
Re: [Samba] classicupgrade




Hello,
One question: who is the owner and what are the rights for the dirs

/home
drwxr-xr-x.   5 root root   49  6 nov 16.21 home
/home/samba
drwxr-xr-x. 3 root root  20  6 nov 16.21 samba
/home/samba/sysvol
drwxrwx---+ 4 root root 52  8 nov 12.47 sysvol

because, from a Windows client, as a user in Domain Admins, when I change anything in the Security tab, Explorer always crashes

bye

On 06/11/2018 17:16, L.P.H. van Belle via samba wrote:
Ok, next,

From a Windows PC, connect to the server with Computer Manager, and now set up the share and folder rights, as shown in the link posted ( https://lists.samba.org/archive/samba/2018-February/213690.html )

I'm leaving the office, so a reply will probably come tomorrow.

Greetz,

Louis



-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
Corrado Ravinetto via samba
Sent: Tuesday 6 November 2018 16:57
To: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] classicupgrade

Hello Louis,
I followed your email and I created this file with your link:

[root@dc1 samba.PDC]# cat default-rights-sysvol.acl
# file: /home/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000004:rwx
user:3000000:r-x
user:3000001:rwx
user:3000018:r-x
group::rwx
group:3000004:rwx
group:3000000:r-x
group:3000001:rwx
group:3000018:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000004:rwx
default:user:3000000:r-x
default:user:3000001:rwx
default:user:3000018:r-x
default:group::---
default:group:3000004:rwx
default:group:3000000:r-x
default:group:3000001:rwx
default:group:3000018:r-x
default:mask::rwx
default:other::---


I applied this with setfacl.
I restarted Samba; from Windows, with GPO, when I create a new GPO:
access denied

On 06/11/2018 15:52, L.P.H. van Belle via samba wrote:
Hai,


Ok, I expected slightly different output.
On my DC, I use /home/samba/sysvol and /home/samba/netlogon.
This is what I expected.

getfacl /home/samba/

getfacl: Removing leading '/' from absolute path names
# file: home/samba/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:mask::rwx
default:other::---

Now how am I getting that if I'm sharing: /home/samba/sysvol
I've also shared: /home/samba before the setup.
I've set the above rights first on /home/samba
and then I've set the rights on /home/samba/sysvol

Before you do that:
wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
That generated a file called: default-rights-sysvol.acl
With this as content:
# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

And if you use sysvol/netlogon only for Windows computers,
which you do,
set these (change the path to your setup):
[sysvol]
          path = /home/samba/sysvol
          read only = No
          acl_xattr:ignore system acls = yes

[netlogon]
          path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
          read only = No
          acl_xattr:ignore system acls = yes

It's, in my opinion, the best way to make your sysvol work
without problems.

Greetz,

Louis



-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
Corrado Ravinetto via samba
Sent: Tuesday 6 November 2018 14:35
To: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] classicupgrade

great :-)

On 06/11/2018 14:17, L.P.H. van Belle via samba wrote:
This is a one-time setting.
And yes, for each policy you need to click on these once (in the GPO policy objects in the GPO editor).
ok
Can you post smb.conf
[global]
           netbios name = DC1
           realm = LXCERRUTI.COM
           server role = active directory domain controller
           workgroup = LXCERRUTI
           idmap_ldb:use rfc2307 = yes
           log level = 1

[netlogon]
           path = /usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
           read only = No

[sysvol]
           path = /usr/local/samba/var/locks/sysvol
           read only = No

getfacl PATH_TO_SYSVOL
I'm not sure these are the original, I made many changes ....

# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

getent the_Folder_ONE_below-PATH_TO_SYSVOL

Explorer crashes, 9 out of 10 times, because of a wrong right on the
folder below the point you're sharing.
For example:

getfacl /home
getfacl /home/samba
getfacl /home/samba/share/
getfacl /home/samba/share/data

Can you also post all of these, but replace the example path with
your setup?
My DC is not a file server, there is no home or share on this server,
only netlogon and sysvol

# file: usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---


Greetz,

Louis





-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
Corrado Ravinetto via samba
Sent: Tuesday 6 November 2018 13:44
To: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] classicupgrade

Hello,
I read this post, but when I check the properties tab, Explorer
crashes and I cannot change anything.
My question is: for each new policy, must I change this
default???
Can't I change the create mask in smb.conf for the sysvol share???

Thanks to all

On 06/11/2018 13:22, L.P.H. van Belle via samba wrote:
Hai,

I suggest you start reading here, it explains everything.
https://lists.samba.org/archive/samba/2018-February/213690.html

The script in that thread is not changing anything by default.

I suggest try it and post the output.


Greetz,

Louis




-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
Rowland Penny via samba
Sent: Tuesday 6 November 2018 12:33
To: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] classicupgrade

On Tue, 6 Nov 2018 12:13:31 +0100
Corrado Ravinetto via samba <samba@xxxxxxxxxxxxxxx> wrote:

On 06/11/2018 11:48, Rowland Penny via samba wrote:
No, your GPOs will still work.
ok
but when I created my GPO in sysvol I cannot access
this share
because:

drwxrwx---+ 4 3000002 3000002 48  6 nov 12.03 {CE2EBBA2-28FE-45D7-94EC-CD7357F38D73}

Must I, for each new policy, adjust rights and owner???

mmmmmmmh
'3000002' is coming from idmap.ldb and because '3000002'
isn't a Unix
user, it isn't mapped to a Unix name, it could in fact be a
group, yes,
groups on Windows can own folders & files.

There is a wiki page that might help:

https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups

Further than that, I cannot help, I do not use GPO's, I
don't have any
Windows clients ;-)

Perhaps Louis might care to chime in here.

Rowland

--
To unsubscribe from this list go to the following URL
and read the
instructions: https://lists.samba.org/mailman/options/samba


--

*Corrado Ravinetto *




--

*Corrado Ravinetto *
Sistemi informativi
corrado.ravinetto@xxxxxxxxxxxxxxxxxxxx
<mailto:corrado.ravinetto@xxxxxxxxxxxxxxxxxxxx>
T: +39 015 3591283
Lanificio F.lli CERRUTI
*Lanificio F.lli Cerruti S.p.A. *
Via Cernaia 40, 13900 - Biella (BI) Italy
www.lanificiocerruti.com <http://www.lanificiocerruti.com/>

Twitter <https://twitter.com/Lan_Cerruti> Facebook
<https://www.facebook.com/LanificioCerruti> Instagram
<https://www.instagram.com/lanificiocerruti/>

Rispetta l'ambiente, non stampare questa mail se non necessario
Respect the environment, don't print unless necessary
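
The ACL comparison this thread works through by hand, as an added example that is not part of any poster's message or of the samba-check-set-sysvol.sh script: it parses getfacl-style text, compares it with a reference ACL, and reports drift, world access and numeric IDs that did not resolve to a name. The two ACL texts are constructed, abridged samples, and `parse_acl` and `audit` are hypothetical names.

```python
import re

# Constructed sample, abridged from the sysvol getfacl output quoted in the thread.
ACTUAL = """\
# file: usr/local/samba/var/locks/sysvol
user:3000000:rwx
group:3000001:rwx
other::rwx
default:group:3000001:rwx
default:other::---
"""

# Constructed reference in the style of a default-rights-sysvol.acl file (abridged).
REFERENCE = """\
user:3000000:rwx
group:3000001:rwx
group:3000003:r-x
other::---
default:group:3000001:rwx
default:group:3000003:r-x
default:other::---
"""

ENTRY = re.compile(r"(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})")
def parse_acl(text):
    """Map (scope, tag, qualifier) -> perms for every ACL entry line."""
    acl = {}
    for line in text.splitlines():
        m = ENTRY.fullmatch(line.split("#", 1)[0].strip())  # skip "# file:" headers
        if m:
            acl[("default" if m.group(1) else "access", m.group(2), m.group(3))] = m.group(4)
    return acl

def audit(actual_text, reference_text):
    """Findings: drift from the reference, world access, numeric (unresolved) IDs."""
    actual, ref = parse_acl(actual_text), parse_acl(reference_text)
    findings = []
    for key in sorted(set(actual) | set(ref)):
        have, want, name = actual.get(key), ref.get(key), ":".join(key)
        if have != want:
            findings.append(f"drift {name}: have {have}, want {want}")
        if key[1] == "other" and have not in (None, "---"):
            findings.append(f"world-access {name}={have}")
        if have and key[0] == "access" and key[2].isdigit():
            findings.append(f"unresolved-id {name}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ACTUAL, REFERENCE)))
```

To use it on a real DC, feed it the text of `getfacl` for each path component and the reference .acl file instead of the constructed strings.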

