[Samba] Issue creating share on Windows domain-joined Debian 12 Server

Rowland Penny rpenny at samba.org
Wed Oct 18 07:25:21 UTC 2023


On Tue, 17 Oct 2023 19:12:17 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 17 Oct 2023 11:34:35 -0600
> Joel R Smith via samba <samba at lists.samba.org> wrote:
> 
> > Environment:
> > New install of Debian 12 (Physical Server)
> > Latest Samba via apt (4.17.12)
> > 
> > So I am most of the way there getting this to work. I have
> > successfully joined the Debian server to our Windows domain. I have
> > created a "Unix Admins" Windows security group with the
> > "SeDiskOperatorPrivilege" enabled. The file share exists although I
> > am not yet able to open it. The problem I am having is when
> > attempting to manage the share by connecting to the Linux server in
> > Windows using Computer Management > Shared Folders > Shares > "Share
> > Name" > Properties. In the properties of the share when I go to the
> > "Security" tab, the following message appears: "You must have read
> > permissions to view the properties of this object". I am unable to
> > take ownership through the interface.
> > 
> > Some strange behavior I also noticed that may be related: When I
> > attempt to map the domain account I am using to the local root
> > account (user.map: !root = NETWORK\Admin) I am unable to connect to
> > the Debian server using computer management. It immediately gives an
> > error and the Computer Management MMC opens up blank. Immediately
> > after commenting out the user.map line and running smbcontrol all
> > reload-config I can again connect to the server with Computer
> > Management.
> > 
> > Here are the guides I have been referencing:
> > 
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
> Did you miss the part about 'Setting up a Basic smb.conf File',
> particularly the part about selecting an idmap backend?
> 
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > 
> > 
> > contents of smb.conf:
> > 
> > workgroup = network
> > password server = dc.network.domain.ca
> 
> You shouldn't set the 'password server', you should allow Samba to
> find the best DC to use.
> 
> > realm = NETWORK.DOMAIN.CA
> > security = ads
> > idmap config * : range = 16777216-33554431
> 
> There aren't enough 'idmap config' lines. Also, that is a strange
> range; could you also be running sssd?
> 
> > template homedir = /home/%D/%U
> 
> That is the default.
> 
> > template shell = /bin/bash
> > winbind use default domain = true
> > winbind offline logon = false
> > min protocol = SMB3
> > passdb backend = smbpasswd
> 
> Why? The default is the much newer tdbsam.
> 
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > username map = /etc/samba/user.map
> 
> What are the contents of the user.map?

My mistake, I missed that you have set the user.map to:

!root = NETWORK\Admin

If that is exactly what is in your user.map, can I suggest you add
'istrator' to the end of it, i.e. make it look like this:

!root = NETWORK\Administrator

Then connect as the domain Administrator.

Rowland
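
The points raised in the reply above, collected into a small checker (an added example, not part of the original message and not Samba project code). The function names are hypothetical, and the rule that both `*` and the workgroup domain need a `backend` and a `range` line is this example's reading of "not enough 'idmap config' lines".

```python
import re

# Constructed sample: [global] lines and the user.map entry quoted above.
SAMPLE_CONF = """\
workgroup = network
password server = dc.network.domain.ca
security = ads
idmap config * : range = 16777216-33554431
passdb backend = smbpasswd
"""
SAMPLE_MAP = "!root = NETWORK\\Admin\n"

def parse_params(text):
    """Return {parameter: value}; names lowercased, whitespace collapsed."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params

def idmap_settings(params):
    """Map domain -> options ('backend', 'range') that have a line."""
    found = {}
    for key in params:
        m = re.fullmatch(r"idmap config (\S+) ?: ?(\w+)", key)
        if m:
            found.setdefault(m.group(1).upper(), set()).add(m.group(2))
    return found

def review(conf_text, map_text=""):
    """Return one finding per point raised in the reply."""
    p, findings = parse_params(conf_text), []
    if "password server" in p:
        findings.append("password server is set; let Samba find the DC")
    idmap = idmap_settings(p)
    for dom in ("*", p.get("workgroup", "WORKGROUP").upper()):
        missing = sorted({"backend", "range"} - idmap.get(dom, set()))
        if missing:
            findings.append(f"idmap config {dom}: missing {', '.join(missing)}")
    if p.get("passdb backend", "").lower().startswith("smbpasswd"):
        findings.append("passdb backend = smbpasswd; the default is tdbsam")
    for line in map_text.splitlines():
        unix, _, win = (s.strip() for s in line.partition("="))
        if unix.lstrip("!") == "root" and not win.lower().endswith("\\administrator"):
            findings.append(f"root mapped to {win}; reply suggests the domain Administrator")
    return findings
```

`review(SAMPLE_CONF, SAMPLE_MAP)` returns five findings for the quoted configuration; a file that passes returns an empty list.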
