[Samba] File/dir user permissions on Samba fileserver in DC

Discussion:

(too old to reply)

Dmitry via samba

2017-03-10 13:50:01 UTC

Hi, aLL

Using Samba-4.3.5 as a AD-member - fileserver. It's running in OpenVZ
container (ProxMox VE). Domain is also build on Samba-4.3.5 (another
VM). Fileserver's VM is mounted with acl, user_xattr options, Samba
compiled with ACL support.

There're domain users, for example, "usr1", "usr2". They're in domain
group "dg1".

There's a filepath "/somepath/dir". Access to this directory is granted
according to domain group membership. "usr1" can access "dir", another
users from "dg1" also can access "dir", create files or directories into
it. But none of "dg1" users (except "usr2" and root ofc) can't delete
any files in this folder. Windows clients says "You must have
permissions from usr2 to delete this file/directory". This is wrong.

Like "sticky bit" is set, but there's no it on file objects.

When file objects are created Samba sets next user rights:
===
:~# ls -l /somepath/dir

drwxrwx--- 2 usr2 24 4096 mar 10 11:32 /somepath/dir
===
As we can see there, no SGUD bit on folders are set (and on parent
folder too). Owner of all file objects is "usr2".
===
:~# getfacl /somepath/dir
# file: dir
# owner: usr2
# group: dg1
user::rwx
group::rwx
other::---
===

lsattr /somepath/dir also gives none bits are set.

Even if file object has 0777 rights - this doesn't help at all...

smb.conf:
===
[global]

workgroup = WG
security = ADS
realm = WG.LOCAL

netbios name = FSRV
server role = auto
encrypt passwords = yes
auth methods = winbind

log level = 0 vfs:1

idmap config * : backend = rid
idmap config * : range = 300000-400000
idmap config * : base_rid = 0
idmap config * :schema_mode = rfc2307
idmap_ldb:use rfc2307 = yes

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

max log size = 1000

syslog = 1

passdb backend = tdbsam
obey pam restrictions = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
unix password sync = yes

load printers = no
show add printer wizard = no
disable spoolss = yes
printcap name = /dev/null

os level = 1
case sensitive = no
hide unreadable = yes
#hide unwriteable files = yes
log writeable files on exit = yes

deadtime = 600
ea support = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY..

#======================= Share Definitions =======================
[q]
comment = File share
browseable = yes
path = /somepath
guest ok = no
read only = no
delete readonly = yes
strict sync = yes
sync always = yes

inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
map acl inherit = yes
nt acl support = yes

map system = yes
veto files = /.snap/quota*/*.vmx/autorun.inf/

valid users = +WG\all WG\admin
admin users = +WG\it WG\admin

hide unreadable = yes
vfs objects= acl_xattr

access based share enum = yes
map acl inherit = yes
acl check permissions = yes
map system = yes
===

What I'm doing wrong?

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba

2017-03-10 14:10:01 UTC

Permalink

On Fri, 10 Mar 2017 16:23:18 +0300

Post by Dmitry via samba
Hi, aLL
Using Samba-4.3.5 as a AD-member - fileserver. It's running in OpenVZ
container (ProxMox VE). Domain is also build on Samba-4.3.5 (another
VM). Fileserver's VM is mounted with acl, user_xattr options, Samba
compiled with ACL support.
What I'm doing wrong?

You say your Samba client is an AD-member aka domain member, but you
haven't set up your smb.conf correctly, you also seem to be still
thinking in Samba3 workgroup terms. Can I suggest you go and read the
Samba wiki, start here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba

2017-03-10 15:00:02 UTC

Permalink

On Fri, 10 Mar 2017 17:21:40 +0300

Can you say more concrete what's wrong in my smb.conf?

Post by Rowland Penny via samba
You say your Samba client is an AD-member aka domain member, but you
haven't set up your smb.conf correctly, you also seem to be still
thinking in Samba3 workgroup terms. Can I suggest you go and read
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Rowland

If you read the samba wiki, you would find out, but if it is unclear,
please says so ;-)

But I will give you a hint, this is wrong:

idmap config * : backend = rid
idmap config * : range = 300000-400000
idmap config * : base_rid = 0
idmap config * :schema_mode = rfc2307
idmap_ldb:use rfc2307 = yes

The backend is wrong in the top line
You do not need the third line
The four line is only used with the 'ad' backend
The fifth line is only used on a DC

You do not have the required DOMAIN lines

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba

2017-03-13 10:10:02 UTC

Permalink

On Mon, 13 Mar 2017 12:01:28 +0300

Thank you for pointing me to errors. I've corrected'em (I think), so

Can I ask if you are having problems following the Samba wiki ?
You still do not seem to have set up the smb.conf correctly, if you are
having problems following the wiki, please say so and if possible give
examples. Without feedback, we do not know of any problem areas.

Having got that out of the way, I have gone through your smb.conf and
corrected it by removing default lines. I have also added some comments:

[global]
workgroup = WG
security = ADS
realm = WG.LOCAL

#netbios name = FSRV # see [1] below

log level = 0 vfs:1

#idmap config MDS:backend = ad # see [2] below

idmap config * : backend = tdb
idmap config *:range = 2000-9999
idmap config WG : backend = ad
idmap config WG : range = 10000-999999
idmap config WG : schema_mode = rfc2307 # see [3] below

winbind nss info = rfc2307
winbind use default domain = yes
winbind enum users = yes # see [4] below
winbind enum groups = yes # see [4] below
winbind refresh tickets = yes

max log size = 1000
syslog = 1

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
#unix password sync = yes # NO, no a thousand times NO, see [5] below

load printers = no
show add printer wizard = no
disable spoolss = yes
printcap name = /dev/null

hide unreadable = yes # see [6]
log writeable files on exit = yes
deadtime = 600 # see [7]
ea support = yes # see [8]
#socket options = TCP_NODELAY IPTOS_LOWDELAY # see [9]

#======================= Share Definitions =======================
[q] # see [10]
comment = File share
path = /somepath
read only = no
delete readonly = yes
strict sync = yes
sync always = yes

inherit permissions = Yes
inherit owner = Yes

veto files = /.snap/quota*/*.vmx/autorun.inf/

valid users = +WG\all WG\admin
admin users = +WG\it WG\admin

access based share enum = yes

===

[1] this is not strictly required, provided hostname resolution is
set up correctly and if it isn't, you need to fix this, not Samba

[2] you have set workgroup to 'WG'

[3] this could also be 'template'

[4] you should only set these to for testing purposes

[5] You are using AD and with this, all your users must be stored in
AD, you cannot also store them in /etc/passwd i.e, you cannot have
the user 'fred' in AD and /etc/passwd. The same goes for groups.

[6] Do you really want to do this ? See 'man smb.conf'

[7] 10 hours ?

[8] I have never needed this

[9] You shouldn't set these any more, just rely on the kernel

[10] You will probably be better off using POSIX acls and setting access
rights from Windows

You are using the winbind 'ad' backend, have you given your users a
unique uidNumber attribute and also given Domain Users a gidNumber
attribute ? If you haven't and want to use the 'ad' backend, you will
need to do so.

Any question, please ask.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba

2017-03-14 17:30:02 UTC

Permalink

On Tue, 14 Mar 2017 18:50:54 +0300
Still not really right ;-)

encrypt passwords = yes # you do not need this, it is a default setting
auth methods = winbind # remove this, it is not required

winbind trusted domains only = no # you do not need this,
it is a default setting

passdb backend = tdbsam # you do not need this, it is a default setting
obey pam restrictions = yes # remove this, it is not required

Post by Dmitry via samba
os level = 1
case sensitive = no
hide unreadable = yes
log [q]
comment = File share
browseable = yes
path = /opt/q
guest ok = no
read only = no
delete readonly = yes
strict sync = yes
sync always = yes
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
map acl inherit = yes
nt acl support = yes
map system = yes
veto files = /.snap/quota*/*.vmx/autorun.inf/
hide unreadable = yes
vfs objects= full_audit, recycle, acl_xattr
writeable files on exit = yes
access based share enum = yes
map acl inherit = yes
map system = yes

Words fail me on the above, default lines, duplicate lines, acl_xattr
is a share and in global, the other two 'vfs objects' don't have any of
the other required lines to make them actually work.
Can I suggest you use Windows ACLs (the info howto is on the SAmba
wiki) and remove all that clutter.

Post by Dmitry via samba
===

Post by Rowland Penny via samba
You are using the winbind 'ad' backend, have you given your users a
unique uidNumber attribute and also given Domain Users a gidNumber
attribute ? If you haven't and want to use the 'ad' backend, you
will need to do so.

Using MMC from Win PC in domain, in group properties tab "UNIX
attributes" assigned gid to domain group "all" from range
500000-600000, as in domain, for user srvadmin in same tab add
"primary group name/GID"

Yes, but have you given Domain Users a gidNumber ???

Post by Dmitry via samba
https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC

If you haven't given Domain Users a gidNumber and are using Samba
4.6.x, you can follow the info here:

https://wiki.samba.org/index.php/Idmap_config_ad

Post by Dmitry via samba
wbinfo -u - shows users
wbinfo -p - ping OK
wbinfo -n srvadmin - shows user SID (srvadmin - domain user)
id srvadmin says 'no such user'.

Probably because you haven't given Domain Users a gidNumber, have you
spotted the running theme here yet ?

Post by Dmitry via samba
What additional info is needed? I'll post more and more. Simply I'm
trying not to post too long messages...
Sometimes wiki has too few info about something, or too unclear what
has to be set up or done.

Unless we are told what any possible problems on the wiki are, we
cannot fix them, or you could register and fix them yourself ;-)

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba

2017-03-15 10:20:02 UTC

Permalink

OK, use this smb.conf. DO NOT CHANGE ANYTHING, DO NOT ADD ANYTHING.

This is based on what you have posted.
If WG isn't your workgroup, change it to your actual workgroup
If WG.LOCAL isn't your realm, change it to your actual realm
NOTE: if '.local' is your TLD, then turn off Avahi if it is running.

[global]
workgroup = WG
security = ADS
realm = WG.LOCAL

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h

log level = 10 vfs:1

idmap config * : backend = tdb
idmap config * : range = 2000-10000

idmap config WG : backend = ad
idmap config WG : schema_mode = rfc2307
idmap config WG : range = 500000-600000

winbind use default domain = yes
winbind nss info = rfc2307
winbind refresh tickets = yes

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map

# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes

max log size = 1000
syslog = 10

load printers = no
printing = bsd
show add printer wizard = no
disable spoolss = yes
printcap name = /dev/null

#======================= Share Definitions =======================

[q]
comment = File share
path = /opt/q
read only = no

Create the user.map referenced above.

nano /etc/samba/user.map

!root = WG\Administrator WG\administrator Administrator administrator

Now create an LDIF on the DC, again change 'wg' and 'local' if required.
You will also probably need to change '500000' to the next free GID number in the
'500000-600000' range

nano /tmp/DU.ldif

dn: CN=Domain Users,CN=Users,DC=wg,DC=local
changetype: modify
add: msSFU30NisDomain
msSFU30NisDomain: wg
-
add: msSFU30Name
msSFU30Name: Domain Users
-
add: gidNumber
gidNumber: 500000
-

Now add the gidNumber to Domain Users with:

ldbmodify -H /var/lib/samba/private/sam.ldb -U Administrator /tmp/DU.ldif

NOTE: you may have to install the ldb-tools package.

Back to the client and leave the domain:

First stop all Samba processes

net ads leave -U Administrator

Alter /etc/krb5.conf to just this:

[libdefaults]
default_realm = WG.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

Then, re-join:

net ads join -U Administrator

Post by Rowland Penny via samba
Yes, but have you given Domain Users a gidNumber ???

Samba-4.3.5 is used.
Domain group "all" was set up: in UNIX Attributes "NIS domain" set up
as "WG", Group ID set up as 550000. But when I check "Unix
Attributes" tab in group properties it gives me a window "Unvilling
to perform" (in translation from russian), but it saves changes I
make there. Same done for user: NIS Domain set to "WG", UID is set up
to 500010, Primary group name is set to "all". No errors as above,
when selecting tab "Unix Attributes" is shown.

The 'unwilling to perform error' is fairly common and can be ignored.

By setting the 'NIS DOMAIN' to 'all' , all you are doing is adding the
gidNumber for 'all' to the user, this doesn't affect the users primary
group, which windows and winbind expects to be 'Domain Users', this
means that 'Domain Users' must have a gidNumber, if 'Domain Users'
doesn't have a gidNumber, then ALL your users will be ignored by
winbind.
If you later upgrade to Samba 4.6.x, you will be able to use the 'NIS
Domain as the users Unix primary group.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba

2017-03-16 10:10:02 UTC

Permalink

On Thu, 16 Mar 2017 10:13:10 +0300

Another big thanks for help!
All done as you wrote on samba filesrver. In tab "UNIX Attributes"
GID was assigned, two users: "usr1", "usr2" gets UID from same tab
and set to "Domain Users" primary group. Also these users in one
group in domain. Tried to do same for other groups like "all" - same
result. Now, on file server, 'id usr1' shows user info. Same for
"usr2". Another users, not "shared" from "UNIX attributes" tab don't
"visible" by 'id' command These users can access share, but all is
the same, as was written in first message of this topic: "usr1" can
create files/folders, also as "usr2", but "usr2" can't delete file
objects, created by "usr1", and vice versa.
I'don't uderstand next: all you wrote to did is, in general, mapping
domain credentials to linux host. To work commands like 'id',
gethostbyname() system calls and so on. Earlier (and now) winbind did
"all things" with domain "conversations" and all has to be done on
domain member to work with domain credentials, is correctly set up
NSswitch and libs for it. Then, why so complicate "things" have to be
done (modifying LDAP, adding fileds, incremets, mapping users/groups
"by hand" in RSAT, etc) is needed, If all I need is filesrver for MS
Win clients in domain and domain is running Samba too?
If there may be problems that first filesrver was set up with
idmap_rid, and now - idmap_ad is used? I did 'net cache flush'. Did
leave/join domain.

The only problem there may be, files and dirs might be owned by the
wrong users and groups.

If you are connecting a windows user to a Unix machine running
Samba, there are three ways that the user can connect.

Use the winbind 'rid' backend, this is the easiest way to map a windows
user to a Unix user as the Unix ID is calculated from the windows users
RID.

Use the winbind 'ad' backend, this involves (at a minimum) giving the
user a unique uidNumber in AD AND giving the users primary group
(usually Domain Users) a gidNumber. You will also need to set the
'idmap config DOMAIN' range in smb.conf based on the numbers you use.
Note: this has changed slightly with Samba 4.6.0, you can now use the
users gidNumber attribute for the users Unix primary group.

Add 'map to guest = Bad User' to smb.conf, with this, users unknown to
Samba will be mapped to the guest account and allowed access.

To test if a user is known to the OS, you need to run 'getent passwd
username' or 'id username'. If you don't get any output, the user is
unknown to the OS and hence Samba. Testing if a user exists with
'wbinfo -u' will not tell you if the OS is aware of the user, it just
tells you that the user exists in AD.

Hope this helps

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba