spindles seven
2023-Dec-17 10:38 UTC
[Samba] Samba share not quite working on Domain Controller
On December 17, 2023 6:23 AM Mark Foley wrote:
> On Sat Dec 16 15:49:27 2023 Mark Foley via samba <samba at lists.samba.org> wrote:
> [deleted]
> I got this fixed! Nothing like a little lotus-position meditation and navel-contemplation to gain enlightenment.
>
> Since sysvol and netlogin folders didn't crash when I selected their Properties > Security, I reasoned there must be something about permissions or ownership afoot. Sure enough:
>
> # ls -ld /var/lib/samba/sysvol/
> drwxrwx---+ 3 root 3000000 4096 2023-11-29 21:16 /var/lib/samba/sysvol/
>
> Both of those directories, created by provisioning, are members of group 3000000 which I presume is some administrative group (although 'getent group 3000000' on the DC returns nothing, so I'm not sure).
>
> I could have probably just set the group for Users to 3000000, but there are some extended attributes (designated by the '+' sign), so I cloned sysvol to Users:
>
> # rmdir /redirectedFolders/Users/
> # cp -rp /var/lib/samba/sysvol/ /redirectedFolders/
> # cd /redirectedFolders/
> # mv sysvol/ Users
> # cd Users/
> # rm -r hprs.locl/
> # cd ..
> # ls -l
> drwxrwx---+ 2 root 3000000 4096 2023-12-17 00:13 Users/
>
> Voila! Same permission, complete with extended attributes.

That's not the recommended way to add Extended ACL permissions to a users' share. You have copied the extended ACLs from the sysvol share to the users share and these will not be the correct permissions.

For the Users share where the users' home folder eg Documents etc are redirected, the permissions required are as follows:

File system permissions on the root of the users share:

Principal : Access : Applies to
===================
CREATOR OWNER : Full control : Subfolders and files only
Domain Admins : Full control : This folder, subfolders and files
Authenticated Users : Traverse Folder/Execute file, List folder/read data, Read Attributes, Create folders/append data : This folder only
SYSTEM : Full Control : This folder, subfolders and files

These should be set using the procedure described here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Hope that helps,

Spindles7
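As an added example (not from this thread or from the Samba project), a small Python check that parses the SDDL form of a share root's NT ACL, as printed by tools such as `samba-tool ntacl get <path> --as-sddl`, and compares it against the four-row table above: it flags a missing CREATOR OWNER entry, an Authenticated Users entry that inherits downward instead of applying to "this folder only", and any deny entries. The domain SID and both SDDL strings are constructed placeholders; the second string is shaped like a sysvol-style ACL to show what a cloned root looks like under this check.

```python
import re

# Rights bits from the Windows ACCESS_MASK; the names match the rows of the table above.
FILE_READ_DATA, FILE_APPEND_DATA, FILE_EXECUTE, FILE_READ_ATTRIBUTES = 0x1, 0x4, 0x20, 0x80
FULL_CONTROL = 0x1F01FF
RIGHTS_ALIASES = {"FA": FULL_CONTROL, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
WELL_KNOWN = {"CO": "S-1-3-0", "SY": "S-1-5-18", "AU": "S-1-5-11"}

# Expected table for the root of the redirected Users share: principal -> (rights, "applies to" flags).
# OI/CI = object/container inherit; IO = inherit only ("subfolders and files only"); no flags = this folder only.
EXPECTED = {
    "CREATOR OWNER": (FULL_CONTROL, {"OI", "CI", "IO"}),
    "Domain Admins": (FULL_CONTROL, {"OI", "CI"}),
    "Authenticated Users": (FILE_EXECUTE | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_APPEND_DATA, set()),
    "SYSTEM": (FULL_CONTROL, {"OI", "CI"}),
}

def parse_dacl(sddl, domain_sid):
    """Return [(ace_type, flags, rights, sid)] for every ACE in the D: part of an SDDL string."""
    aces = []
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flag_str, rights_str, _, _, sid = ace.split(";")
        flags = {flag_str[i:i + 2] for i in range(0, len(flag_str), 2)}
        # Only hex masks and the four common aliases are decoded; anything else counts as no rights.
        rights = int(rights_str, 16) if rights_str.startswith("0x") else RIGHTS_ALIASES.get(rights_str, 0)
        sid = {"DA": f"{domain_sid}-512", **WELL_KNOWN}.get(sid, sid)  # DA = Domain Admins (RID 512)
        aces.append((ace_type, flags, rights, sid))
    return aces

def check_users_share_root(sddl, domain_sid):
    """Compare the DACL against EXPECTED; return a list of problems (empty means it matches)."""
    sids = {"CREATOR OWNER": "S-1-3-0", "Domain Admins": f"{domain_sid}-512",
            "Authenticated Users": "S-1-5-11", "SYSTEM": "S-1-5-18"}
    aces = parse_dacl(sddl, domain_sid)
    problems = [f"deny ACE for {sid}" for ace_type, _, _, sid in aces if ace_type == "D"]
    for name, (want_rights, want_flags) in EXPECTED.items():
        allow = [a for a in aces if a[0] == "A" and a[3] == sids[name]]
        if not allow:
            problems.append(f"{name}: no allow ACE")
            continue
        _, flags, rights, _ = allow[0]
        if (rights & want_rights) != want_rights:
            problems.append(f"{name}: missing rights")
        if (flags & {"OI", "CI", "IO"}) != want_flags:
            problems.append(f"{name}: wrong 'applies to' flags {sorted(flags)}")
    return problems

# Constructed samples (not from the thread): a correct root ACL, and a sysvol-style one like the clone.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # placeholder domain SID
GOOD_SDDL = ("O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;FA;;;" + DOMAIN_SID + "-512)"
             "(A;;0xa5;;;AU)(A;OICI;FA;;;SY)")
SYSVOL_LIKE_SDDL = "O:LAG:BAD:P(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;0x1200a9;;;AU)"

if __name__ == "__main__":
    for label, s in (("good", GOOD_SDDL), ("sysvol clone", SYSVOL_LIKE_SDDL)):
        print(label, check_users_share_root(s, DOMAIN_SID) or "matches the expected table")
```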
Mark Foley
2023-Dec-17 16:50 UTC
[Samba] Samba share not quite working on Domain Controller
On Sun Dec 17 05:39:45 2023 spindles seven via samba <samba at lists.samba.org> wrote:
> On December 17, 2023 6:23 AM Mark Foley wrote:
> > On Sat Dec 16 15:49:27 2023 Mark Foley via samba <samba at lists.samba.org> wrote:
> > [deleted]
> > I got this fixed! Nothing like a little lotus-position meditation and navel-contemplation to gain enlightenment.
> >
> > Since sysvol and netlogin folders didn't crash when I selected their Properties > Security, I reasoned there must be something about permissions or ownership afoot. Sure enough:
> >
> > # ls -ld /var/lib/samba/sysvol/
> > drwxrwx---+ 3 root 3000000 4096 2023-11-29 21:16 /var/lib/samba/sysvol/
> >
> > Both of those directories, created by provisioning, are members of group 3000000 which I presume is some administrative group (although 'getent group 3000000' on the DC returns nothing, so I'm not sure).
> >
> > I could have probably just set the group for Users to 3000000, but there are some extended attributes (designated by the '+' sign), so I cloned sysvol to Users:
> >
> > # rmdir /redirectedFolders/Users/
> > # cp -rp /var/lib/samba/sysvol/ /redirectedFolders/
> > # cd /redirectedFolders/
> > # mv sysvol/ Users
> > # cd Users/
> > # rm -r hprs.locl/
> > # cd ..
> > # ls -l
> > drwxrwx---+ 2 root 3000000 4096 2023-12-17 00:13 Users/
> >
> > Voila! Same permission, complete with extended attributes.
>
> That's not the recommended way to add Extended ACL permissions to a users' share. You have copied the extended ACLs from the sysvol share to the users share and these will not be the correct permissions.
>
> For the Users share where the users' home folder eg Documents etc are redirected, the permissions required are as follows:
>
> File system permissions on the root of the users share:
>
> Principal : Access : Applies to
> ===================
> CREATOR OWNER : Full control : Subfolders and files only
> Domain Admins : Full control : This folder, subfolders and files
> Authenticated Users : Traverse Folder/Execute file, List folder/read data, Read Attributes, Create folders/append data : This folder only
> SYSTEM : Full Control : This folder, subfolders and files
>
> These should be set using the procedure described here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Hope that helps,
>
> Spindles7

Spindles7,

Thanks. My cloning the permissions from sysvol was temporary ... just in case, and to verify I could open Users > Properties > Security. I did set the actual Security to what you have listed using notes from my previous DC setup. I didn't put those steps into my post; as I mentioned, the story wasn't finished with that message.

The wiki https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs talks about Shares generally, but doesn't specifically mention 'Redirected Folders'. Maybe that wiki is sufficient; I didn't examine it in detail.

One thing I'm wondering about: that wiki has instructions to "Enable Extended ACL Support on a Unix domain member" as follows:

"Ideally you have a system that supports NFS4 ACLs. The following example is for systems like Linux, where you don't have those kind of ACLs. To configure shares using extended access control lists (ACL) on a Unix domain member, you must enable the support in the smb.conf file. To enable extended ACL support globally, add the following settings to the [global] section of your smb.conf file:"

I do have a "system that supports NFS4 ACLs" so I suppose that means I don't have to add the listed settings to smb.conf? The instructions say, "To configure shares using ... (ACL) on a Unix domain member, you must enable the support in the smb.conf file." I'm assuming that "MUST" admonition applies only if you don't have a system that supports NFS4 ACLs (but could the Linux system even work at all without this support?). Also, if one were to add these lines to smb.conf, would that be to the domain member, domain controller, both? My guess would be to the domain member only.

Thanks --Mark