[Samba] Access denied when setting permissions

Steven Whaley steven at puryear-it.com
Wed Feb 13 17:26:12 GMT 2008


I have a Windows 2003 AD domain and a server joined to that domain.
Winbind is being used as an idmap.  Most everything seems to work fine.

Winbind gets user info correctly:

[root@samba ~]# wbinfo -u
TESTDOMAIN\administrator
TESTDOMAIN\guest
TESTDOMAIN\support_388945a0
TESTDOMAIN\krbtgt
TESTDOMAIN\swhaley
TESTDOMAIN\test

[root@samba ~]# wbinfo -g
BUILTIN\administrators
BUILTIN\users
TESTDOMAIN\domain computers
TESTDOMAIN\domain controllers
TESTDOMAIN\schema admins
TESTDOMAIN\enterprise admins
TESTDOMAIN\domain admins
TESTDOMAIN\domain users
TESTDOMAIN\domain guests
TESTDOMAIN\group policy creator owners
TESTDOMAIN\dnsupdateproxy


[root@samba ~]# wbinfo -a 'TESTDOMAIN\swhaley%password'
plaintext password authentication succeeded
challenge/response password authentication succeeded

Domain functionality seems to work fine.

[root@samba ~]# net ads testjoin
Join is OK

[root@samba ~]# net ads info
LDAP server: 192.168.222.84
LDAP server name: server.TESTDOMAIN.COM
Realm: TESTDOMAIN.COM
Bind Path: dc=TESTDOMAIN,dc=COM
LDAP port: 389
Server time: Wed, 13 Feb 2008 11:19:09 CST
KDC server: 192.168.222.84
Server time offset: -29

My user can connect to the Samba share from a Windows host without
entering credentials, so Kerberos and authentication are working
properly.  But whenever I try to set permissions on the share, with a
member of the Domain Admins group, from the Computer Management snap-in,
I always get access denied errors.  I have nt acl support turned on for
the share.

Here's my Samba config:

[global]
security = ads
encrypt passwords = yes
realm = TESTDOMAIN.COM
workgroup = TESTDOMAIN
idmap uid = 200000 - 300000
idmap gid = 200000 - 300000
server string = Samba Server Version 3
netbios name = SAMBA
interfaces = lo eth0 192.168.222.110/24

[public]
comment = Public Stuff
path = /home/samba
public = yes
writable = yes
printable = no
valid users = TESTDOMAIN.COM\swhaley
nt acl support = yes
map acl inherit = yes
inherit acls = yes

I've also assigned the SeDiskOperatorPrivilege to the Domain Admins group.

[root@samba ~]# net rpc rights list accounts -Uswhaley
Password:
TESTDOMAIN\swhaley
SeDiskOperatorPrivilege

BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

TESTDOMAIN\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned

I'm running CentOS5, so POSIX ACL support is on by default.  I tested it
by setting and removing some ACLs just to be sure, and they worked
properly.

As mentioned, I'm running CentOS5.  Samba is version 3.0.25b. 

Can anyone shed some light on this?  It's been driving me crazy. 

