
[Samba] Missing security tab samba 4.1.13


Bart Coninckx via samba

Mar 4, 2017, 4:30:03 PM
Hi all,

 
I followed the installation instructions on https://imanudin.net/2014/11/16/how-to-install-samba4-active-directory-on-centos-7-part-1/#comment-16611 to install Samba 4.1.13. One difference is that I used the Internal DNS server as opposed to the external one. 

 
I was able to add a Windows 7 Pro workstation to the domain and I see the shares I added in smb.conf (with only the path and the read only setting to "no"), but on those shares I miss the Security tab. I added the correct privilege to the administrators group. The default shares like netlogon and sysvol do show the Security tab.

I did see a difference when I do a getfacl for those folders as opposed to the ones I created. For the latter I do not get any ACL configuration.

 
Am I supposed to do a manual setfacl for my own shares?

One other thing is that the administration of the shares behaves unstable when I have IPv6 enabled, so that is disabled now.

 
I have been browsing the web for hours, but it does not seem to be a typical problem.

I hope someone has an idea,

 
cheers all!

 
 
Kind Regards,
Salutations,
 
 
Bart Coninckx
Bits 'n Tricks BVBA
 

Rowland Penny via samba

Mar 4, 2017, 5:00:02 PM
On Sat, 4 Mar 2017 22:09:16 +0100
Bart Coninckx via samba <sa...@lists.samba.org> wrote:

> Hi all,
>
>  
> I followed the installation instructions
> on https://imanudin.net/2014/11/16/how-to-install-samba4-active-directory-on-centos-7-part-1/#comment-16611
> to install Samba 4.1.13. One difference is that I used the Internal
> DNS server as opposed to the external one. 

I suppose you totally missed the fact that the 4.1.x series went EOL
quite some time ago, in fact 4.6.0 should be out this month.

Why follow that particular howto ?

>
>  
> I was able to add a Windows 7 Pro workstation to the domain and I see
> the shares I added in smb.conf (with only the path and the read only
> setting to "no"), but on those shares I miss the Security tab. I
> added the correct privilege to the administrators group. The default
> shares like netlogon and sysvol do show the Security tab. 
>
> I did see a difference when I do a getfacl for those folders as
> opposed to the ones I created. For the latter I do not get any ACL
> configuration.
>
>  
> Am I supposed to do a manual setfacl for my own shares?

Yes

>
> One other thing is that the administration of the shares behaves
> unstable when I have IPv6 enabled, so that is disabled now.

Could be down to not having the reverse zone set up.

>
>  
> I have been browsing the web for hours, but it does not seem to be a
> typical problem.

Did you think to go to the source ????

https://wiki.samba.org/index.php/Main_Page

Specifically this page:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland

Bart Coninckx via samba

Mar 4, 2017, 6:00:02 PM
Hi Rowland,

>> Hi all,
>>
>>  
>> I followed the installation instructions
>> on https://imanudin.net/2014/11/16/how-to-install-samba4-active-directory-on-centos-7-part-1/#comment-16611
>> to install Samba 4.1.13. One difference is that I used the Internal
>> DNS server as opposed to the external one. 

>I suppose you totally missed the fact that the 4.1.x series went EOL
>quite some time ago, in fact 4.6.0 should be out this month.

>Why follow that particular howto ?

 
Well, I googled for a fair amount of them and this one had a fair amount of comments to it, which proved useful as I encountered some of the errors and was able to learn from them. Also, I was able to add my own solutions to other people's problems, which I like. In that way it becomes a community driven How To. In my experience those work out better often.


>> 
>> 
>> I was able to add a Windows 7 Pro workstation to the domain and I see
>> the shares I added in smb.conf (with only the path and the read only
>> setting to "no"), but on those shares I miss the Security tab. I
>> added the correct privilege to the administrators group. The default
>> shares like netlogon and sysvol do show the Security tab. 
>>
>> I did see a difference when I do a getfacl for those folders as
>> opposed to the ones I created. For the latter I do not get any ACL
>> configuration.
>>
>>  
>> Am I supposed to do a manual setfacl for my own shares?

>Yes

 
OK - I did not find that on https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs . I suppose it should be added to that howto. 

Can I simply copy the ACLs of "netlogon" or "sysvol"?



>>
>> One other thing is that the administration of the shares behaves
>> unstable when I have IPv6 enabled, so that is disabled now.

>Could be down to not having the reverse zone set up.

 
Good point, I don't have that. I suppose I miss a pointer record for the server then.

  
>> I have been browsing the web for hours, but it does not seem to be a
>> typical problem.

>Did you think to go to the source ????

>https://wiki.samba.org/index.php/Main_Page

>Specifically this page:

>https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

 
Ha, you are now referencing to the page I just mentioned. It does not mention setting ACLs, which should be added I suppose.

>Rowland

Cheers Rowland

Rowland Penny via samba

Mar 4, 2017, 6:40:02 PM
On Sat, 4 Mar 2017 23:52:54 +0100
Bart Coninckx <in...@bitsandtricks.com> wrote:

> Hi Rowland,
>
> >Why follow that particular howto ?
>
>  
> Well, I googled for a fair amount of them and this one had a fair
> amount of comments to it, which proved useful as I encountered some
> of the errors and was able to learn from them. Also, I was able to
> add my own solutions to other people's problems, which I like. In
> that way it becomes a community driven How To. In my experience those
> work out better often.

What do you think the Samba wiki is ?
If you want to add to a community driven howto, register for an account
and then contribute to the Samba wiki.

> Can I simply copy the ACLs of "netlogon" or "sysvol"?
>

Probably not, you need to decide who has what access to where and set
the ACLs accordingly.

> Good point, I don't have that. I suppose I miss a pointer record for
> the server then.

Unless you have created the reverse zone, you will not have any
pointer records. Just for the record, the howto you used doesn't
mention that

>  
> Ha, you are now referencing to the page I just mentioned. It does not
> mention setting ACLs, which should be added I suppose.

Did you miss:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs

Can I suggest upgrading to the latest Samba version 4.5.5 and following
the Samba wiki, not some random webpage, that way, you are sure to get
the full and correct info. If there is something on the Samba wiki you
do not understand, ask here.

Miguel Medalha via samba

Mar 4, 2017, 7:10:02 PM
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Ha, you are now referencing to the page I just mentioned. It does not mention setting ACLs, which should be added I suppose.
>

Well, I am looking at the wiki page right now and it surely mentions
setting ACLs...

I am seeing the following sections:
-- Setting Share Permissions and ACLs
-- Setting ACLs on a Folder
-- File System ACLs in the Back End

Bart Coninckx via samba

Mar 4, 2017, 7:10:03 PM
Hi,

 
>Well, I am looking at the wiki page right now and it surely mentions
>setting ACLs...

>I am seeing the following sections:
>- Setting Share Permissions and ACLs
>-- Setting ACLs on a Folder
>- File System ACLs in the Back End

The first two refer to doing that by means of the security tab, which I don't have.

The last one does not refer to using setfacl. So needing to have to set ACLs in order to get a Security tab is not mentioned in the How to, I'm sorry,

 
 
BC

Bart Coninckx via samba

Mar 4, 2017, 7:20:02 PM
No, this part of the wiki made me realize I have a problem. It talks about changes via the security tab. I don't have that tab. That is the whole problem.

I gather from your previous answer setfacl needs to be used to sort that out. But I miss that part in the wiki. So either something is off with my install or the instructions to set the initial permissions with setfacl to get the security tab going are missing in the wiki.

 
BC

Rowland Penny via samba

Mar 5, 2017, 4:10:02 AM
On Sun, 5 Mar 2017 01:12:26 +0100
Bart Coninckx <in...@bitsandtricks.com> wrote:

> >Did you miss:
>
> >https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs
>
>  
> No, this part of the wiki made me realize I have a problem. It talks
> about changes via the security tab. I don't have that tab. That is
> the whole problem.
>

No that isn't your whole problem, your main problem is that you are
running a version of Samba that will not get ANY updates and is several
versions behind the most up-to-date version, which means it is missing
a lot of improvements.

As for the missing security tab, this could be a windows problem, or it
could be something in your smb.conf, so can you please post this.

Rowland

Rowland Penny via samba

Mar 5, 2017, 9:00:03 AM
On Sun, 5 Mar 2017 14:20:48 +0100
Bart Coninckx <in...@bitsandtricks.com> wrote:

> on the Windows site I checked a possible active group policy, but
> there was none. Also, I don't have this problem for sysvol or
> netlogon.
>
>  
> This is my smb.conf
>
>  
>  
> # Global parameters
> [global]
>         workgroup = DOMAIN
>         realm = DOMAIN.COM
>         netbios name = LX01
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
>         idmap_ldb:use rfc2307 = yes
>  [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
>         read only = No
>  [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>  [Data]
>         path = /data/smb/data
>         read only = No
>  [Maarten]
>         path = /data/smb/maarten
>         read only = No
>  [Erik]
>         path = /data/smb/erik
>         read only = No
>   Cheers,
>  BC
>

I think your problem is being caused by the OS not knowing your users
and groups, have a look here:

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

But before you do that, UPGRADE your Samba version. I said that there
have been a lot of improvements, one of them is the 'winbind' built
into the 'samba' binary has been replaced by the same separate
'winbindd' binary used on a domain member, this by itself is worth
upgrading for.

Bart Coninckx via samba

Mar 5, 2017, 9:50:03 AM
>I think your problem is being caused by the OS not knowing your users
>and groups, have a look here:

>https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

 
I will look into that, cheers!


>But before you do that, UPGRADE your Samba version. I said that there
>have been a lot of improvements, one of them is the 'winbind' built
>into the 'samba' binary has been replaced by the same separate
>'winbindd' binary used on a domain member, this by itself is worth
>upgrading for.

>Rowland
 
Would you advise to start new again or do an upgrade, respecting the current config and Active Directory?

 
Cheers,

 
 
BC

Rowland Penny via samba

Mar 5, 2017, 10:10:02 AM
On Sun, 5 Mar 2017 15:47:21 +0100
Bart Coninckx <in...@bitsandtricks.com> wrote:

> Would you advise to start new again or do an upgrade, respecting the
> current config and Active Directory?

Either is a possibility, but, if you are only running a test domain,
then starting anew is probably the easiest way.

If you do upgrade, do it like this:

download and unpack the new tarball
then run configure: ./configure
Then compile it: make
Stop Samba
Install the new packages: make install
Start Samba

I would also check here (whichever way you decide to go):

https://wiki.samba.org/index.php/Samba_Dependencies_Required_to_Build_Samba#Red_Hat_Enterprise_Linux_.2F_CentOS_.2F_Scientific_Linux

There are dependencies shown there that are not on the howto you posted.

Rowland

Reindl Harald via samba

Mar 5, 2017, 10:10:02 AM

On 05.03.2017 at 15:47, Bart Coninckx via samba wrote:
>> I think your problem is being caused by the OS not knowing your users
>> and groups, have a look here:
>
>> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>
> I will look into that, cheers!
>
>> But before you do that, UPGRADE your Samba version. I said that there
>> have been a lot of improvements, one of them is the 'winbind' built
>> into the 'samba' binary has been replaced by the same separate
>> 'winbindd' binary used on a domain member, this by itself is worth
>> upgrading for.
>
> Would you advise to start new again or do an upgrade, respecting the current config and Active Directory?

as you currently don't have a working as desired setup i would start
from scratch because you can't distinguish between probably upgrade related
problems and others in your current state

normally purge the configs and *also* "/var/lib/samba" which contains all
the databases should bring you in a state like nothing tried before

Rowland Penny via samba

Mar 5, 2017, 10:20:03 AM
On Sun, 5 Mar 2017 16:04:10 +0100
Reindl Harald via samba <sa...@lists.samba.org> wrote:

> as you currently don't have a working as desired setup i would start
> from scratch because you can't distinguish between probably upgrade
> related problems and others in your current state

The OP does have a working setup, it just isn't working as he expected,
probably because he hasn't set up libnss_winbind.

>
> normally purge the configs and *also* "/var/lib/samba" which contains
> all the databases should bring you in a state like nothing tried
> before

That will not work, mostly because the OP compiled Samba into the
default location '/usr/local/samba'

Rowland

Reindl Harald via samba

Mar 5, 2017, 10:40:02 AM


On 05.03.2017 at 16:15, Rowland Penny via samba wrote:
> On Sun, 5 Mar 2017 16:04:10 +0100
> Reindl Harald via samba <sa...@lists.samba.org> wrote:
>
>> as you currently don't have a working as desired setup i would start
>> from scratch because you can't distinguish between probably upgrade
>> related problems and others in your current state
>
> The OP does have a working setup, it just isn't working as he expected,
> probably because he hasn't set up libnss_winbind.

that's nitpicking - a working setup works as i expect :-)

when working without packaging which would remove orphaned files proper
start from scratch and "rm -rf" is better and in case of a retry i would
start with a rpm-spec with %files pointing to /usr/local/samba/ because
that makes upgrades / downgrades in the future cleaner instead a "make
install"

>> normally purge the configs and *also* "/var/lib/samba" which contains
>> all the databases should bring you in a state like nothing tried
>> before
>
> That will not work, mostly because the OP compiled Samba into the
> default location '/usr/local/samba'

missed that - but must be the case because he refers to RHEL7/CentOS7
which ships with 4.4.4 and not 4.1.x - anyways, the tree below the
install prefix is the same and the main part of the configuration lives
below the lib folder wherever it is located and so the point was just
remove the configs itself won't reset completely

Rowland Penny via samba

Mar 5, 2017, 11:00:02 AM
On Sun, 5 Mar 2017 16:30:00 +0100
Reindl Harald via samba <sa...@lists.samba.org> wrote:

>
>
> that's nitpicking - a working setup works as i expect :-)

No, it's not nitpicking, the OP has an AD DC that is working as
recommended, but the OP wants to also use it as a fileserver, so he
needs to configure it a bit more. The only problem he really has is,
he used the wrong version of Samba.

>
> when working without packaging which would remove orphaned files
> proper start from scratch and "rm -rf" is better and in case of a
> retry i would start with a rpm-spec with %files pointing
> to /usr/local/samba/ because that makes upgrades / downgrades in the
> future cleaner instead a "make install"

You can do what you like, but running 'make install' is just as easy as
downloading the latest Samba tarball, compiling it into an RPM and then
installing that RPM.

> missed that - but must be the case because he refers to RHEL7/CentOS7
> which ships with 4.4.4 and not 4.1.x - anyways, the tree below the
> install prefix is the same and the main part of the configuration
> lives below the lib folder wherever it is located and so the point
> was just remove the configs itself won't reset completely

You, being (by the sound of it) a Red-Hat user, will very well know
that you cannot create an AD DC with Red-Hat packages yet, so, unless
you configure it differently, Samba puts everything into
/usr/local/samba

Rowland

Reindl Harald via samba

Mar 5, 2017, 11:20:03 AM


On 05.03.2017 at 16:51, Rowland Penny via samba wrote:
> On Sun, 5 Mar 2017 16:30:00 +0100
> Reindl Harald via samba <sa...@lists.samba.org> wrote:
>> when working without packaging which would remove orphaned files
>> proper start from scratch and "rm -rf" is better and in case of a
>> retry i would start with a rpm-spec with %files pointing
>> to /usr/local/samba/ because that makes upgrades / downgrades in the
>> future cleaner instead a "make install"
>
> You can do what you like, but running 'make install' is just as easy as
> downloading the latest Samba tarball, compiling it into an RPM and then
> installing that RPM

the install yes

longtime maintenance for sure no, because the next "make install" won't
remove orphaned files after major upgrades, a package will

i was there with mysql for years and randomly other software linking
against its libraries stopped to build until i manually deleted every
mysql related file and built it again

never saw such issue on package-only systems and since i have here 30
machines running Fedora 25 which were installed in 2008 with Fedora 9 i
have some experience with long-time maintenance of a server system

Bart Coninckx via samba

Mar 6, 2017, 9:00:04 AM
>> missed that - but must be the case because he refers to RHEL7/CentOS7
>> which ships with 4.4.4 and not 4.1.x - anyways, the tree below the
>> install prefix is the same and the main part of the configuration
>> lives below the lib folder wherever it is located and so the point
>> was just remove the configs itself won't reset completely

>You, being (by the sound of it) a Red-Hat user, will very well know
>that you cannot create an AD DC with Red-Hat packages yet, so, unless
>you configure it differently, Samba puts everything into
>/usr/local/samba

>Rowland

Personally I find it an advantage of Samba living in /usr/local as it emphasizes that this Samba install is not created from packages and it represents its own biotope because all relevant folders are in that one folder.

 
BC

Reindl Harald via samba

Mar 6, 2017, 10:00:03 AM


On 06.03.2017 at 14:56, Bart Coninckx via samba wrote:
>>> missed that - but must be the case because he refers to RHEL7/CentOS7
>>> which ships with 4.4.4 and not 4.1.x - anyways, the tree below the
>>> install prefix is the same and the main part of the configuration
>>> lives below the lib folder wherever it is located and so the point
>>> was just remove the configs itself won't reset completely
>
>> You, being (by the sound of it) a Red-Hat user, will very well know
>> that you cannot create an AD DC with Red-Hat packages yet, so, unless
>> you configure it differently, Samba puts everything into
>> /usr/local/samba
>
> Personally I find it an advantage of Samba living in /usr/local as it emphasizes that this Samba install is not created from packages and it represents its own biotope because all relevant folders are in that one folder.

well, there is nothing different when you use rpmbuild and choose the
prefix you want besides that:

* cleanup of orphan files
* simple upgrade/downgrade because you have your prebuilt .rpm files
* no need of devel-packages / compilers on the target machine
* no need to --exclude=/usr/local/samba/var/lib/samba for rsync
  if you build on a different machine because rpm don't touch
  files which it didn't create
* easy re-use on several machines including a testing-one

the only real difference is that "make install" goes into the
buildfolder - i don't see any advantage in "as it emphasizes that this
Samba install is not created from packages" since for a decade now i
override postfix, mysql, httpd, apr, php and so on on Fedora with self
built packages and a higher epoch in the rpm-spec so that the own repos win

Bart Coninckx via samba

Mar 6, 2017, 10:00:03 AM
-----Original message-----
From:Reindl Harald via samba <sa...@lists.samba.org>
Sent:Mon 06-03-2017 15:50
Subject:Re: [Samba] Missing security tab samba 4.1.13
To:sa...@lists.samba.org;


>well, there is nothing different when you use rpmbuild and choose the
>prefix you want besides that:
>
>* cleanup of orphan files
>* simple upgrade/downgrade because you have your prebuilt .rpm files
>* no need of devel-packages / compilers on the target machine
>* no need to --exclude=/usr/local/samba/var/lib/samba for rsync
>  if you build on a different machine because rpm don't touch
>  files which it didn't create
>* easy re-use on several machines including a testing-one
>
>the only real difference is that "make install" goes into the
>buildfolder - i don't see any advantage in "as it emphasizes that this
>Samba install is not created from packages" since for a decade now i
>override postfix, mysql, httpd, apr, php and so on on Fedora with self
>built packages and a higher epoch in the rpm-spec so that the own repos win
 
Frankly, I have never done that before. I did not find a wiki entry for that and I have somewhat of a time constraint, but might check that out later,

 
BC

Rowland Penny via samba

Mar 6, 2017, 10:20:03 AM
On Mon, 6 Mar 2017 15:48:32 +0100
Reindl Harald via samba <sa...@lists.samba.org> wrote:

> well, there is nothing different when you use rpmbuild and choose the
> prefix you want besides that:
>
> * cleanup of orphan files
> * simple upgrade/downgrade because you have your prebuilt .rpm files
> * no need of devel-packages / compilers on the target machine
> * no need to --exclude=/usr/local/samba/var/lib/samba for rsync
>   if you build on a different machine because rpm don't touch
>   files which it didn't create
> * easy re-use on several machines including a testing-one
>
> the only real difference is that "make install" goes into the
> buildfolder - i don't see any advantage in "as it emphasizes that
> this Samba install is not created from packages" since for a decade
> now i override postfix, mysql, httpd, apr, php and so on on Fedora
> with self built packages and a higher epoch in the rpm-spec so that
> the own repos win
>

OK, you sound like you know how to do this, so why don't you add it to
the Samba wiki, or if you don't want to register on the wiki, just
write it all down, send it to me and I will put it on the wiki for you.

Rowland

Reindl Harald via samba

Mar 6, 2017, 10:20:03 AM

On 06.03.2017 at 16:06, Rowland Penny wrote:
> On Mon, 6 Mar 2017 15:48:32 +0100
> Reindl Harald via samba <sa...@lists.samba.org> wrote:
>
>> well, there is nothing different when you use rpmbuild and choose the
>> prefix you want besides that:
>>
>> * cleanup of orphan files
>> * simple upgrade/downgrade because you have your prebuilt .rpm files
>> * no need of devel-packages / compilers on the target machine
>> * no need to --exclude=/usr/local/samba/var/lib/samba for rsync
>>   if you build on a different machine because rpm don't touch
>>   files which it didn't create
>> * easy re-use on several machines including a testing-one
>>
>> the only real difference is that "make install" goes into the
>> buildfolder - i don't see any advantage in "as it emphasizes that
>> this Samba install is not created from packages" since for a decade
>> now i override postfix, mysql, httpd, apr, php and so on on Fedora
>> with self built packages and a higher epoch in the rpm-spec so that
>> the own repos win
>
> OK, you sound like you know how to do this, so why don't you add it to
> the Samba wiki, or if you don't want to register on the wiki, just
> write it all down, send it to me and I will put it on the wiki for you

in short: it's not samba specific at all

https://wiki.centos.org/HowTos/SetupRpmBuildEnvironment

you just place the same configure line with whatever options in the
specfile as well as any other stuff and scriptings, just keep the %files
the first time empty and then you get every folder or file listed at the
error output which is not packaged and just write your filelist

as start in doubt just use an already existing spec file which for sure
exists and modify it for your needs
___________________________________________________

just a simple one - no rocket science

[builduser@testserver:/rpmbuild/SPECS]$ cat /rpmbuild/SPECS/aespipe.spec
Summary: AES-encryption tool for tar/cpio and loop-aes images
Name: aespipe
Version: 2.4d
Release: 2%{?dist}
License: GPL
Group: Applications
URL: http://loop-aes.sourceforge.net/
Source0: %{name}/%{name}-v%{version}.tar.bz2
BuildRequires: autoconf
BuildRequires: automake

%description
aespipe is an encryption tool that reads from standard input and
writes to standard output. It uses the AES (Rijndael) cipher

It can be used as an encryption filter, to create and restore
encrypted tar/cpio backup archives and to read/write and convert
loop-AES compatible encrypted images

%prep
%setup -q -n %{name}-v%{version}

%build
aclocal && autoconf || exit 1
export CFLAGS="%{optflags} -fPIE -fuse-ld=gold -fuse-linker-plugin"
export CXXFLAGS="$CFLAGS"
export FFLAGS="$CFLAGS"
export CPPFLAGS="$CFLAGS"
export CC="gcc $CFLAGS"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -pie $CFLAGS"
%configure --enable-intelaes --disable-padlock
%{__make} %{?_smp_mflags} amd64

%install
install -d %{buildroot}{%{_bindir},%{_mandir}/man1}
install %{name} %{buildroot}%{_bindir}
install %{name}.1 %{buildroot}%{_mandir}/man1
strip -s %{buildroot}%{_bindir}/%{name}

%files
%attr(755,root,root) %{_bindir}/*
%{_mandir}/man1/*

%changelog
* Sun May 24 2015 Reindl Harald <h.re...@thelounge.net>
- Update to 2.4d

Rowland Penny via samba

Mar 6, 2017, 10:50:03 AM
On Mon, 6 Mar 2017 16:15:49 +0100
Reindl Harald <h.re...@thelounge.net> wrote:

>
> in short: it's not samba specific at all

I actually knew that.

>
> https://wiki.centos.org/HowTos/SetupRpmBuildEnvironment
>

That's not really what I meant, how about creating a Samba rpm and
then documenting just how you did it, or to put it another way:

Put up, or shut up!

Rowland

Reindl Harald via samba

Mar 6, 2017, 11:00:03 AM


On 06.03.2017 at 16:40, Rowland Penny via samba wrote:
> On Mon, 6 Mar 2017 16:15:49 +0100
> Reindl Harald <h.re...@thelounge.net> wrote:
>>
>> in short: it's not samba specific at all
>
> I actually knew that.
>>
>> https://wiki.centos.org/HowTos/SetupRpmBuildEnvironment
>
> That's not really what I meant, how about creating a Samba rpm and
> then documenting just how you did it, or to put it another way:
>
> Put up, or shut up!

WTF - i don't need it because i am satisfied with the Fedora repo - but
since i *never* install any software on any production machine without
build a proper RPM for maintenance reasons *for sure* i will not shut
up to recommend learning to build a package to anybody which types "make
install" into any terminal for whatever software

Rowland Penny via samba

Mar 6, 2017, 11:30:03 AM
On Mon, 6 Mar 2017 16:48:47 +0100
Reindl Harald via samba <sa...@lists.samba.org> wrote:

> WTF - i don't need it because i am satisfied with the Fedora repo -
> but since i *never* install any software on any production machine
> without build a proper RPM for maintenance reasons *for sure* i
> will not shut up to recommend learning to build a package to anybody
> which types "make install" into any terminal for whatever software
>

Typical, you tell everybody 'do it my way', but won't explain just how
to do it for a particular package, in this case, Samba.

What I was trying to get across, this is the Samba mailing list and as
such, creating debs or rpms has no place here, it should be on the
relevant OS pages. If you can help someone with a Samba problem, then
this help will be welcome, but saying that you shouldn't compile Samba
with 'make install' isn't.

This is getting the OP nowhere, so I suggest we leave it there, before
one of us says something we later regret.

Rowland

Bart Coninckx via samba

Mar 6, 2017, 12:10:03 PM
>I think your problem is being caused by the OS not knowing your users
>and groups, have a look here:
>
>https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>
>But before you do that, UPGRADE your Samba version. I said that there
>have been a lot of improvements, one of them is the 'winbind' built
>into the 'samba' binary has been replaced by the same separate
>'winbindd' binary used on a domain member, this by itself is worth
>upgrading for.
>
>Rowland
 
Hi,

 
I think I successfully upgraded to the latest version. I see Winbindd being started as a part of the samba process. As the Winbindd wiki page said "To run Winbindd on a Samba Active Directory (AD) domain controller (DC), in most cases no configuration in the smb.conf file is required.", I changed nothing in the smb.conf file, except for adding a share.

Again, this share does not show the Security tab. 

I have not yet added a pointer record for the server, but I doubt that will be related.

Do you have pointers as to where the problem might be? 

 
Cheers,

 
BC

Bart Coninckx via samba

Mar 6, 2017, 1:20:03 PM
>Hi,
>

>I think I successfully upgraded to the latest version. I see Winbindd being started as a part of the samba process. As the Winbindd wiki page said "To run Winbindd on a Samba Active Directory (AD) domain controller (DC), in most cases no configuration in the smb.conf file is required.", I changed nothing in the smb.conf file, except for adding a share.
>
>Again, this share does not show the Security tab. 
>
>I have not yet added a pointer record for the server, but I doubt that will be related.
>
>Do you have pointers as to where the problem might be? 
>

>Cheers,
>

>BC
 
Adding a pointer record for the server didn't help either. I am going to test another Windows PC now to see if the problem exists there as well.

Bart Coninckx via samba

Mar 6, 2017, 1:40:03 PM
>Adding a pointer record for the server didn't help either. I am going to test another Windows PC now to see if the problem exists there as well.
>

>BC

The other Windows machine has the same issue. I have one symptom more now: when connecting to the DC, I get a "1745" error message in Windows. Will look that one up. 

If someone has any suggestions, please speak up. Upgrading Samba did not help, so I am looking for other alleys,

 
Cheers,

Rowland Penny via samba

Mar 6, 2017, 1:50:03 PM
On Mon, 6 Mar 2017 19:10:11 +0100
Bart Coninckx <in...@bitsandtricks.com> wrote:

>  
> Adding a pointer record for the server didn't help either. I am going
> to test another Windows PC now to see if the problem exists there as
> well.

This is strange, don't think I have ever had this problem.

Can you post the following files from the Samba AD DC:

/etc/hosts
/etc/hostname
/etc/resolv.conf
/etc/krb5.conf
/etc/nsswitch.conf

Can you also tell us the FQDN and IP address of the DC?

Rowland

Bart Coninckx via samba

Mar 6, 2017, 2:00:03 PM
>Adding a pointer record for the server didn't help either. I am going to test another Windows PC now to see if the problem exists there as well.
>

>BC

I just realized that I omitted an important piece of information and that is that I am using a separate EXT4 volume for my shares. I just did a test and it seems that shares on the same volume as sysvol and netlogon function as expected but shares on the second volume have the issue.

I just mounted that second volume with explicit acl and user_xattr options in fstab, but this makes no difference.

Rowland Penny via samba

Mar 6, 2017, 2:10:03 PM
On Mon, 6 Mar 2017 19:59:21 +0100
Bart Coninckx <in...@bitsandtricks.com> wrote:

>  
> will do - please have a look at my more recent post. The problem
> seems related to my separate data volume. Does a non-root ext4 volume
> need preparation to function as a Samba share?
>

I have and the answer to your question is NO.

Bart Coninckx via samba

Mar 6, 2017, 2:10:03 PM
>This is strange, don't think I have ever had this problem.
>
>Can you post the following files from the Samba AD DC:
>
>/etc/hosts
>/etc/hostname
>/etc/resolv.conf
>/etc/krb5.conf
>/etc/nsswitch.conf
>
>Can you also tell us the FQDN and IP address of the DC?
>
>Rowland

Hi Rowland,

 
will do - please have a look at my more recent post. The problem seems related to my separate data volume. Does a non-root ext4 volume need preparation to function as a Samba share?

 
BC

Rowland Penny via samba

Mar 6, 2017, 2:10:04 PM
On Mon, 6 Mar 2017 19:51:42 +0100
Bart Coninckx <in...@bitsandtricks.com> wrote:


> I just realized that I omitted an important piece of information and
> that is that I am using a separate EXT4 volume for my shares. I just
> did a test and it seems that shares on the same volume as sysvol and
> netlogon function as expected but shares on the second volume have the
> issue. 
>
> I just mounted that second volume with explicit acl and user_xattr
> options in fstab, but this makes no difference.

It wouldn't, amongst the defaults for EXT4 are 'acl' & 'user_xattr' and
it shouldn't matter if the shares are on a different partition.

Rowland

Bart Coninckx via samba

Mar 6, 2017, 2:10:04 PM
>> I just realized that I omitted an important piece of information and
>> that is that I am using a separate EXT4 volume for my shares. I just
>> did a test and it seems that shares on the same volume as sysvol and
>> netlogon function as expected but shares on the second volume have the
>> issue. 
>>
>> I just mounted that second volume with explicit acl and user_xattr
>> options in fstab, but this makes no difference.

>It wouldn't, amongst the defaults for EXT4 are 'acl' & 'user_xattr' and
>it shouldn't matter if the shares are on a different partition.
>
>Rowland

I agree. Yet it does. I just did the tests on https://wiki.samba.org/index.php/File_System_Support , which went successfully, so my EXT4 volume has the necessary attributes activated. For Samba there must exist a difference in between my root volume and my data volume.

 
This is my smb.conf currently:

 
# Global parameters
[global]
        netbios name = LX01
        realm = DOMAIN.COM
        workgroup = DOMAIN
        dns forwarder = 8.8.8.8
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[Data]
        path = /data/smb/data
        read only = No

[test]
        path = /test
        read only = No

Rowland Penny via samba

Mar 6, 2017, 2:30:04 PM
On Mon, 6 Mar 2017 20:06:31 +0100
Bart Coninckx <in...@bitsandtricks.com> wrote:

> >> I just realized that I omitted an important piece of information
> >> and that is that I am using a separate EXT4 volume for my shares.
> >> I just did a test and it seems that shares on the same volume as
> >> sysvol and netlogon function as expected but shares on the second
> >> volume have the issue. 
> >>
> >> I just mounted that second volume with explicit acl and user_xattr
> >> options in fstab, but this makes no difference.
>
> >It wouldn't, amongst the defaults for EXT4 are 'acl' & 'user_xattr'
> >and it shouldn't matter if the shares are on a different partition.
> >
> >Rowland
>
> I agree. Yet it does. I just did the tests
> on https://wiki.samba.org/index.php/File_System_Support , which went
> successfully, so my EXT4 volume has the necessary attributes
> activated. For Samba there must exist a difference in between my root
> volume and my data volume.

No, it shouldn't matter, here is the proof that it works:

smbclient -L dc1
Enter rowland's password:
Anonymous login successful
Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.5.3]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        data            Disk
        home            Disk
        data2           Disk
        images          Disk
        profiles        Disk
        dropbox         Disk
        IPC$            IPC       IPC Service (Samba 4.5.3)
Anonymous login successful
Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.5.3]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

Let's connect to 'data2':

rowland@devstation:~$ smbclient \\\\dc1\\data2
Enter rowland's password:
Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.5.3]
smb: \>

and here is the share in smb.conf:

[data2]
path = /mnt/2HD/thinkpad/rowland
read only = no

And here is the kicker, it isn't just on a different partition, it is
on a different Disk!

Rowland

Bart Coninckx via samba

Mar 6, 2017, 2:50:05 PM
What do you know: I experimented a bit with directory depths and all of a sudden I get the security tab. Me happy. For a very short while that is, because now I cannot open the DC anymore when I want to manage it. I now get "The program cannot open the required dialog box because no locations can be found."

Let's see if Google knows.

 
BC

Rowland Penny via samba

Mar 6, 2017, 3:00:02 PM
On Mon, 6 Mar 2017 20:44:22 +0100
Bart Coninckx <in...@bitsandtricks.com> wrote:

> What do you know: I experimented a bit with directory depths and all
> of a sudden I get the security tab. Me happy. For a very short while
> that is, because now I cannot open the DC anymore when I want to
> manage it. I now get "The program cannot open the required dialog box
> because no locations can be found."
>

Please post the conf files I asked for, let's start there.

Rowland

Miguel Medalha via samba

Mar 6, 2017, 3:10:03 PM

> What do you know: I experimented a bit with directory depths and all of a sudden I get the security tab. Me happy. For a very short while that is, because now I cannot open the DC anymore when I want to manage it. I now get "The program cannot open the required dialog box because no locations can be found."

You don't need to "experiment a bit with directory depths". Just use
absolute paths in share definitions, not relative ones.
Where in the filesystem tree is your "separate EXT4 volume" mounted?

Bart Coninckx via samba

Mar 6, 2017, 3:30:02 PM
>> What do you know: I experimented a bit with directory depths and all of a sudden I get the security tab. Me happy. For a very short while that is, because now I cannot open the DC anymore when I want to manage it. I now get "The program cannot open the required dialog box because no locations can be found."

>You don't need to "experiment a bit with directory depths". Just use
>absolute paths in share definitions, not relative ones.
>Where in the filesystem tree is your "separate EXT4 volume" mounted?
 
Hi,

 
the experimenting was part of the troubleshooting. A folder  in the root level was working fine, so instead of /data/smb/data, I tried /data. That worked, but using /data/smb/data (though probably unrelated) again worked from that point on.

 
We use absolute paths, relative does not make sense to us, because, relative to "what"?

The EXT4 volume is mounted to a folder in the root level. 

 
cheers,

 
BC

Bart Coninckx via samba

Mar 6, 2017, 3:40:03 PM
>Please post the conf files I asked for, let's start there.
>
>Rowland
 
At this point it seems to work reliably. I will send the files anyway. 

I also noticed that my Windows 7 station cannot get to the domain when IPv6 is enabled on Windows. Do you need any additional files for that or just the ones you asked before?

 
BC

Rowland Penny via samba

Mar 6, 2017, 3:50:03 PM
On Mon, 6 Mar 2017 21:34:25 +0100
Bart Coninckx <in...@bitsandtricks.com> wrote:

>
> I also noticed that my Windows 7 station cannot get to the domain
> when IPv6 is enabled on Windows. Do you need any additional files for
> that or just the ones you asked before?

No, just the ones I asked for.
Is IPv6 set up on the DC?

It shouldn't matter if the share is in /data/smb/data as long as the
path in the share in smb.conf contains the full path to the share.

Rowland

Bart Coninckx via samba

Mar 6, 2017, 4:30:03 PM
>No, just the ones I asked for.
>Is IPv6 set up on the DC?

 
I previously disabled it, but enabled it again as per advice on several webpages on the subject.


>It shouldn't matter if the share is in /data/smb/data as long as the
>path in the share in smb.conf contains the full path to the share.

 
The smb.conf seems correct. At the moment things seem stable.

 
BC
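
The two checks raised in this thread (every share path in smb.conf is absolute, and which volume and mount options sit behind each share), as an added example that is not from any poster or from the Samba project. The function names, the `[rel]` and `[scratch]` shares and the mount table are constructed for illustration; `acl` and `user_xattr` being ext4 defaults is taken from the reply above, so only the explicit `noacl` / `nouser_xattr` opt-outs are reported.

```python
import posixpath

# Constructed input: [Data] is from the thread's smb.conf; [rel] and [scratch] are hypothetical.
SMB_CONF = """\
[global]
idmap_ldb:use rfc2307 = yes
 [Data]
        path = /data/smb/data
 [rel]
path = smb/data
 [scratch]
path = /mnt/scratch/share
"""
# Constructed /proc/mounts-style table; devices and mount points are assumptions.
MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /data ext4 rw,relatime 0 0
/dev/sdc1 /mnt/scratch ext4 rw,relatime,noacl 0 0
"""

def parse_shares(text):
    """Return {share: path}; hand-rolled since keys may contain ':' and headers may be indented."""
    shares, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and line[0] not in "#;" and section:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "path" and section.lower() != "global":
                shares[section] = value
    return shares

def mount_for(path, mounts_text):
    """Longest-prefix match of a path against the mount table."""
    best = ("", "?", [])
    for _dev, mp, fstype, opts, *_ in (l.split() for l in mounts_text.splitlines() if l.strip()):
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best[0]):
            best = (mp, fstype, opts.split(","))
    return best

def audit(conf_text, mounts_text):
    """Return {share: [findings]}; only explicit ACL/xattr opt-outs and relative paths are flagged."""
    report = {}
    for share, path in parse_shares(conf_text).items():
        mp, fstype, opts = mount_for(posixpath.normpath(path), mounts_text)
        report[share] = [f"{mp} ({fstype}) is mounted with {o}"
                         for o in ("noacl", "nouser_xattr") if o in opts]
        if not posixpath.isabs(path):
            report[share] = ["path is not absolute: " + path]
    return report
```

On a live DC, pass the contents of the server's smb.conf and of /proc/mounts to `audit()`; an empty list for a share means neither check found anything.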