[Samba] permission denied with windows acls

Rowland Penny rpenny at samba.org
Mon Jan 29 20:33:58 UTC 2024


On Mon, 29 Jan 2024 09:27:58 -0800
Peter Carlson via samba <samba at lists.samba.org> wrote:

> 
> On 1/29/24 08:17, Rowland Penny via samba wrote:
> > On Mon, 29 Jan 2024 07:55:05 -0800
> > Peter Carlson via samba<samba at lists.samba.org>  wrote:
> >
> >> Just to make sure this morning, I created another VM and it behaves
> >> the same, so obviously we have something slightly different in our
> >> configs. I think we have gone through the client side pretty
> >> thoroughly and they are the same.  That leaves:
> >>
> >>    * our security settings on the share -  but you said that your
> >> machine isn't in domain users and domain computers doesn't have
> >> access to the share.  What else there to test here?
> >>    * file server samba settings
> >>    * possibly version differences
> >>        o Client: Version 4.15.13-Ubuntu
> >>        o File Server: Version 4.19.0pre1-GIT-1e793357906
> >>        o Domain Controller: Version 4.18.0pre1-GIT-d385058ce7c
> >>        o I was doing some work on generic user level linux GPOs
> >> which is why the DC and FS are running from source
> >>    * or even at the DC.?
> >>
> >> What's the easiest way to proceed?  I can post pretty much any
> >> config needed.
> >>
> > The share I am mounting is a simple share on a Unix domain member
> > using the 'rid' backend (as is the client), these are the
> > permissions on the share:
> >
> > ls -lad /srv/share
> > drwxrwx--- 3 rowland domain users 4096 Jan 28 21:48 /srv/share
> >
> > The share in smb.conf is this:
> >
> > [data]
> >      path=/srv/share
> >      read only = no
> >
> > With that, I can start my VM and find the share in /mnt/test
> >
> > I think my next step will have to be to set up a new share on the
> > server, but this time set the permissions from Windows and see if
> > that mounts on the Unix client. But it will have to be tomorrow now.
> >
> > Rowland
> >
> No worries on the timeline, I appreciate the help!

OK, I thought I had to go and do something, but it got cancelled.
So I set up yet another couple of shares, one using windows permissions
like yours, the other giving Domain Users full control, they both mount
and work.

> 
> here is my windows share permissions:
> https://pasteboard.co/m6j9vYkRkt3q.png
> 
> here is my share config:
> 
> root at fs1:~# ls -lad /data/test
> drwxrwx--T+ 4 root CARLSON\domain admins 4096 Jan 26 16:13 /data/test
           ^
           |----- Where does the big 'T' come from? I do not get that.
It is my understanding that it shows the sticky bit is set on 'others',
but there is no 'x' set.

> 
> 
> [global]
> server string = %h server (Samba, Ubuntu)
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     logging = file
>     panic action = /usr/share/samba/panic-action %d
> log level = 3
> 
> kerberos method = secrets and keytab
> realm = CARLSON.LAB
> workgroup = CARLSON
> template homedir = /home/%U@%D
> template shell = /bin/bash
> security = ads
> idmap config CARLSON : range = 2000000-2999999
> idmap config CARLSON : backend = rid
> idmap config * : range = 10000-999999
> idmap config * : backend = tdb
> 
> vfs objects = acl_xattr
> map acl inherit = yes
> 
> winbind use default domain = no
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
> 
> apply group policies = yes
> 
> #======================= Share Definitions =======================
> [Test]
>      path = /data/test
>      comment = test
>      writable = yes
> 
> 

There are some differences between my smb.conf and yours, but nothing
major except that I have:

dedicated keytab file = /etc/krb5.keytab

I am not sure if that has any bearing.

Rowland
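As an added example that is not part of the thread: the capital `T` at the end of `drwxrwx--T+` is the sticky bit shown on the "others" triplet when others lack execute; with execute it would print as a lowercase `t`. The script below reproduces this on a throwaway directory using GNU `stat` and `chmod` (the trailing `+` that `ls` prints, signalling a POSIX ACL, is not part of `stat -c %A` output).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): show how the sticky bit
# is rendered in the mode string depending on the "others" execute bit.
# Assumes GNU/busybox stat with the %A format.
set -eu

# Symbolic mode string for a path, as the first column of `ls -l` shows it.
mode_string() {
    stat -c '%A' "$1"
}

# Interpret the last character of the mode string (the "others" execute slot):
#   t  sticky bit set, others have execute
#   T  sticky bit set, others do NOT have execute  (the case in the thread)
#   x  no sticky bit, others have execute
#   -  no sticky bit, no execute for others
explain_sticky() {
    m=$(mode_string "$1")
    last=${m#"${m%?}"}
    case "$last" in
        t) echo "sticky+other-exec" ;;
        T) echo "sticky-no-other-exec" ;;
        x) echo "other-exec" ;;
        -) echo "none" ;;
        *) echo "unknown" ;;
    esac
}

# Walk a temporary directory through the three relevant modes.
demo() {
    d=$(mktemp -d)
    for mode in 1770 1771 0770; do
        chmod "$mode" "$d"
        printf '%s -> %s (%s)\n' "$mode" "$(mode_string "$d")" "$(explain_sticky "$d")"
    done
    rmdir "$d"
}

demo
```

Running it prints `1770 -> drwxrwx--T (sticky-no-other-exec)` first, which is exactly the mode string seen on `/data/test` minus the ACL marker.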


