[Samba] Share with Domain Users Full Control permissions, not accessible by domain user

Mason Schmitt mason at ftlcomputing.com
Wed Feb 20 23:45:07 UTC 2019


Hello,

I'm really stumped and would greatly appreciate some help.

*Situation*
I have a couple of Windows 10 Pro hosts that I have joined to a Samba4 AD
domain.  I have created 3 users in the domain, one that is a member of
Domain Admins and two that are only members of the Domain Users group.  I
have two samba shares (details below) on a separate samba file server.  The
share permissions were set using RSAT.  The samba file server was joined to
the Samba4 AD domain using the realm command and specifying the use of
winbind, not SSSD.  Post-join testing seems to suggest that the join was
successful.

If I log into either of the windows hosts, using any one of the three
users, I can go to \\fileserver and see the two shares.  All three users
are able to enter the "users" share without any errors.  However, only the
Domain Admin user is able to enter the "operations" share.  When the other
two users attempt to enter the share, an error window pops up saying that I
do not have permission to access \\fileserver\operations.  I'm happy to
provide any logs you might want to see.


*Expectation*
I want the members of the Domain Users group to be able to do CRUD
operations within the operations share.


*Details*

*# The two servers*
*ad1*

   - Ubuntu 18.04.2
   - Samba version 4.7.6-Ubuntu from the 2:4.7.6+dfsg~ubuntu-0ubuntu2.6
   Ubuntu package
   - Configured as AD DC

*fileserver*

   - CentOS 7.6
   - smbd version 4.8.3 from the samba-4.8.3-4.el7.x86_64 EPEL package
   - Added as a domain member using the realm command and specifying the
   use of winbind, not sssd


*# smb.conf file on fileserver*

[global]
kerberos method = system keytab
workgroup = FTLC
security = ads
realm = AD.FTLCOMPUTING.COM

# Logging
log file = /var/log/samba/%m.log
log level = 5

# We're using the RID method of mapping SIDs to UID/GID
idmap config FTLC : range = 2000000-2999999
idmap config FTLC : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb

# All linux users, logging in using an AD account
# will have their shell and home dir set as follows
template shell = /bin/bash
template homedir = /home/%U@%D

# Winbind
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no

# Map domain admin account to local root account
# and resolve other "net rpc" issues
username map = /etc/samba/user.map
bind interfaces only = yes
interfaces = lo eth0

# Enable Windows ACL support
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes


##################################
#                          Shares                          #
##################################
# All shares will be created within the /srv/samba/shares/ folder,
# except for home dirs which are in /srv/samba/users/
# For example:
#[test]
#       path = /srv/samba/shares/test
#       comment = Test Share
#       guest ok = no
#       read only = no

[users]
        path = /srv/samba/users
        comment = Share for user home dirs
        guest ok = no
        read only = no

[operations]
        path = /srv/samba/shares/Operations
        comment = FTL Operations
        guest ok = no
        read only = no


*# Windows Share Permissions (set using RSAT tools)*

For the users share:
Domain Admins - Full Control
Domain Users - Change

For the operations share:
Domain Admins - Full Control
Domain Users - Full Control


*# Windows File Permissions (set using RSAT tools)*

For the users share:
Domain Admins - Full control - This folder, subfolders and files
CREATOR OWNER - Full control - Subfolders and files only
Domain Users - Read & execute - This folder only

For the operations share:
Domain Admins - Full control - This folder, subfolders and files
CREATOR OWNER - Full control - Subfolders and files only
Domain Users - Read & execute - This folder, subfolders and files


*# POSIX filesystem details (set using chown and chmod)*

/srv/samba/users/
drwxrwx---+ 2 root FTLC\domain admins.

/srv/samba/shares/Operations/
drwxrwx---. 2 root FTLC\domain admins


*# Output from getfacl*

# file: users/
# owner: root
# group: FTLC\134domain\040admins
user::rwx
user:root:rwx
user:2000512:rwx
user:2000513:r-x
group::rwx
group:FTLC\134domain\040admins:rwx
group:FTLC\134domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:2000512:rwx
default:group::---
default:group:FTLC\134domain\040admins:rwx
default:mask::rwx
default:other::---


# file: shares/Operations/
# owner: root
# group: FTLC\134domain\040admins
user::rwx
user:root:rwx
user:2000512:rwx
user:2000513:rwx
group::rwx
group:FTLC\134domain\040admins:rwx
group:FTLC\134domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:2000513:rwx
default:group::r-x
default:group:FTLC\134domain\040admins:r-x
default:group:FTLC\134domain\040users:rwx
default:mask::rwx
default:other::---


Thanks!

--
Mason
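As an added example (not part of the post, and not Samba's own code), a small Python script that parses the getfacl output quoted above for the Operations share and computes which permissions the kernel's POSIX ACL check would grant a caller, following the POSIX.1e order (owner, named user, owning and named groups, other) and applying the mask. The user and group identifiers passed in are assumptions; the script accepts both names and numeric ids because the quoted ACL mixes the two.

```python
import re

# Constructed sample: the access entries getfacl printed for the Operations share in the post above (\134 is a backslash, \040 a space).
SAMPLE_GETFACL = r"""
# owner: root
# group: FTLC\134domain\040admins
user::rwx
user:2000513:rwx
group::rwx
group:FTLC\134domain\040admins:rwx
group:FTLC\134domain\040users:rwx
mask::rwx
other::---
""".strip()

def unescape(name):
    """Decode getfacl's \\NNN octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return owner, group and the access entries (tag, qualifier, perms) of one block."""
    acl = {"owner": "", "group": "", "entries": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition(":")
            if key in ("owner", "group"):
                acl[key] = unescape(value.strip())
        elif line and not line.startswith("default:"):
            entry = line.split("#", 1)[0].strip()      # drop "#effective:" notes
            tag, qualifier, perms = entry.split(":", 2)
            acl["entries"].append((tag, unescape(qualifier), set(perms) - {"-"}))
    return acl

def effective_perms(acl, user_ids, group_ids):
    """POSIX.1e check order: owner, named user, owning/named groups, other; every entry but
    the owner's is cut down by the mask.  user_ids/group_ids hold each spelling (name or id)."""
    entries = acl["entries"]
    find = lambda tag, q: next((p for t, x, p in entries if t == tag and x == q), None)
    mask = find("mask", "") if find("mask", "") is not None else set("rwx")
    if acl["owner"] in user_ids:
        return find("user", "")
    named = [find("user", u) for u in user_ids if find("user", u) is not None]
    if named:
        return named[0] & mask
    gids = set(group_ids) | ({""} if acl["group"] in group_ids else set())
    groups = [find("group", g) for g in gids if find("group", g) is not None]
    if groups:
        return set().union(*groups) & mask
    return find("other", "") or set()
```

This only models the POSIX ACL layer; Samba additionally checks the share-level ACL set under "Share Permissions" and the NT ACL that acl_xattr stores in an extended attribute, so a pass here rules out just one of the three places a deny can come from.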
