Discussion:
[Samba] problem with sessions
Tony Peña via samba
2017-03-01 12:30:01 UTC
Hi, I have a PDC with Samba 4.5.1 with an LDAP backend for authentication.

The users can log in to the domain and everything's fine. After some days,
the resources of the network, in this case the shared directories, can't be
accessed by anyone, even the directories common to everyone.

I found this message with the same problem:

https://lists.samba.org/archive/samba/2014-March/179632.html

and I applied it to samba.conf and krb5.conf, but I am still losing sessions
with samba-pdc. I applied the configs on Sunday, but today, after 2 days, the
problem persists.

I restarted the services again and logged out & logged in again, and I can
access the shares on the server.

Are there some parameters to avoid this issue?

Is there some communication with Kerberos that Windows 7 can't renegotiate,
so that the session expires?

I can note that the Windows users are standard users; they aren't
administrators on the local machine, if that helps.

This problem is shocking, having to restart the PC and the service to access
the directories shared by the DC again.

Thanks so much.


Tony
--
perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'

Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
<https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
Fingerprint: 74E6 2974 B090 366D CE71 7BB2 6476 FA09 8B02 1001
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny via samba
2017-03-01 12:50:01 UTC
On Wed, 1 Mar 2017 13:25:56 +0100
Post by Tony Peña via samba
> Hi, I have a PDC with Samba 4.5.1 with an LDAP backend for authentication
Is it a PDC or an AD DC ?
Post by Tony Peña via samba
> The users can log in to the domain and everything's fine; after some
> days, the resources of the network, in this case the shared
> directories, can't be accessed by anyone, even the directories common
> to everyone.
> I found this message with the same problem
> https://lists.samba.org/archive/samba/2014-March/179632.html
That refers to an AD DC, a PDC is something entirely different.
Post by Tony Peña via samba
> and I applied it to samba.conf and krb5.conf but I am still losing
> sessions with samba-pdc. I applied the configs on Sunday, but today,
> after 2 days, the problem persists.
I think you need to show us your smb.conf and /etc/krb5.conf (if the
latter exists, which it won't do if it is a PDC)

Rowland
Rowland Penny via samba
2017-03-01 16:00:04 UTC
On Wed, 1 Mar 2017 16:24:36 +0100
> Hi, thanks for answering quickly.
> Yes, it is an AD PDC; I referred to a PDC thinking it would be the same,
> now I see it isn't. Anyway, this is the smb.conf and krb5.conf
I suggest you change your smb.conf to:

[global]
workgroup = sambadc
realm = SAMBADC.LCL
netbios name = samba-dc
server string = SAMBA DC
server role = active directory domain controller
server services = -dns
ldap server require strong auth = no
idmap_ldb:use rfc2307 = yes

interfaces = lo,ens160
bind interfaces only = yes

log level = 3
log file = /var/log/samba/samba.log
max log size = 100000

include = /etc/samba/shares.conf

[netlogon]
path = /var/lib/samba/sysvol/sambadc.lcl/scripts
read only = no

[sysvol]
path = /var/lib/samba/sysvol
read only = no

and change /etc/krb5.conf to:

[libdefaults]
default_realm = SERVERDC.LCL
dns_lookup_kdc = true
dns_lookup_realm = false


I noticed you have this in smb.conf:

include = /etc/samba/shares.conf

What is in there ?

You also seem to be using Bind9 instead of the internal DNS server, how
have you set this up ?

what is in /etc/hosts and /etc/resolv.conf ?

Rowland
Rowland Penny via samba
2017-03-01 17:40:01 UTC
On Wed, 1 Mar 2017 17:48:47 +0100
> server role = dc
> server role = active directory domain controller
> Am I correct?
Nearly, but you should only have one 'server role' line and the second
line is the correct one.
> ----
> The included shares.conf holds all the share directories... I have 47 shares...
> so I'll just paste 1 here as an example; the rest are the same, just
> changing the path
> [library]
> comment = Library in common
> path = /home/samba/shares/Library
> browseable = Yes
> read only = No
> force create mode = 0660
> force directory mode = 0660
> vfs objects = acl_xattr full_audit
> full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
I take it you haven't read this wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server

You cannot use POSIX ACLs on a Samba AD DC, so your share should be
something like this:

[library]
comment = Library in common
path = /home/samba/shares/Library
read only = No
vfs objects = full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

You also had 'browseable = yes', this is the default setting, but it has
no effect on a DC, there is no browsing on a Samba AD DC.

Once you have changed the share, you will need to read this wiki page:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> the filesystem is with ACLs,
> the filesystem on those are: user : group : others
> drwxrwx---+ 9 SERVERDC\administrator adm 4,0K mar 1 14:26 Library
You will probably need to change this to root:domain admins

Talking of which, I hope you haven't given Administrator a uidNumber.
> on resolv.conf
> nameserver 127.0.0.1
> nameserver 8.8.8.8
> nameserver 8.8.4.4
> search serverdc.lcl
You should remove the google nameservers, they should be set as
forwarders in your bind9 conf files.
> the bind is ok,
I didn't ask if it was 'ok', I asked how you have set it up, I think
you need to post your bind9 conf files.
> I register a PC into the domain and it's added into LDAP,
> so I can ping NAME_OF_PC and it pings normally, and I can see it using
> pdbedit. This is something I somehow can't understand...
> normally I use OpenLDAP, but in this case it is Samba (simulating LDAP)?
> because I see Samba running a process so that I can see the whole
> directory from my LDAP client
Yes, Samba 4 running as an AD DC does use its own ldap and the DNS info
is stored in AD, but you need to use 'samba_dlz' to connect to it. You
also need to set up bind9 correctly.

Rowland
Marc Muehlfeld via samba
2017-03-01 19:30:02 UTC
Post by Rowland Penny via samba
> You also had 'browseable = yes', this is the default setting, but it has
> no effect on a DC, there is no browsing on a Samba AD DC.
You accidentally mixed network browsing with browsing the list of shares
on a host.

The "browseable" parameter controls if a share is visible or not when
you e.g. enter \\hostname\ and it also works on Samba AD DCs. See:
[image not preserved]

Network browsing (network neighbourhood) is currently not implemented in
Samba AD DCs. The nmbd service is responsible for this job.


Regards,
Marc
Tony Peña via samba
2017-03-02 11:50:02 UTC
Hi again.

The users usually work this way: browsing the network to find the serverdc
using \\serverdc in File Explorer, and after that they choose the correct
share and work inside it with the files they need.

Some have set that share as a mapped drive with letter Z or Y, but they
normally work this way daily.

So, I can't set browseable = No because the users need to see the shares
on the server, or else they go crazy.

OK, I restarted samba-ad-dc with these settings:

***@server-dc:/etc/samba# cat smb.conf
[global]
workgroup = serverdc
realm = SERVERDC.LCL
netbios name = server-dc
server string = Server DC
server role = active directory domain controller
server services = -dns
server signing = auto
ldap server require strong auth = no
idmap_ldb:use rfc2307 = yes

winbind enum users = yes
winbind enum groups = yes

interfaces = lo,ens160
bind interfaces only = yes

map to guest = Bad User

log level = 3
log file = /var/log/samba/samba.log
max log size = 100000


include = /etc/samba/shares.conf

[netlogon]
path = /var/lib/samba/sysvol/serverdc.lcl/scripts
browseable = no
read only = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = no

--------

shares.conf

47 shares like

[FooBar]
comment = FooBar
path = /home/samba/shares/foobar
# users need to browse the network because they have worked this way for many years.
browseable = Yes
read only = No
force create mode = 0660
force directory mode = 0660
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

-----

resolv.conf

nameserver 127.0.0.1
search serverdc.lcl

-----

krb5.conf

[libdefaults]
default_realm = SERVERDC.LCL
dns_lookup_kdc = true
dns_lookup_realm = false


-------

all bind files

***@server-dc:/etc/samba# cat /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/keys";

// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
type master;
file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";

--------
named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
type master;
file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};

-------------------------------
named.conf.local

// Generated by Zentyal

acl "trusted" {
localhost;
localnets;
};

acl "internal-local-nets" {
192.168.100.0/22;
};

dlz "AD DNS Zone" {
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

};



zone "100.168.192.in-addr.arpa" {
type master;
file "/var/lib/bind/db.100.168.192";
update-policy {
// The only allowed dynamic updates are PTR records
grant serverdc.lcl. subdomain 100.168.192.in-addr.arpa. PTR TXT;
// Grant from localhost
grant local-ddns zonesub any;
};
};

zone "0.168.192.in-addr.arpa" {
type master;
file "/var/lib/bind/db.0.168.192";
update-policy {
// The only allowed dynamic updates are PTR records
grant serverdc.lcl. subdomain 0.168.192.in-addr.arpa. PTR TXT;
// Grant from localhost
grant local-ddns zonesub any;
};
};

zone "10.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};


----------
named.conf.options

options {
sortlist {
{ 192.168.100.0/22 ;{ 192.168.100.0/22 ; };};
};
directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.

//query-source address * port 53;
//transfer-source * port 53;
//notify-source * port 53;


tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

auth-nxdomain no; # conform to RFC1035

allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
allow-transfer { internal-local-nets; };
};

logging { category lame-servers { null; }; };

------------
After changing smb.conf and krb5.conf per the suggestions,
I can log out and log in to the domain on the client PC, and
can browse \\server-dc and use Library OK, but not FooBar (which is fine
for the users logged in) because the ACLs work with the filesystem, and
that is OK....

But my problem from the beginning.... how can I know whether I won't lose
access to (e.g. the Library share) after 2/3 days?

Is there some tool/command to show whether the share access has a time
expiry? Or are these settings OK and it won't happen again?

Because that is my big problem! The ACLs of the shares are working OK. It's
just that I don't know why, after some days, access is lost and I need to
restart services and log out & log in again :(
Rowland Penny via samba
2017-03-02 13:20:02 UTC
On Thu, 2 Mar 2017 12:40:46 +0100
Post by Tony Peña via samba
> so, I can't set browseable = No because the users need to see the
> shares on the server, else they go crazy
I never said to set it to 'no', I pointed out that what you had is the
default and as such, it doesn't need to be set.
Post by Tony Peña via samba
> OK, I restarted samba-ad-dc with these settings
> shares.conf
> 47 shares like
> [FooBar]
> comment = FooBar
> path = /home/samba/shares/foobar
> browseable = Yes # users need to browse the network because
> they have worked this way for many years.
'YES' is the default so you don't need it
Post by Tony Peña via samba
> read only = No
> force create mode = 0660
> force directory mode = 0660
This doesn't work on a DC, read the wiki pages I pointed you to!
Post by Tony Peña via samba
> vfs objects = acl_xattr full_audit
'acl_xattr' is built into Samba when running as a DC, so it shouldn't be
set here.
Post by Tony Peña via samba
> all bind files
OK, these are my bind conf files and I have been using them for the
last 5 years without problems ;-)

/etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.options

options {
directory "/var/cache/bind";
version "0.0.7";
notify no;
empty-zones-enable no;
allow-query { 127.0.0.1; 192.168.0.0/24; };
allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
forwarders { 8.8.8.8; };
allow-transfer { none; };
dnssec-validation no;
dnssec-enable no;

listen-on-v6 { none; };
listen-on port 53 { 192.168.0.2; 127.0.0.1; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

/etc/bind/named.conf.local

include "/usr/local/samba/private/named.conf";

/etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
type master;
file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
Post by Tony Peña via samba
> ------------
> After changing smb.conf and krb5.conf per the suggestions,
> I can log out and log in to the domain on the client PC, and
> can browse \\server-dc and use Library OK, but not FooBar (which is
> fine for the users logged in) because the ACLs work with the
> filesystem, and that is OK....
You are trying to use the OS permissions on a Samba AD DC, this is NOT
supported.
Post by Tony Peña via samba
> But my problem from the beginning.... how can I know whether I won't lose
> access to (e.g. the Library share) after 2/3 days?
I think your problem is down to your DNS setup, it seems to be using
flatfiles and this is NOT supported by Samba.

Rowland
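
The share settings objected to in the replies above (a second 'server role' line, 'acl_xattr' listed in 'vfs objects', the 'force ... mode' lines, an explicit 'browseable = yes') can be checked mechanically. This is an added example, not code from the thread or from the Samba project; the function names and the sample text are hypothetical, and it assumes the file being checked belongs to an AD DC.

```python
import re

# Assumption of this example: the text being checked belongs to a Samba AD DC.
FORCE_MODES = {"forcecreatemode": "force create mode",
               "forcedirectorymode": "force directory mode"}
TRUE_VALUES = {"yes", "true", "1"}


def norm(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return [(section, [(param, value), ...])], keeping duplicate params."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            sections.append((header.group(1).strip().lower(), []))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1].append((norm(key), value.strip()))
    return sections


def lint_dc_conf(text):
    """Return (section, message) pairs for the settings objected to in the thread."""
    findings = []
    for name, params in parse_smb_conf(text):
        if name == "global":
            if [k for k, _ in params].count("serverrole") > 1:
                findings.append((name, "more than one 'server role' line"))
            continue
        for key, value in params:
            if key == "vfsobjects" and "acl_xattr" in value.split():
                findings.append((name, "acl_xattr is built in on a DC; drop it from 'vfs objects'"))
            elif key in FORCE_MODES:
                findings.append((name, f"'{FORCE_MODES[key]}' does not work on a DC"))
            elif key in ("browseable", "browsable") and value.lower() in TRUE_VALUES:
                findings.append((name, "'browseable = yes' is the default; line not needed"))
    return findings


# Constructed sample, assembled from the settings quoted in the thread.
POSTED = """\
[global]
    server role = dc
    server role = active directory domain controller
[library]
    path = /home/samba/shares/Library
    browseable = Yes
    read only = No
    force create mode = 0660
    force directory mode = 0660
    vfs objects = acl_xattr full_audit
"""

# Constructed sample: the same share after the changes suggested in the replies.
SUGGESTED = """\
[global]
    server role = active directory domain controller
[library]
    path = /home/samba/shares/Library
    read only = No
    vfs objects = full_audit
"""

if __name__ == "__main__":
    for section, message in lint_dc_conf(POSTED):
        print(f"[{section}] {message}")
```
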
Rowland Penny via samba
2017-03-02 18:50:02 UTC
On Thu, 2 Mar 2017 18:48:47 +0100
> Hi Rowland,
> OK, I fixed the other lines above, but..
> what does "I think your problem is down to your DNS setup, it seems
> to be using flatfiles and this is NOT supported by Samba." mean?
OK, you have things like this in your bind conf files:

zone "0.168.192.in-addr.arpa" {
type master;
file "/var/lib/bind/db.0.168.192";
update-policy {
// The only allowed dynamic updates are PTR records
grant serverdc.lcl. subdomain 0.168.192.in-addr.arpa. PTR TXT;
// Grant from localhost
grant local-ddns zonesub any;
};
};

This is a 'flatfile'

If this is a reverse zone for the DC domain, it should be in AD and you
don't update it as you are trying to do.

If it isn't a reverse zone, then it shouldn't be in your bind conf
files.

If I run 'samba-tool dns zonelist 127.0.0.1' on the DC, I get this:

samba-tool dns zonelist 127.0.0.1 -Uadministrator
Password for [SAMDOM\administrator]:
3 zone(s) found

pszZoneName : 0.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.samdom.example.com

pszZoneName : samdom.example.com
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.samdom.example.com

pszZoneName : _msdcs.samdom.example.com
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.samdom.example.com

The reverse zone, the forward zone and the forest zone.

If you need to add the reverse zone to AD, see 'samba-tool dns
zonecreate --help'

Rowland
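
The comparison described in the message above, finding dynamically updated zones that BIND serves from a zone file and checking them against the DS-integrated zones that 'samba-tool dns zonelist' reports, can be scripted. This is an added example, not code from the thread or from Samba; the function names are hypothetical, and the sample combines zone stanzas and zonelist lines posted by two different people purely as constructed test data.

```python
import re


def strip_comments(text):
    """Drop /* */, // and # comments from BIND configuration text."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def file_zones(named_conf):
    """Return {zone: {"file", "dynamic"}} for master zones served from a file."""
    text, zones = strip_comments(named_conf), {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i - 1]
        path = re.search(r'\bfile\s+"([^"]+)"', body)
        if path and re.search(r"\btype\s+master\b", body):
            dynamic = re.search(r"\b(update-policy|allow-update)\b", body)
            zones[m.group(1).rstrip(".").lower()] = {
                "file": path.group(1), "dynamic": bool(dynamic)}
    return zones


def ad_zones(zonelist_output):
    """Zone names flagged DNS_RPC_ZONE_DSINTEGRATED in 'samba-tool dns zonelist' output."""
    zones, name = set(), None
    for line in zonelist_output.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "pszZoneName":
            name = value.lower()
        elif key == "Flags" and name and "DNS_RPC_ZONE_DSINTEGRATED" in value.split():
            zones.add(name)
    return zones


def flatfile_report(named_conf, zonelist_output):
    """Classify dynamically updated zone files against the zones AD holds."""
    in_ad = ad_zones(zonelist_output)
    return {zone: ("also in AD" if zone in in_ad else "flatfile only")
            for zone, info in file_zones(named_conf).items()
            if info["dynamic"]}  # static stubs (db.empty, db.local) are skipped


# Constructed sample: zone stanzas in the style of the posted named.conf.local,
# and zonelist lines in the style of the output shown in the reply.
NAMED_CONF = """
zone "100.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.100.168.192";
    update-policy {
        // The only allowed dynamic updates are PTR records
        grant serverdc.lcl. subdomain 100.168.192.in-addr.arpa. PTR TXT;
    };
};
zone "0.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.0.168.192";
    update-policy { grant local-ddns zonesub any; };
};
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
"""

ZONELIST = """
pszZoneName : 0.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE

pszZoneName : samdom.example.com
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
"""

if __name__ == "__main__":
    print(flatfile_report(NAMED_CONF, ZONELIST))
```
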
Rowland Penny via samba
2017-03-03 09:20:01 UTC
On Fri, 3 Mar 2017 08:33:24 +0100
> About the reverse zone in the bind files:
> my network is set up as 192.168.100.0/22 and the PTR file for that
> network exists with all client PCs written inside correctly.
> That 0 reverse zone is there because 1 PC outside of this location
> needs to connect to this 192.168.100.0/22 network and must be joined
> to the domain, and that PC uses 192.168.0.50; that's why I have the
> reverse zone "0.168.192.in-addr.arpa" in the file.
> What can I do then?
You have seen my reverse zone, just add the reverse zone to AD.
> When you said: "You are trying to use the OS permissions on a Samba
> AD DC, this NOT supported."
> OK, I can understand that it is not supported, but browsing into the
> shares using the test account, I can access that file because the ACLs
> in the filesystem allow it.
This is what the wiki page says:

Using the Domain Controller as a File Server

The Samba Active Directory (AD) domain controller (DC) is able to provide file shares, just like all other installation modes. However, the Samba team does not recommend using a DC as a file server because the DC smbd process has some limitations compared with the service in non-DC setups. For example, the auto-enabled acl_xattr virtual file system (VFS) object enables you to only configure shares with Windows access control lists (ACL). Running shares with POSIX ACLs on a Samba DC is not supported.

For 'not supported' read, 'this may look like it works, but it will
ultimately come back and bite you!'

I suggest you set the ACLs from a Windows machine, this will actually
give you better control.

Rowland
Rowland Penny via samba
2017-03-13 14:40:04 UTC
On Mon, 13 Mar 2017 14:43:11 +0100
> Hi Rowland,
> Zentyal in this case is installed as an AD DC and in its web interface I
> can create the directories and set the ACLs...
It all depends on just how Zentyal is setting the ACLs: if it is setting
the normal Unix 'UGO' permissions, or if it is setting the permissions in
smb.conf, then this will not work correctly. It may be using
'setfacl', but even this is not the same as setting the file
permissions from Windows.
> If, as said above, it is not recommended... how is it possible that this
> works?
It may be that it just appears to work, until something goes wrong...
> .. Anyway.. I am thinking of leaving only AD here and moving all the
> shares, creating a new server as a fileserver.
> I need to send all the files from the current AD DC to the other one ....
> put the fileserver in as a domain member and read the ACLs from the AD DC?
I think you are suggesting creating a Unix domain member and using this
as a fileserver, this would be a good idea.
> My problem with creating a second server as a fileserver is that I can't
> manage the interface on the second one to create a share; or do I do it
> on the AD DC through the web interface, and the config is replicated to
> the fileserver to create that share. Is that possible?
Creating a share is easy, just follow the information on the Samba
wiki. It is just a case of adding something to smb.conf, then creating the
required directory for the share and finally moving to a Windows
machine and setting the required permissions.
> My problem occurs 1 time a week, very near Wednesday at noon. :(
> My only solution for now is rebooting the server every day at 7.30am,
> before all the clients log in on the client PCs.
This is strange, does something happen every Wednesday ? Is there
anything in the logs ?? Perhaps raising the log level in smb.conf will
throw light on the problem.

Rowland