023-Jul-19 09:17 UTC
[Samba] Fwd: Copy ACL to samba domain member file server
On 19/07/2023 09:57, Kees van Vloten via samba wrote:
>
> On 18-07-2023 at 23:00, Steffen Dettmer via samba wrote:
>> Hi,
>>
>> I have a Debian 12 Container with Samba 4.17.9. Actually I wanted a
>> domain controller Windows 2012R2 to migrate to Samba, but according to
>> reading I had to downgrade to Windows Server 2008 first. I saw no way
>> and bought a Windows Server 2019 license. Now I would like to have at
>> least a file server with ACL support.
>>
>> I started with a fresh container and followed the Samba Wiki
>
> I am wondering about the word "container". As far as I know you need a
> privileged container for Samba to function properly.
>
> - Kees.
>

I wondered about that, but as Steffen went on to talk about a NAS, I wasn't sure whether he was conflating 'NAS' with 'container', so worked on that he was and commented on that assumption. However, if he is using a 'container' (if so, what sort?) then, yes, it should be a privileged container.

Rowland
Steffen Dettmer
2023-Jul-19 13:36 UTC
[Samba] Fwd: Copy ACL to samba domain member file server
Hi,

Thanks so much for your quick and helpful response! IT WORKS NOW!

On Wed, Jul 19, 2023 at 10:57 AM Kees van Vloten via samba <samba at lists.samba.org> wrote:
> I am wondering about the word "container". As far as I know you need a
> privileged container for Samba to function properly.

Actually I thought I had a privileged container because I already knew it's needed (unless using special options), but the Proxmox default now is to create unprivileged containers (which is good). I checked that, noticed the issue and fixed it. The messages I saw in the log file were too misleading to me. Could Samba somehow make a test at startup or even log an error if it gets a permission denied from the file system? I thought it would be a Windows issue. Great that you pointed it out, thank you!

Steffen
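The startup test Steffen asks for can be done by hand before Samba is even started. The script below is an added example, not code from the thread or from the Samba project. vfs_acl_xattr stores each Windows ACL in the extended attribute security.NTACL; the kernel only lets a process write security.* xattrs (other than security.capability) if it holds CAP_SYS_ADMIN in the initial user namespace, which the root of an unprivileged (user-namespaced) LXC container does not, so the set-permissions call fails with "access denied" while the rest of the share appears to work. The script goes a little beyond the single case in the thread: it checks the capability mask, checks for a user namespace (inside one, CapEff looks complete but the security.* write still fails), and then performs the decisive probe of writing security.NTACL on a temporary file in the share directory. The share path /mp0/windisk0 is taken from Steffen's smb.conf; the setfattr tool from the attr package is assumed to be installed.

```shell
#!/bin/sh
# Added preflight check for a Samba domain member using vfs_acl_xattr
# (example code, not from the samba mailing list thread or the Samba project).
# Run as the same user smbd runs as (root), inside the container that hosts
# the share, e.g.:  sh samba-acl-preflight.sh /mp0/windisk0

CAP_SYS_ADMIN_BIT=21   # bit number of CAP_SYS_ADMIN in the CapEff bitmask

# cap_mask_has_sys_admin HEXMASK
#   HEXMASK is the value shown on the "CapEff:" line of /proc/<pid>/status.
#   Returns 0 if CAP_SYS_ADMIN is set, 1 if not, 2 if the input is not hex.
cap_mask_has_sys_admin() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 2 ;;   # refuse anything that is not hex digits
    esac
    mask=$(( 0x$1 ))
    [ $(( (mask >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# in_user_namespace
#   Returns 0 when this process is inside a non-initial user namespace (an
#   unprivileged container). The initial namespace's /proc/self/uid_map is
#   exactly "0 0 4294967295"; anything else is a mapped (nested) namespace.
#   Returns 1 for the initial namespace, 2 if uid_map cannot be read.
in_user_namespace() {
    [ -r /proc/self/uid_map ] || return 2
    read -r inside outside count < /proc/self/uid_map
    if [ "$inside" = 0 ] && [ "$outside" = 0 ] && [ "$count" = 4294967295 ]; then
        return 1
    fi
    return 0
}

# probe_security_xattr DIR
#   The decisive test: write security.NTACL on a temporary file in DIR, which
#   is what smbd does when Windows sets permissions on a share file.
#   Returns 0 on success, 1 if the kernel refuses, 2 if setfattr (package
#   attr) is missing or DIR is not usable.
probe_security_xattr() {
    dir=${1:-.}
    command -v setfattr >/dev/null 2>&1 || return 2
    probe=$(mktemp "$dir/.ntacl-probe.XXXXXX") || return 2
    if setfattr -n security.NTACL -v probe "$probe" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$probe"
    return $rc
}

# samba_acl_preflight SHAREDIR
#   Prints one line per finding; returns 0 only if every check passes.
samba_acl_preflight() {
    rc=0
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null)
    if [ -n "$capeff" ] && ! cap_mask_has_sys_admin "$capeff"; then
        echo "FAIL: CapEff=$capeff lacks CAP_SYS_ADMIN (bit $CAP_SYS_ADMIN_BIT); security.* xattrs cannot be written"
        rc=1
    fi
    # Inside a user namespace root sees a full CapEff, yet capable(CAP_SYS_ADMIN)
    # against the initial namespace still fails, so check the namespace too.
    if in_user_namespace; then
        echo "FAIL: running in a user namespace (unprivileged container); security.NTACL is denied even to root"
        rc=1
    fi
    if probe_security_xattr "$1"; then probe_rc=0; else probe_rc=$?; fi
    case $probe_rc in
        0) echo "OK: security.NTACL is writable in ${1:-.}" ;;
        1) echo "FAIL: cannot set security.NTACL in ${1:-.}"; rc=1 ;;
        *) echo "SKIP: setfattr not installed or ${1:-.} not writable; xattr probe not run" ;;
    esac
    return $rc
}

if [ "${1+set}" ]; then
    samba_acl_preflight "$1"
fi
```

A FAIL from the namespace check with an OK from the capability check is exactly the Proxmox default Steffen ran into: the container's root looks fully privileged from inside, but the kernel still refuses the security.* write. Re-creating the container as privileged (or otherwise giving it the initial-namespace capability) makes the final probe succeed, after which the robocopy /COPYALL run from the first message copies the NTFS security without error 5.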