Date: Tue, 18 Sep 2018 00:00:21 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 231437] net/samba48: does not honor %U macro
Message-ID: <bug-231437-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231437

            Bug ID: 231437
           Summary: net/samba48: does not honor %U macro
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: timur@FreeBSD.org
          Reporter: dougs@dawnsign.com
             Flags: maintainer-feedback?(timur@FreeBSD.org)

Upgrading from 4.6 to 4.8 breaks the use of the %U macro used in the [home] folder.

smb4.conf:

#======================= Global Settings =======================
[global]
# This would be your AD Domain (kerberos realm)
realm = EXAMPLE.COM
security = ADS
encrypt passwords = yes
workgroup = EXAMPLE
server string =
hosts allow = 192.168.xxx. 192.168.xxx. 127.
name resolve order = lmhosts bcast
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
# Uncomment this if you want 139 open, but why would you? We're doing SMB over
# TCP only. No NetBIOS here
smb ports = 445
disable netbios = Yes
# ver 4.1 - RID backend
idmap config EXAMPLE:range = 50001-60000
idmap config EXAMPLE:default = yes
idmap config EXAMPLE:backend = rid
idmap config *:range = 1000-50000
idmap config *:backend = tdb
winbind separator = -
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind cache time = 10
winbind offline logon = yes
winbind refresh tickets = yes
kerberos method = secrets and keytab
dedicated keytab file = /usr/local/etc/krb5.keytab
winbind nss info = rfc2307
# ver 4.1
client ldap sasl wrapping = seal
directory name cache size = 0
# workaround to constant error messages in log.192.168.101.175
# prevent winbindd from changing machine password
# https://lists.samba.org/archive/samba/2016-September/203338.html
machine password timeout = 0
#################
### Member Server
#################
# Browser settings
preferred master = no
local master = no
domain master = no
#= Disable Printing/Cups =============
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Change this to where you want the samba log
log file = /var/log/samba4/log.%m
# Debug goes from 1 to 10 * 10 way too much info for me to understand ;)
#debug level = 10
log level = 2
#log level = 0
# Settings to enhance performance:
strict locking = no
read raw = yes
write raw = yes
#oplocks = yes
max xmit = 65535
deadtime = 15
getwd cache = yes
max connections = 65535
max open files = 65535
use sendfile = true
aio read size = 16384   # Use asynchronous I/O for reads bigger than 16KB request size
aio write size = 16384  # Use asynchronous I/O for writes bigger than 16KB request size
#aio write behind = true
min receivefile size = 16384
strict sync = no
sync always = no
# End of performance section
#assuming you installed bash - change as needed
template shell = /bin/bash
guest account = nobody
admin users = EXAMPLE-user EXAMPLE-admin @"EXAMPLE-domain admins"
# ZFS stuff
read only = no
inherit permissions = Yes
# allow ZFS to handle inheritance
inherit acls = No
inherit owner = Yes
force unknown acl user = No
store dos attributes = yes
map read only = no
map acl inherit = yes
vfs objects = zfsacl acl_xattr audit netatalk
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes

#======================= Share Definitions =======================
# Share - man smb.conf for details
[public]
comment = test share
# this share resides on an UFS filesystem!
path = /zdata/public
public = yes
writable = yes
printable = no
write list = @"EXAMPLE-domain admins"

[apps]
comment = Folder for applications
path = /zdata/apps
valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain users"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[clients]
comment = Folder for Internet client software for domain admins' use
path = /zdata/clients
valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain users"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[downloads]
comment = Folder for downloads for domain admins' use
path = /zdata/downloads
valid users = @"EXAMPLE-domain admins"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[groups]
comment = Departmental folders
path = /zdata/groups
valid users = "@EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
force create mode = 0770
force directory mode = 0770
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
# vfs objects = zfsacl, shadow_copy2, full_audit
vfs objects = zfsacl, shadow_copy2
shadow: snapdir = .zfs/snapshot
shadow: format = %Y-%m-%dT%H:%M:%S
shadow: snapdirseverywhere = yes
shadow: sort = desc
shadow: localtime = no
# full_audit:prefix = %u|%I
# full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
# full_audit:failure = none
# full_audit:facility = LOCAL7
# full_audit:priority = ALERT

[mac_software]
comment = repository for all Mac OSX-related software
path = /zdata/mac_software
valid users = @EXAMPLE-production @"EXAMPLE-domain admins" @EXAMPLE-marketing
writable = yes
printable = no
force create mode = 0770
force directory mode = 0770
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[ops]
comment = Folder for the old OPS files
path = /zdata/ops
valid users = @EXAMPLE-sales @"EXAMPLE-domain admins"
writeable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[payroll]
comment = Folder for sensitive payroll functions
path = /zdata/payroll
valid users = @EXAMPLE-payroll "@EXAMPLE-domain admins"
browseable = yes
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[perform]
comment = Folder for purchase orders using Perform software
path = /zdata/apps/PERFORM
valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
writeable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[pye]
comment = Folder for year-end financial backups
path = /zdata/pye
valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
writeable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[reports]
comment = Folder for CRW reports
path = /zdata/reports
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[shared]
comment = Folder for intra-company sharing
path = /zdata/shared
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[star]
comment = Folder for old Starship shipping data
path = /zdata/star
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[tm]
comment = Folder for old TeleMagic data
path = /zdata/tm
valid users = @"EXAMPLE-domain admins"
# read list = @"EXAMPLE-domain users"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[x-groups]
comment = Old Groups Folder for intra-company sharing
path = /zdata/x-groups
valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain admins"
writable = yes
printable = no
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
inherit permissions = Yes
inherit owner = Yes
map archive = No
vfs objects = zfsacl

[profiles]
comment = Users profiles
# path = /zdata/profiles/%U
path = /zdata/profiles
# guest ok = no
browseable = no
read only = no
force create mode = 0600
force directory mode = 0700
create mask = 0600
directory mask = 0700
valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
store dos attributes = Yes
# commenting this out for v4.8
# profile acls = yes
csc policy = disable
# inherit permissions = Yes
# inherit owner = Yes
# delete veto files = Yes
# veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
# hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
# map archive = No
vfs objects = zfsacl
force user = EXAMPLE-%U

# uncomment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
[home]
comment = Home directories for AD users
path = /zdata/home
# browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
read only = no
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only "username" can connect to \\server\username
# This might need tweaking when using external authentication schemes
## valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
# inherit permissions = Yes
# inherit owner = Yes
delete veto files = Yes
veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/$RECYCLE.BIN/
# map archive = No
# map readonly = no
vfs objects = zfsacl, shadow_copy2, full_audit
full_audit:prefix = %u|%I
full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = ALERT
shadow: snapdir = .zfs/snapshot
shadow: format = %Y-%m-%dT%H:%M:%S
shadow: snapdirseverywhere = yes
shadow: sort = desc
shadow: localtime = no

/etc/nsswitch.conf:

# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/11.2/etc/nsswitch.conf 301711 2016-06-09 01:28:44Z markj $
#
group: files winbind
#group: compat
#group_compat: nis
hosts: files dns winbind
netgroup: compat
networks: files
passwd: files winbind
#passwd: compat
#passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

Changing from EXAMPLE-%U to @"EXAMPLE-domain users" allows my users to access their home folders successfully. Not sure why the %U macro isn't working for me here. All of the other shares are accessible. None of my other FreeBSD servers running samba48 have [home] folders, so I am unable to test.

Changing the user macro to a domain user group in the [profiles] folder allows my users to access their profiles. However, I am concerned about the "force user" parameter, as this is on a per-user basis, not per group.

~Doug

-- 
You are receiving this mail because:
You are the assignee for the bug.
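An added example, not part of the bug report or of the samba48 port: a small Python lint that parses an smb.conf and lists every share-level access-control parameter whose value depends on the %U/%u username macro. Those are the settings (here "valid users" in [home] and [profiles], and "force user" in [profiles], mirroring the report) whose effect changes silently when macro expansion behaves differently after an upgrade, so they are the ones to re-verify first. The parser, the parameter list and the constructed sample config are assumptions of mine, not Samba code.

```python
"""Lint an smb.conf for access-control parameters that depend on %U/%u expansion."""
import re
from typing import Dict, List, Tuple

# Share-level parameters where a username macro decides who gets in, who the
# connection runs as, or where it lands. Assumed list, chosen for this check.
ACCESS_PARAMS = {"valid users", "invalid users", "force user", "admin users",
                 "read list", "write list", "path"}
USER_MACRO = re.compile(r"%[Uu]")

# Constructed sample: the two macro-dependent shares from the report, trimmed.
SAMPLE_SMB_CONF = """
[global]
workgroup = EXAMPLE
winbind separator = -
[profiles]
# path = /zdata/profiles/%U
path = /zdata/profiles
valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
force user = EXAMPLE-%U
[home]
path = /zdata/home
## valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
"""

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, 'key = value' lines; '#'/';' comments skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Parameter names are case-insensitive; collapse internal whitespace too.
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def macro_dependent_params(text: str) -> List[Tuple[str, str, str]]:
    """Return (share, parameter, value) for non-global access parameters using %U/%u."""
    hits = []
    for share, params in parse_smb_conf(text).items():
        if share == "global":
            continue
        for key in sorted(params):
            if key in ACCESS_PARAMS and USER_MACRO.search(params[key]):
                hits.append((share, key, params[key]))
    return hits
```

Point it at /usr/local/etc/smb4.conf (read the file into a string) to get the same list for a real server; every line it reports is a share whose access decision is only as good as the macro expansion for each connecting user.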