Displaying 20 results from an estimated 33 matches for "msa2040".
2018 Sep 07
2
"missing security tab" and related ACL issues
...Windows ... for local C: yes, not on samba shares
Yes, I followed
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
and have the vfs module enabled etc
-
Now I consider that the kernel doesn't have the necessary flags set.
I get
# getfattr -n security.NTACL -d /mnt/MSA2040/smb/IT
/mnt/MSA2040/smb/IT: security.NTACL: Operation not supported
but
# getfacl /mnt/MSA2040/smb/IT
getfacl: Removing leading '/' from absolute path names
# file: mnt/MSA2040/smb/IT
# owner: ittner
# group: domänen-benutzer
user::rwx
group::rwx
other::r-x
-
From the old kernel config...
2019 Jan 03
2
Windows ACLs on share
...ith help from Rowland
[global]
unix charset = iso8859-15
security = ads
realm = somecompany.INTRA
workgroup = somecompany
netbios aliases = u1somecompany
server string = U1somecompany
winbind cache time = 10
winbind use default domain = yes
winbind refresh tickets = Yes
template homedir = /mnt/MSA2040/smb/Homes/%D/%U
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
invalid users = root bin daemon adm sync shutdown halt mail news \
uucp
obey pam restrictions = yes
interfaces = 192.168.100.4/24 127.0.0.1
bind interfaces only = Yes
idmap config * : range = 3000...
2018 Sep 07
2
"missing security tab" and related ACL issues
...ba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> and have the vfs module enabled etc
>>
>> -
>>
>> Now I consider that the kernel doesn't have the necessary flags set.
>>
>> I get
>>
>> # getfattr -n security.NTACL -d /mnt/MSA2040/smb/IT
>> /mnt/MSA2040/smb/IT: security.NTACL: Operation not supported
>>
>> but
>>
>> # getfacl /mnt/MSA2040/smb/IT
>> getfacl: Removing leading '/' from absolute path names
>> # file: mnt/MSA2040/smb/IT
>> # owner: ittner
>> # group: d...
2019 Jan 03
3
Windows ACLs on share
...>> observation, maybe important:
>
> Oh, it's more than important, guess where the Windows ACLs are stored
> ;-)
hmm ... ? ;)
>> (share "projekte" works fine, share "QM" not)
>
> are they both using the same filesystem, ownership etc ?
Yes.
# MSA2040_SAMBA_storage
/dev/sdc1 /mnt/MSA2040 ext4 noatime 0 1
both shares are subdirs of /mnt/MSA2040/smb
drwxrwxrwx+ 32 root qm 4096 3. Jän 11:48 Projekte
drwxr-x--- 47 root domänen-benutzer 4096 3. Jän 14:43 QM
That mismatch of owner group comes from my desperate fiddli...
2019 Jan 03
0
Windows ACLs on share
...> security = ads
> realm = somecompany.INTRA
> workgroup = somecompany
>
> netbios aliases = u1somecompany
> server string = U1somecompany
>
> winbind cache time = 10
> winbind use default domain = yes
> winbind refresh tickets = Yes
>
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
>
> restrict anonymous = 2
> domain master = no
> local master = no
> preferred master = no
> invalid users = root bin daemon adm sync shutdown halt mail news \
> uucp
> obey pam restrictions = yes
>
> interfaces = 192.168.100.4/24 127.0.0.1
> bi...
2018 Sep 07
0
"missing security tab" and related ACL issues
...ollowed
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> and have the vfs module enabled etc
>
> -
>
> Now I consider that the kernel doesn't have the necessary flags set.
>
> I get
>
> # getfattr -n security.NTACL -d /mnt/MSA2040/smb/IT
> /mnt/MSA2040/smb/IT: security.NTACL: Operation not supported
>
> but
>
> # getfacl /mnt/MSA2040/smb/IT
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/MSA2040/smb/IT
> # owner: ittner
> # group: domänen-benutzer
> user::rwx
>...
2019 Jan 03
2
Windows ACLs on share
We are in the process of switching over shares from the old way of doing
this to Windows ACLs:
disable "valid users" "write list" etc
and set ACLs via Windows Explorer ...
And I struggle.
I am asking for a way to "start ACLs from scratch".
I ran "setfacl -b -R" on the dir on the samba server and did a "chown -R
root:10513" to hand it to
2018 Sep 07
0
"missing security tab" and related ACL issues
...>
> >> and have the vfs module enabled etc
> >>
> >> -
> >>
> >> Now I consider that the kernel doesn't have the necessary flags
> >> set.
> >>
> >> I get
> >>
> >> # getfattr -n security.NTACL -d /mnt/MSA2040/smb/IT
> >> /mnt/MSA2040/smb/IT: security.NTACL: Operation not supported
> >>
> >> but
> >>
> >> # getfacl /mnt/MSA2040/smb/IT
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: mnt/MSA2040/smb/IT
> >...
2023 Feb 10
3
access "claim types"
...17.3 on Debian 11.6
[global]
unix charset = iso8859-15
security = ads
realm = COMP.INTRA
workgroup = COMP
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind cache time = 10
winbind use default domain = yes
winbind refresh tickets = Yes
template homedir = /mnt/MSA2040/smb/Homes/%D/%U
domain master = no
local master = no
preferred master = no
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config NORAS : range = 10000-20000
idmap config NORAS : backend = rid
# user Administrator workaround, without it you are unable to set privileges
us...
2019 Nov 26
2
moved DM config to new server : gids different etc
Am 26.11.19 um 17:37 schrieb Rowland penny via samba:
> How about 'getent group Domain\ Users' ?
no result = empty reply
The "admin" there is able to access stuff and reset his ACLs already.
So ... things work so far. thanks.
I will consider the config Louis suggested ... but not now
(my reply was rejected by some samba-ml-SMTP-server ... another problem)
2019 Jan 03
0
Windows ACLs on share
...s more than important, guess where the Windows ACLs are
> > stored ;-)
>
> hmm ... ? ;)
>
> >> (share "projekte" works fine, share "QM" not)
> >
> > are they both using the same filesystem, ownership etc ?
>
> Yes.
>
>
> # MSA2040_SAMBA_storage
> /dev/sdc1 /mnt/MSA2040 ext4
> noatime 0 1
>
>
> both shares are subdirs of /mnt/MSA2040/smb
>
> drwxrwxrwx+ 32 root qm 4096 3. Jän 11:48 Projekte
>
>
> drwxr-x--- 47 root domänen-benutzer 4096 3. Jän 14:43 QM
>
>...
2023 Feb 13
1
access "claim types"
...ust a normal, unprivileged user e.g. my example Unix Administrator had
the ID 10500.
>
> So I assumed the chown should be "chown -R root:10512 mytestshare" ?
Exactly, the Unix admin user is 'root'.
>
> All the samba shares on this server are located in "/mnt/MSA2040/smb",
> this dir belongs to "0 0" now according to "ls -n".
>
> I see some mapping in the conf:
>
> # grep mapp smb.conf
> username map = /etc/samba/samba_usermapping
>
> # cat samba_usermapping
> !root = DOMAIN\Administrator DOMAIN\administra...
2023 Feb 13
1
access "claim types"
...x machine, which is to be expected.
I am a bit confused right now (maybe always): you told me "Administrator
shouldn't own anything on Unix"
So I assumed the chown should be "chown -R root:10512 mytestshare" ?
All the samba shares on this server are located in "/mnt/MSA2040/smb",
this dir belongs to "0 0" now according to "ls -n".
I see some mapping in the conf:
# grep mapp smb.conf
username map = /etc/samba/samba_usermapping
# cat samba_usermapping
!root = DOMAIN\Administrator DOMAIN\administrator
I can't remember if I added this and...
2018 Sep 11
2
"missing security tab" and related ACL issues
...s"
why that?
-
# smb.conf
[global]
unix charset = iso8859-15
security = ads
realm = MYDOMAIN.INTRA
workgroup = MYDOMAIN
netbios aliases = u1MYDOMAIN
server string = U1MYDOMAIN
winbind cache time = 10
winbind use default domain = yes
winbind refresh tickets = Yes
template homedir = /mnt/MSA2040/smb/Homes/%D/%U
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
invalid users = root bin daemon adm sync shutdown halt mail news \
uucp
obey pam restrictions = yes
interfaces = 192.168.100.4/24 127.0.0.1
bind interfaces only = Yes
idmap config * : range = 3000...
2020 Feb 24
3
Windows ACLs : problems
...erver, Samba version 4.10.11-Debian
[global]
dedicated keytab file = /etc/krb5.keytab
domain master = No
kerberos method = secrets and keytab
load printers = No
local master = No
preferred master = No
printcap name = /dev/null
realm = customer.INTRA
security = ADS
template homedir = /mnt/MSA2040/smb/Homes/%D/%U
unix charset = iso8859-15
unix extensions = No
username map = /etc/samba/samba_usermapping
winbind cache time = 10
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = customer
full_audit:priority = notice
full_audit:facility = local5
full_audit:succe...
2018 May 30
2
DM 3.6.25 -> 4.x
...f was created.
Try this smb.conf:
[global]
unix charset = iso8859-15
security = ads
realm = CUSTOMER.INTRA
workgroup = CUSTOMER
netbios aliases = samba
server string = U1CUSTOMER
winbind cache time = 10
winbind use default domain = yes
template homedir = /mnt/MSA2040/smb/Homes/%D/%U
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
invalid users = root bin daemon adm sync shutdown halt mail news \
uucp
obey pam restrictions = yes
interfaces = 192.168.100.4/24
bind interfaces only = Yes
idmap...
2018 May 30
3
DM 3.6.25 -> 4.x
...ig SECRETCUSTOMER : range = 10000-20000
# depending on the samba version. You might need these.
#idmap config SECRETCUSTOMER : unix_nss_info = yes
#idmap config SECRETCUSTOMER : unix_primary_group = yes
winbind use default domain = yes
winbind nss info = template
template homedir = /mnt/MSA2040/smb/Homes/%D/%U
template shell = /bin/false
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
unix extensions = no
follow symlinks= yes
wide links= yes
unix charset = iso8859-15
force unknown acl user = Yes
load printers = no
printcap name = /dev/null
disable s...
2018 May 30
2
DM 3.6.25 -> 4.x
On Wed, 30 May 2018 15:26:37 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> Am 2018-05-30 um 15:01 schrieb Rowland Penny via samba:
>
> > There are three main winbind backends, but only two are really used
> > on Unix domain members, the 'ad' and the 'rid' backends. Which you
> > use is really down to a simple
2018 May 30
2
DM 3.6.25 -> 4.x
...se the 'ad' backend
> > #idmap config SECRETCUSTOMER : unix_nss_info = yes
> > #idmap config SECRETCUSTOMER : unix_primary_group = yes
> >
> > winbind use default domain = yes
> >
> > winbind nss info = template
> > template homedir = /mnt/MSA2040/smb/Homes/%D/%U
> > template shell = /bin/false
Two out of the three lines above are defaults
> >
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> > unix extensions = no
> > follow symlinks= yes
>...
2018 May 30
0
DM 3.6.25 -> 4.x
...nix charset = iso8859-15
>
> security = ads
> realm = CUSTOMER.INTRA
> workgroup = CUSTOMER
> netbios aliases = samba
> server string = U1CUSTOMER
>
> winbind cache time = 10
> winbind use default domain = yes
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
>
> restrict anonymous = 2
> domain master = no
> local master = no
> preferred master = no
> invalid users = root bin daemon adm sync shutdown halt mail news \
> uucp
> obey pam restrictions = yes
>
> interfaces = 192.168....