[Samba] Access denied when setting permissions

Steven Whaley steven at puryear-it.com
Wed Feb 13 20:53:37 GMT 2008


I wish it were that simple, but I synced them with net time set before 
running through all of this, and checked again before testing a second 
time.


Rondall Stewart wrote:
> I may be totally wrong but for what it is worth.
>  
> Looking at this it looks like your workstation time and server time are out of sync.  Check to make sure your timezone is correct and run the following command. 
>  
> net time set /S server
>  
>  
>  
> [root@samba ~]# net ads info
> LDAP server: 192.168.222.84
> LDAP server name: server.TESTDOMAIN.COM
> Realm: TESTDOMAIN.COM
> Bind Path: dc=TESTDOMAIN,dc=COM
> LDAP port: 389
> Server time: Wed, 13 Feb 2008 11:19:09 CST
> KDC server: 192.168.222.84
> Server time offset: -29
>
> ________________________________
>
> From: samba-bounces+rstewart=iccpartners.com at lists.samba.org on behalf of Steven Whaley
> Sent: Wed 2/13/2008 12:26 PM
> To: samba at lists.samba.org
> Subject: [Samba] Access denied when setting permissions
>
>
>
> I have a Windows 2003 AD domain and a server joined to that domain. 
> Winbind is being used as an idmap.  Most everything seems to work fine.
>
> Winbind gets user info correctly:
>
> [root@samba ~]# wbinfo -u
> TESTDOMAIN\administrator
> TESTDOMAIN\guest
> TESTDOMAIN\support_388945a0
> TESTDOMAIN\krbtgt
> TESTDOMAIN\swhaley
> TESTDOMAIN\test
>
> [root@samba ~]# wbinfo -g
> BUILTIN\administrators
> BUILTIN\users
> TESTDOMAIN\domain computers
> TESTDOMAIN\domain controllers
> TESTDOMAIN\schema admins
> TESTDOMAIN\enterprise admins
> TESTDOMAIN\domain admins
> TESTDOMAIN\domain users
> TESTDOMAIN\domain guests
> TESTDOMAIN\group policy creator owners
> TESTDOMAIN\dnsupdateproxy
>
>
> [root@samba ~]# wbinfo -a 'TESTDOMAIN\swhaley%password'
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> Domain functionality seems to work fine.
>
> [root@samba ~]# net ads testjoin
> Join is OK
>
> [root@samba ~]# net ads info
> LDAP server: 192.168.222.84
> LDAP server name: server.TESTDOMAIN.COM
> Realm: TESTDOMAIN.COM
> Bind Path: dc=TESTDOMAIN,dc=COM
> LDAP port: 389
> Server time: Wed, 13 Feb 2008 11:19:09 CST
> KDC server: 192.168.222.84
> Server time offset: -29
>
> My user can connect to the Samba share from a Windows host without
> entering credentials, so Kerberos and authentication are working
> properly.  But whenever I try to set permissions on the share, with a
> member of the Domain Admins group, from the Computer Management snap-in
> I always get access denied errors.  I have nt acl support turned on for
> the share.
>
> Here's my Samba config:
>
> [global]
> security = ads
> encrypt passwords = yes
> realm = TESTDOMAIN.COM
> workgroup = TESTDOMAIN
> idmap uid = 200000 - 300000
> idmap gid = 200000 - 300000
> server string = Samba Server Version 3
> netbios name = SAMBA
> interfaces = lo eth0 192.168.222.110/24
>
> [public]
> comment = Public Stuff
> path = /home/samba
> public = yes
> writable = yes
> printable = no
> valid users = TESTDOMAIN.COM\swhaley
> nt acl support = yes
> map acl inherit = yes
> inherit acls = yes
>
> I've also assigned the SeDiskOperatorPrivilege to the Domain Admins group:
>
> [root@samba ~]# net rpc rights list accounts -Uswhaley
> Password:
> TESTDOMAIN\swhaley
> SeDiskOperatorPrivilege
>
> BUILTIN\Print Operators
> No privileges assigned
>
> BUILTIN\Account Operators
> No privileges assigned
>
> BUILTIN\Backup Operators
> No privileges assigned
>
> TESTDOMAIN\Domain Admins
> SeDiskOperatorPrivilege
>
> BUILTIN\Server Operators
> No privileges assigned
>
> BUILTIN\Administrators
> SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege
>
> Everyone
> No privileges assigned
>
> I'm running CentOS5, so POSIX acl support is on by default.  I tested it
> by setting and removing some ACLs just to be sure, and they worked
> properly.
>
> As mentioned, I'm running CentOS5.  Samba is version 3.0.25b.
>
> Can anyone shed some light on this?  It's been driving me crazy.
>   
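Added example, not part of either poster's message: a shell check that reads the `Server time offset` line from `net ads info` output and compares it with the Kerberos clock-skew tolerance. It assumes the offset is reported in seconds and uses the default tolerance of 300 seconds (5 minutes); the function name `skew_from_ads_info` and the `MAX_SKEW` variable are hypothetical.

```shell
#!/bin/sh
# Added example: compare the "Server time offset" from `net ads info`
# with the Kerberos clock-skew tolerance.
# Assumptions: the offset is in seconds; 300 s is the default tolerance.
MAX_SKEW=${MAX_SKEW:-300}

# Reads `net ads info` output on stdin (mail-quoted "> " prefixes are
# tolerated). Prints the absolute offset in seconds.
# Returns 0 if within MAX_SKEW, 1 if outside it, 2 if no offset line exists.
skew_from_ads_info() {
    offset=$(sed -n \
        's/^[> ]*Server time offset:[[:space:]]*\(-\{0,1\}[0-9][0-9]*\)[[:space:]]*$/\1/p' \
        | head -n 1)
    if [ -z "$offset" ]; then
        echo "no 'Server time offset' line found" >&2
        return 2
    fi
    abs=${offset#-}            # drop the sign; only the magnitude matters
    echo "$abs"
    [ "$abs" -le "$MAX_SKEW" ]
}

# The output quoted in the thread above.
thread_output='LDAP server: 192.168.222.84
LDAP server name: server.TESTDOMAIN.COM
Realm: TESTDOMAIN.COM
Bind Path: dc=TESTDOMAIN,dc=COM
LDAP port: 389
Server time: Wed, 13 Feb 2008 11:19:09 CST
KDC server: 192.168.222.84
Server time offset: -29'

if secs=$(printf '%s\n' "$thread_output" | skew_from_ads_info); then
    echo "offset ${secs}s is within the ${MAX_SKEW}s tolerance"
else
    echo "offset missing or outside the ${MAX_SKEW}s tolerance"
fi

# Against a live join: net ads info | skew_from_ads_info
```

On the output quoted in this thread the check reports 29 seconds, well inside the 300-second default.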

