[Samba] Samba shares with Windows ACL's

Peter Pollock peter.pollock at kingschristian.org
Wed Nov 4 23:26:07 UTC 2020 

So... I have discovered that the issue is with pre-existing directories.

If I make a new directory, do all the share stuff and then copy the old
files in, it works fine. If I just try to share the pre-existing directory,
it doesn't work.

That's not terribly convenient, but it won't take too much work to make new
directories and move the files over to them.

On Wed, Nov 4, 2020 at 12:10 PM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 04/11/2020 20:01, Peter Pollock wrote:
> >
> >
> >
> >     OK, you are using the winbind 'rid' backend, so it is okay to use
> >     'Domain Admins', so start again and follow that wikipage:
> >
> >     Ensure you have the 'acl' & 'attr' packages installed (this is
> >     what they
> >     are called on Debian based distros)
> >
> > They are installed. I built the server using the walk through you gave
> me.
> >
> >
> >     Ensure that 'Domain Admins' has the 'SeDiskOperatorPrivilege'
> >     privilege,
> >     this must be granted on the Unix domain member, or to put it another
> >     way, the command must be run on the Unix domain member that holds
> >     the share.
> >
> >
> >  itadmin at john:~$ net rpc rights list privileges
> > SeDiskOperatorPrivilege -U "INTERNAL\administrator"
> > Enter INTERNAL\administrator's password:
> > SeDiskOperatorPrivilege:
> >   INTERNAL\Domain Admins
> >   BUILTIN\Administrators
> >
> >
> >     Ensure the share directory belongs to 'root:Domain Admins' with 0770
> >     permissions
> >
> >
> > itadmin at john:~$ ls -l /hdd
> > drwxrwx---+ 192 root   domain admins 12288 Sep  4 12:02 roaming
> >
> >
> >     Now go to a Windows PC, log in as Administrator or as a member of the
> >     'Domain Admins' group.
> >
> >
> > Logged in as peterpollock
> >
> > itadmin at john:~$ getent group "domain admins"
> > domain
> >
> admins:x:10512:backupadmin,administrator,kevindalafu,peterpollock,domainadmin
> >
> >
> >     Follow 'Setting Share Permissions and ACLs'
> >
> >
> > Followed the instructions again. Got through to the second to last
> > line, clicked OK to close the permissions window and a "Windows
> > Security Setting security information on:" window popped up and
> > immediately an error window popped up telling me that it could not
> > enumerate objects in the container and access was denied.
> >
> >
> >     Do not run chmod against the share directory once the shares are set
> >     from Windows.
> >
> >     If it still doesn't work, suspect something like Apparmor or Selinux.
> >
> >
> > I have uninstalled Apparmor because it has only ever caused me issues.
> > Selinux is installed but not activated.
> >
> > I'm at a loss.
>
> As am I 🙁
>
> OK, it is late here, so nothing is going to happen tonight, but in the
> morning I will install Debian 10 in a VM, install Samba using the 'rid'
> backend and see what happens.
>
> Rowland
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list