[Samba] samba4 active directory - all permissions seem to be messed up

Luis Peromarta lperoma at icloud.com
Fri Nov 10 09:44:14 UTC 2023


Hi. Please reply to the list, not to me.

The passdb backend line is not needed on a member server.

I don’t think you’ve mapped Administrator to root.

See

http://samba.bigbird.es/doku.php?id=samba:file-server

Scroll down to “map administrator to root” and try again.

Regards.

LP

On 10 Nov 2023 at 08:25 +0000, Jürgen Echter <j.echter at echter-kuechen-elektro.de>, wrote:
> Hi Luis,
>
> here is my smb.conf for DC1:
>
> [global]
>     netbios name = SMBADDC1
>     realm = SAMDOM.DOMAIN.LOC
>     server role = active directory domain controller
>     workgroup = SAMDOM
>     dns forwarder = 192.168.0.1
>     tls keyfile  = tls/SMBADDC1.key
>     tls certfile = tls/SMBADDC1.crt
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/SAMDOM.DOMAIN.LOC/scripts
>     read only = No
>
> for DC2:
>
> [global]
>     netbios name = SMBADDC2
>     realm = SAMDON.DOMAIN.LOC
>     server role = active directory domain controller
>     workgroup = SAMDOM
>     dns forwarder = 192.168.0.1
>     tls keyfile  = tls/SMBADDC2.key
>     tls certfile = tls/SMBADDC2.crt
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>     acls = yes
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/samdom.domain.loc/scripts
>     read only = No
>
> for DC3:
>
> [global]
>     netbios name = SMBADDC3
>     realm = SAMDOM.DOMAIN.LOC
>     server role = active directory domain controller
>     workgroup = SAMDOM
>     dns forwarder = 192.168.0.1
>
>     tls enabled  = yes
>     tls keyfile  = tls/SMBADDC3.key
>     tls certfile = tls/SMBADDC3.crt
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> [netlogon]
>     path = /var/lib/samba/sysvol/samdom.domain.loc/scripts
>     read only = No
>
> and for the member server with the shares:
>
> [global]
> #log level = 10
> #debug pid = yes
>         security = ADS
>         workgroup = SAMDOM
>         realm = SAMDOM.DOMAIN.LOC
>
>         winbind refresh tickets = Yes
>
>         winbind nss info = template
>         template shell = /bin/bash
>         template homedir = /home/%U
>         idmap config ELEMAY : backend = rid
>         idmap config ELEMAY : range = 10000-999999
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>
>     passdb backend = tdbsam
>
>     printing = cups
>     printcap name = cups
>     load printers = yes
>     cups options = raw
>
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>
>     aio read size = 1
>     aio write size = 1
>
> [share1]
>    path = /srv/samba/share1
>    browseable = yes
>    read only = no
>    guest ok = no
>    vfs objects = acl_xattr recycle io_uring
>    recycle:repository = .recycle
>    recycle:keeptree = yes
>    recycle:versions = yes
>    recycle:directory_mode = 0770
>    acl_xattr:ignore system acls = yes
>
> [share2]
>    path = /srv/samba/share2
>    browseable = Yes
>    read only = no
>    guest ok = no
>    vfs objects = acl_xattr recycle io_uring
>    recycle:repository = .recycle
>    recycle:keeptree = yes
>    recycle:versions = yes
>    recycle:touch_mtime = yes
>    recycle:directory_mode = 0770
>    acl_xattr:ignore system acls = yes
>
>
>
> On Friday, November 10, 2023 07:55 CET, Luis Peromarta via samba <samba at lists.samba.org> wrote:
>
> > It would be easier if you shared your smb.conf file for DCs and member server.
> >
> > LP
> > On 9 Nov 2023 at 22:12 +0000, Jürgen Echter via samba <samba at lists.samba.org>, wrote:
> > >
> > > Hi,
> > >
> > > I have a big issue here.
> > >
> > > I have 3 samba addc domain controllers (Version 4.19.2) and one member server (Version 4.17.5).
> > >
> > > Out of the blue I cannot delete my own files anymore - access denied - user DOMAIN/administrator has to give you permission to do so.
> > >
> > > If I type 'whoami' in a Windows cmd I get domain/administrator, so I am the user which holds the permissions on the files. Security tab looks good to me - Domain Admins - Full Access, Administrator - Full Access
> > >
> > > If I check the permissions on the share itself everything is looking like I set it up (I check in Windows on the security tab). If I try to redo the permissions from within Windows I get 'cannot enumerate objects in container - access denied.'
> > >
> > > ls -alh on the member server tells me root:"SAMDOM/Domain Admins" is the owner of the directory.
> > >
> > > smb.conf on the member server:
> > >
> > > [share]
> > > path = /srv/samba/share
> > > acl_xattr:ignore system acls = yes
> > >
> > > Shares were created like this wiki entry tells me to do: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > >
> > > Everything worked until today, when I wanted to check why another share isn't inheriting the permissions to subfolders.
> > >
> > > I only touched the share which didn't work as expected, so I have no clue why all of a sudden all my permissions seem to have been messed up.
> > >
> > > I also removed an old DC 2 weeks ago and added a new one. So I guess this has nothing to do with it either.
> > >
> > > I really would appreciate any helping hand here. I can provide screenshots or whatever is needed. The error messages may not be accurate as I translated the German error messages I got.
> > >
> > > Thanks for listening and hopefully some hints on what could have gone wrong with my setup.
> > >
> > > Juergen
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
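The two points in the reply above (a stray passdb backend line on the member server, and Administrator not mapped to root) can be checked mechanically. The script below is an added example, not from the thread or the Samba project; it also flags, as a generalisation, any "idmap config <NAME>" whose NAME is neither '*' nor the workgroup, and the user.map path in the corrected sample is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: audit a member server smb.conf for a stray
# "passdb backend" line, Administrator not mapped to root (no "username map"), and,
# as a generalisation, an "idmap config <NAME>" whose NAME is neither '*' nor the workgroup.
# Constructed sample modelled on the member server [global] section in the thread.
BROKEN_CONF=$(mktemp)
cat > "$BROKEN_CONF" <<'EOF'
[global]
        security = ADS
        workgroup = SAMDOM
        idmap config ELEMAY : backend = rid
        idmap config ELEMAY : range = 10000-999999
        idmap config * : backend = tdb
    passdb backend = tdbsam
EOF
# Constructed corrected version; the user.map path is an assumption.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
[global]
        security = ADS
        workgroup = SAMDOM
        username map = /etc/samba/user.map
        idmap config SAMDOM : backend = rid
        idmap config SAMDOM : range = 10000-999999
        idmap config * : backend = tdb
EOF

# conf_get FILE KEY -> value of the first KEY line (comments stripped, key case-insensitive)
conf_get() {
    sed -e 's/[#;].*$//' "$1" | awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        tolower(k) == tolower(key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# audit_member_conf FILE -> one finding per line on stdout (no output = clean)
audit_member_conf() {
    f="$1"; wg=$(conf_get "$f" workgroup)
    if [ "$(conf_get "$f" security | tr 'A-Z' 'a-z')" = ads ] && [ -n "$(conf_get "$f" "passdb backend")" ]; then
        echo "passdb backend is set but not needed on an ADS member server"
    fi
    [ -n "$(conf_get "$f" "username map")" ] || echo "no 'username map': Administrator is not mapped to root"
    # "idmap config <NAME> : <option>" lines: NAME must be '*' or the workgroup
    sed -e 's/[#;].*$//' "$f" | awk -F: -v wg="$wg" '
        tolower($1) ~ /^[ \t]*idmap config[ \t]+/ {
            n = $1; sub(/^[ \t]*/, "", n); n = substr(n, 13); gsub(/^[ \t]+|[ \t]+$/, "", n)
            if (n != "*" && tolower(n) != tolower(wg) && !seen[n]++)
                print "idmap config domain \"" n "\" is not the workgroup \"" wg "\""
        }'
}
echo "broken:"; audit_member_conf "$BROKEN_CONF"; echo "fixed:"; audit_member_conf "$FIXED_CONF"
```

On a real member server, feed it the output of `testparm -s` rather than the raw file so includes and defaults are resolved first.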