Re: [Samba] Domain Admin cannot access files

2012-08-16 Thread steve

On 15/08/12 23:51, Rowland Penny wrote:

On 15/08/12 22:10, Gémes Géza wrote:

On 2012-08-15 18:59, steve wrote:

Hi
I just joined a Samba 3.6.3 machine as a file server for a Samba4
domain.

Normal users can login and reach the shares apart from the domain
Administrator.

After Administrator has logged in, any attempt to reach the file
server results in a username and password prompt. Supplying the
correct information still will not allow share access for Administrator.

Using s3fs under Samba4, Administrator is allowed full access without
being asked for a password.

What am I missing?

Cheers,
Steve

[global]
workgroup = MARINA
realm = hh3.site
 security = ADS

[home]
path = /home2/MARINA
read only = No

[staff]
path = /home2/staff
read only = No

IF this is a Samba3 config file, you DO NOT need to specify a path for
a [homes] share. That way (a correctly configured Samba3 box (HERE
COMES winbind into PLAY!)) will give each user its own home share.

I've pasted a default [homes] section from an ubuntu 12.04 box (I'm
using it only for running winbind on it to allow login of domain
users, no samba running on that box), as you can see it is still
commented out:

;[homes]
;   comment = Home Directories
;   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
;   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only username can connect to \\server\username
# The following parameter makes sure that only username can connect
#
# This might need tweaking when using external authentication schemes
;   valid users = %S

Regards

Geza Gemes

He is not exporting the samba homes share, he is exporting a share
called [home], that is why he needs the path statement.

Administrator on my samba4 server is a member of:
Group Policy Creator Owners
Enterprise Admins
Schema Admins
Domain Admins

So unless your shares are owned by Administrator or one of his groups or
are set xx7, I do not think he should be able to get into the shares.

Rowland



Hi Geza, Rowland, everyone

openSUSE 12.1
Samba 4.0.0beta7-GIT 9566786 DC
Samba 3.6.3 file server on Vbox

[homes] is not the same as [home]. I do not want the restriction of 
[homes] with all home directories all having to be in the same folder.


With s3fs, Administrator has full control over all the shares.

What I'm trying to do is convert this on S4 s3fs (which works perfectly):
 [global]
server role = domain controller
workgroup = ALTEA
realm = hh3.site
netbios name = HH1
passdb backend = samba4
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[home]
path = /home2
read only = No

[profiles]
path = /home2/profiles
read only = No

To something equivalent on S3 smbd. This is what I have so far:

[global]
workgroup = ALTEA
realm = HH3.SITE
security = ADS
kerberos method = secrets and keytab
winbind enum users = Yes
winbind enum groups = Yes
winbind expand groups = 2
winbind nss info = rfc2307
winbind refresh tickets = Yes
idmap config ALTEA:schema_mode = rfc2307
idmap config ALTEA:range = 2-4000
idmap config ALTEA:backend = ad
idmap config * : backend = tdb

[home]
path = /home2/home
read only = No

[profiles]
path = /home2/profiles
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes

It works, but it's slow and roaming profiles sometimes work, sometimes 
not. And Administrator has no control over permissions. No one on m$ has 
control over anything in fact.


Could anyone give me a full s3fs to S3 smbd translation? Is there a tool 
to do so?


Going from smbd to s3fs is documented, but this seems to be breaking new 
territory. . .


What am I missing in my smb.conf translation to make this as fast and as 
reliable as s3fs?


Cheers,
Steve

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
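A quick way to catch the id-mapping and [homes] pitfalls that come up in this thread, as an added example (not Samba project code, and not something any of the posters ran): a small Python linter that parses a Samba 3.x member-server smb.conf and flags an idmap default domain with no range, an idmap range that reaches into the local system-account uid space, overlapping ranges, `security = ADS` without a `realm`, and a `[homes]` share that lacks `valid users = %S`. It is run over Steve's member-server [global] from above and over a constructed corrected variant; the ranges in that variant (3000-7999 for the default domain, 10000-999999 for ALTEA) are assumed values for illustration, not anything from the thread.

```python
"""Lint a Samba 3.x domain-member smb.conf for idmap and [homes] pitfalls.

Added example, not Samba project code.  Rules encoded here: every idmap
domain (including the default '*') needs a range, ranges must not overlap
each other or local /etc/passwd ids, and a [homes] share without
'valid users = %S' is reachable by any authenticated user.
"""
import re
from typing import Dict, List, Tuple

Config = Dict[str, Dict[str, str]]  # section name -> {normalised key: value}


def parse_smb_conf(text: str) -> Config:
    """Minimal smb.conf parser: [section] headers, 'key = value' lines, and
    lines starting with '#' or ';' treated as comments.  Keys are lower-cased
    with all whitespace removed, mirroring Samba's own parameter normalisation,
    so 'idmap config * : backend' and 'idmap config *:backend' are one key."""
    conf: Config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][re.sub(r"\s+", "", key.lower())] = value.strip()
    return conf


def idmap_domains(conf: Config) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config <DOMAIN>:<option>' settings by domain ('*' = default)."""
    domains: Dict[str, Dict[str, str]] = {}
    for key, value in conf.get("global", {}).items():
        m = re.match(r"^idmapconfig(.+):(backend|range|schema_mode)$", key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """'2-4000' -> (2, 4000); raises ValueError on malformed or inverted input."""
    lo, hi = (int(part) for part in value.split("-", 1))
    if lo > hi:
        raise ValueError(f"inverted idmap range {value!r}")
    return lo, hi


def lint(conf: Config, local_max_uid: int = 999) -> List[str]:
    """Return a list of findings (empty when the config passes all checks)."""
    findings: List[str] = []
    g = conf.get("global", {})

    if g.get("security", "").lower() == "ads" and "realm" not in g:
        findings.append("security = ADS but no 'realm' set")

    domains = idmap_domains(conf)
    if "range" not in domains.get("*", {}):
        findings.append("no range for the default idmap domain '*': winbind cannot "
                        "allocate ids for SIDs outside the AD-mapped domain "
                        "(BUILTIN and well-known SIDs)")

    seen: List[Tuple[str, int, int]] = []
    for dom, opts in domains.items():
        if "range" not in opts:
            continue
        lo, hi = parse_range(opts["range"])
        if lo <= local_max_uid:
            findings.append(f"idmap range for {dom} ({lo}-{hi}) starts inside the "
                            f"local system account space (uid <= {local_max_uid})")
        for other, olo, ohi in seen:
            if lo <= ohi and olo <= hi:
                findings.append(f"idmap ranges for {dom} and {other} overlap")
        seen.append((dom, lo, hi))

    homes = conf.get("homes")
    if homes is not None and homes.get("validusers") != "%S":
        findings.append("[homes] lacks 'valid users = %S': any authenticated user "
                        "can connect to \\\\server\\<username>")
    return findings


def lint_text(text: str) -> List[str]:
    return lint(parse_smb_conf(text))


# Steve's member-server [global] as posted in the thread (shares omitted).
STEVE_CONF = """\
[global]
workgroup = ALTEA
realm = HH3.SITE
security = ADS
kerberos method = secrets and keytab
winbind nss info = rfc2307
idmap config ALTEA:schema_mode = rfc2307
idmap config ALTEA:range = 2-4000
idmap config ALTEA:backend = ad
idmap config * : backend = tdb
"""

# Constructed corrected variant; the ranges are assumed values, not from the thread.
FIXED_CONF = """\
[global]
workgroup = ALTEA
realm = HH3.SITE
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config ALTEA:backend = ad
idmap config ALTEA:schema_mode = rfc2307
idmap config ALTEA:range = 10000-999999

[homes]
read only = no
valid users = %S
"""

if __name__ == "__main__":
    for name, text in (("steve", STEVE_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_text(text) or ["clean"])
```

The linter only sees the file. Whether Administrator actually has a uidNumber inside the ALTEA range (which `idmap config ALTEA:backend = ad` with `schema_mode = rfc2307` requires before winbind will map the account at all) has to be checked on the member server itself, e.g. with `wbinfo -i 'ALTEA\Administrator'` or `getent passwd 'ALTEA\Administrator'`; an account that does not resolve there cannot be authorised to any share, whatever the share permissions say.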


Re: [Samba] Domain Admin cannot access files

2012-08-16 Thread Gémes Géza

On 2012-08-16 13:48, steve wrote:

On 15/08/12 23:51, Rowland Penny wrote:

On 15/08/12 22:10, Gémes Géza wrote:

On 2012-08-15 18:59, steve wrote:

Hi
I just joined a Samba 3.6.3 machine as a file server for a Samba4
domain.

Normal users can login and reach the shares apart from the domain
Administrator.

After Administrator has logged in, any attempt to reach the file
server results in a username and password prompt. Supplying the
correct information still will not allow share access for 
Administrator.


Using s3fs under Samba4, Administrator is allowed full access without
being asked for a password.

What am I missing?

Cheers,
Steve

[global]
workgroup = MARINA
realm = hh3.site
 security = ADS

[home]
path = /home2/MARINA
read only = No

[staff]
path = /home2/staff
read only = No

IF this is a Samba3 config file, you DO NOT need to specify a path for
a [homes] share. That way (a correctly configured Samba3 box (HERE
COMES winbind into PLAY!)) will give each user its own home share.

I've pasted a default [homes] section from an ubuntu 12.04 box (I'm
using it only for running winbind on it to allow login of domain
users, no samba running on that box), as you can see it is still
commented out:

;[homes]
;   comment = Home Directories
;   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
;   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only username can connect to \\server\username
# The following parameter makes sure that only username can connect
#
# This might need tweaking when using external authentication schemes
;   valid users = %S

Regards

Geza Gemes

He is not exporting the samba homes share, he is exporting a share
called [home], that is why he needs the path statement.

Administrator on my samba4 server is a member of:
Group Policy Creator Owners
Enterprise Admins
Schema Admins
Domain Admins

So unless your shares are owned by Administrator or one of his groups or
are set xx7, I do not think he should be able to get into the shares.

Rowland



Hi Geza, Rowland, everyone

openSUSE 12.1
Samba 4.0.0beta7-GIT 9566786 DC
Samba 3.6.3 file server on Vbox

[homes] is not the same as [home]. I do not want the restriction of 
[homes] with all home directories all having to be in the same folder.

With homes you don't need to have all the shares in the same folder, 
instead samba (only 3 so far) does an nss lookup to find the home 
directory for the user, e.g. you have two users: steve1 and steve2, with 
home directories /home/users/first-type/steve1 and 
/usr/local/testprojects/homfolders/steve2, and the [homes] share 
transforms it into \\servername\steve1 for the user steve1 and 
\\servername\steve2 for the user steve2 respectively. The key element 
here is being able to look up the home directories for the users 
(preferably from the unixHomeDirectory attribute) and here comes a 
correctly configured winbind into play.


With s3fs, Administrator has full control over all the shares.

What I'm trying to do is convert this on S4 s3fs (which works perfectly):
 [global]
server role = domain controller
workgroup = ALTEA
realm = hh3.site
netbios name = HH1
passdb backend = samba4
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[home]
path = /home2
read only = No

[profiles]
path = /home2/profiles
read only = No

To something equivalent on S3 smbd. This is what I have so far:

[global]
workgroup = ALTEA
realm = HH3.SITE
security = ADS
kerberos method = secrets and keytab
winbind enum users = Yes
winbind enum groups = Yes
winbind expand groups = 2
winbind nss info = rfc2307
winbind refresh tickets = Yes
idmap config ALTEA:schema_mode = rfc2307
idmap config ALTEA:range = 2-4000
idmap config ALTEA:backend = ad
idmap config * : backend = tdb

[home]
path = /home2/home
read only = No

[profiles]
path = /home2/profiles
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes

It works, but it's slow and roaming profiles sometimes work, sometimes 
not. And Administrator has no control over permissions. No one on m$ 
has control over 

[Samba] Domain Admin cannot access files

2012-08-15 Thread steve

Hi
I just joined a Samba 3.6.3 machine as a file server for a Samba4 domain.

Normal users can login and reach the shares apart from the domain 
Administrator.


After Administrator has logged in, any attempt to reach the file server 
results in a username and password prompt. Supplying the correct 
information still will not allow share access for Administrator.


Using s3fs under Samba4, Administrator is allowed full access without 
being asked for a password.


What am I missing?

Cheers,
Steve

[global]
workgroup = MARINA
realm = hh3.site
security = ADS

[home]
path = /home2/MARINA
read only = No

[staff]
path = /home2/staff
read only = No


Re: [Samba] Domain Admin cannot access files

2012-08-15 Thread Gémes Géza

On 2012-08-15 18:59, steve wrote:

Hi
I just joined a Samba 3.6.3 machine as a file server for a Samba4 domain.

Normal users can login and reach the shares apart from the domain 
Administrator.


After Administrator has logged in, any attempt to reach the file 
server results in a username and password prompt. Supplying the 
correct information still will not allow share access for Administrator.


Using s3fs under Samba4, Administrator is allowed full access without 
being asked for a password.


What am I missing?

Cheers,
Steve

[global]
workgroup = MARINA
realm = hh3.site
 security = ADS

[home]
path = /home2/MARINA
read only = No

[staff]
path = /home2/staff
read only = No
IF this is a Samba3 config file, you DO NOT need to specify a path for a 
[homes] share. That way (a correctly configured Samba3 box (HERE COMES 
winbind into PLAY!)) will give each user its own home share.


I've pasted a default [homes] section from an ubuntu 12.04 box (I'm 
using it only for running winbind on it to allow login of domain users, 
no samba running on that box), as you can see it is still commented out:


;[homes]
;   comment = Home Directories
;   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
;   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only username can connect to \\server\username
# The following parameter makes sure that only username can connect
#
# This might need tweaking when using external authentication schemes
;   valid users = %S

Regards

Geza Gemes


Re: [Samba] Domain Admin cannot access files

2012-08-15 Thread Rowland Penny

On 15/08/12 22:10, Gémes Géza wrote:

On 2012-08-15 18:59, steve wrote:

Hi
I just joined a Samba 3.6.3 machine as a file server for a Samba4 
domain.


Normal users can login and reach the shares apart from the domain 
Administrator.


After Administrator has logged in, any attempt to reach the file 
server results in a username and password prompt. Supplying the 
correct information still will not allow share access for Administrator.


Using s3fs under Samba4, Administrator is allowed full access without 
being asked for a password.


What am I missing?

Cheers,
Steve

[global]
workgroup = MARINA
realm = hh3.site
 security = ADS

[home]
path = /home2/MARINA
read only = No

[staff]
path = /home2/staff
read only = No
IF this is a Samba3 config file, you DO NOT need to specify a path for 
a [homes] share. That way (a correctly configured Samba3 box (HERE 
COMES winbind into PLAY!)) will give each user its own home share.


I've pasted a default [homes] section from an ubuntu 12.04 box (I'm 
using it only for running winbind on it to allow login of domain 
users, no samba running on that box), as you can see it is still 
commented out:


;[homes]
;   comment = Home Directories
;   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
;   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only username can connect to \\server\username
# The following parameter makes sure that only username can connect
#
# This might need tweaking when using external authentication schemes
;   valid users = %S

Regards

Geza Gemes
He is not exporting the samba homes share, he is exporting a share 
called [home], that is why he needs the path statement.


Administrator on my samba4 server is a member of:
Group Policy Creator Owners
Enterprise Admins
Schema Admins
Domain Admins

So unless your shares are owned by Administrator or one of his groups or 
are set xx7, I do not think he should be able to get into the shares.


Rowland

