Samba file share and MS A/D NTFS permissions
-
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
-
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
Sounds like something is off because you would use that format for trusted domains, not your domain. For example:
valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"Where the first one is your domain, and the second is a different but trusted domain.
-
@pmoncho said in Samba file share and MS A/D NTFS permissions:
Small update:
I was able to get the NTFS perms to work as I wanted.
I kept the vfs objects line in global but add the nt acl support line[global] vfs objects = acl_xattr [fax] nt acl support = yes valid users = @"[email protected]"After setting up Samba, need to add rpc rights to allow Windows Admin to change NTFS perms on share.
net rpc rights list privileges SeDiskOperatorPrivilege -U "Domain\Admin Account"I was then able to change group permissions and all worked out well.
That may have been why I had issues with NTFS ACLs. I didn't know about the
nt acl supportline. That may have made it work.Maybe I'll try it on a test share.
-
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
Sounds like something is off because you would use that format for trusted domains, not your domain. For example:
valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"Where the first one is your domain, and the second is a different but trusted domain.
That was the weird part when I kept messing with the "valid users" section.
"valid users = @"Domain Users"" - wouldn't work so I kept to your documentation.
I will change it back and see what happens.
Side Note - how do you highlight your lines red with red box?
-
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
Sounds like something is off because you would use that format for trusted domains, not your domain. For example:
valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"Where the first one is your domain, and the second is a different but trusted domain.
That was the weird part when I kept messing with the "valid users" section.
"valid users = @"Domain Users"" - wouldn't work so I kept to your documentation.
I will change it back and see what happens.
Side Note - how do you highlight your lines red with red box?
I actually misread what you wrote.
So
@"Domain Users"works, but@"Domain [email protected]"does not work? -
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
Small update:
I was able to get the NTFS perms to work as I wanted.
I kept the vfs objects line in global but add the nt acl support line[global] vfs objects = acl_xattr [fax] nt acl support = yes valid users = @"[email protected]"After setting up Samba, need to add rpc rights to allow Windows Admin to change NTFS perms on share.
net rpc rights list privileges SeDiskOperatorPrivilege -U "Domain\Admin Account"I was then able to change group permissions and all worked out well.
That may have been why I had issues with NTFS ACLs. I didn't know about the
nt acl supportline. That may have made it work.Maybe I'll try it on a test share.
Give it a shot. It works really nice. Don't for get the "net rpc" line. That is what allows you to actually change the perms in windows.
My GPO works out nice also for automatic user folder creation.
-
@pmoncho said in Samba file share and MS A/D NTFS permissions:
Side Note - how do you highlight your lines red with red box?
You use the key next to your #1 key, a ` at each end when using it in a sentence.
Or use three in a row a line before and after for a chunk of code.
-
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
Sounds like something is off because you would use that format for trusted domains, not your domain. For example:
valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"Where the first one is your domain, and the second is a different but trusted domain.
That was the weird part when I kept messing with the "valid users" section.
"valid users = @"Domain Users"" - wouldn't work so I kept to your documentation.
I will change it back and see what happens.
Side Note - how do you highlight your lines red with red box?
I actually misread what you wrote.
So
@"Domain Users"works, but@"Domain [email protected]"does not work?I could not get
@"Domain Users"to work (original smb.conf file) so I stuck to@"Domain [email protected]".The issue as of the 7/6/18 Fedora/Samba/Winbind update is
@"Domain [email protected]"no longer works and I now usevalid users = @"Domain.com\Domain Users" -
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
Side Note - how do you highlight your lines red with red box?
You use the key next to your #1 key, a ` at each end when using it in a sentence.
Or use three in a row a line before and after for a chunk of code.
I figured it out when quoting your last reply. On all my other replies I did not notice the ` in there. Thanks.
-
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
Sounds like something is off because you would use that format for trusted domains, not your domain. For example:
valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"Where the first one is your domain, and the second is a different but trusted domain.
That was the weird part when I kept messing with the "valid users" section.
"valid users = @"Domain Users"" - wouldn't work so I kept to your documentation.
I will change it back and see what happens.
Side Note - how do you highlight your lines red with red box?
I actually misread what you wrote.
So
@"Domain Users"works, but@"Domain [email protected]"does not work?I could not get
@"Domain Users"to work (original smb.conf file) so I stuck to@"Domain [email protected]".The issue as of the 7/6/18 Fedora/Samba/Winbind update is
@"Domain [email protected]"no longer works and I now usevalid users = @"Domain.com\Domain Users"Hmm, not sure what the problem is because I have one running
4.16.9-300.fc28.x86_64(Fedora 28) that's fully up to date, and it's smb.conf is using the format:valid users = @"domain [email protected]" admin users = @"domain [email protected]"Where "domain admins" is a user or group.
Though, it hasn't been rebooted lately.
-
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
Sounds like something is off because you would use that format for trusted domains, not your domain. For example:
valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"Where the first one is your domain, and the second is a different but trusted domain.
That was the weird part when I kept messing with the "valid users" section.
"valid users = @"Domain Users"" - wouldn't work so I kept to your documentation.
I will change it back and see what happens.
Side Note - how do you highlight your lines red with red box?
I actually misread what you wrote.
So
@"Domain Users"works, but@"Domain [email protected]"does not work?I could not get
@"Domain Users"to work (original smb.conf file) so I stuck to@"Domain [email protected]".The issue as of the 7/6/18 Fedora/Samba/Winbind update is
@"Domain [email protected]"no longer works and I now usevalid users = @"Domain.com\Domain Users"Hmm, not sure what the problem is because I have one running
4.16.9-300.fc28.x86_64(Fedora 28) that's fully up to date, and it's smb.conf is using the format:valid users = @"domain [email protected]" admin users = @"domain [email protected]"Where "domain admins" is a user or group.
Though, it hasn't been rebooted lately.
Hmmm... I'm on
4.17.3-200.fc28.X86_64Would that be a kernel issue or possible Samba or Winbind? That is the part I cannot figure out. Where the change was the issue.
I am about to update my old Fedora 4.16 to newest and see if all still works.
-
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
Sounds like something is off because you would use that format for trusted domains, not your domain. For example:
valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"Where the first one is your domain, and the second is a different but trusted domain.
That was the weird part when I kept messing with the "valid users" section.
"valid users = @"Domain Users"" - wouldn't work so I kept to your documentation.
I will change it back and see what happens.
Side Note - how do you highlight your lines red with red box?
I actually misread what you wrote.
So
@"Domain Users"works, but@"Domain [email protected]"does not work?I could not get
@"Domain Users"to work (original smb.conf file) so I stuck to@"Domain [email protected]".The issue as of the 7/6/18 Fedora/Samba/Winbind update is
@"Domain [email protected]"no longer works and I now usevalid users = @"Domain.com\Domain Users"Hmm, not sure what the problem is because I have one running
4.16.9-300.fc28.x86_64(Fedora 28) that's fully up to date, and it's smb.conf is using the format:valid users = @"domain [email protected]" admin users = @"domain [email protected]"Where "domain admins" is a user or group.
Though, it hasn't been rebooted lately.
Hmmm... I'm on
4.17.3-200.fc28.X86_64Would that be a kernel issue or possible Samba or Winbind? That is the part I cannot figure out. Where the change was the issue.
I am about to update my old Fedora 4.16 to newest and see if all still works.
What versions of samba and winbind are you using?
-
Using
Samba-4.8.3-1.fc28.src.rpmandSamba-winbind-4.8.3-1.fc28.src.rpm -
@pmoncho said in Samba file share and MS A/D NTFS permissions:
Using
Samba-4.8.3-1.fc28.src.rpmandSamba-winbind-4.8.3-1.fc28.src.rpmsame
-
What file system?
-
@obsolesce
XFS -I use your document minus Hyper-V, DHCP and automatic updates (I don't install those packages). I differ by creating a separate 5 Gib XFS partition
/myshareduring setup along with the different info in smb.conf file.
