[Samba] Samba 4 Domain Member fileserver permission denied error

Lorenzo Faleschini lorenzo.faleschini at nordestsystems.com
Wed Apr 30 05:45:08 MDT 2014


On 30/04/2014 10:39, steve wrote:
> On Wed, 2014-04-30 at 08:58 +0200, Lorenzo Faleschini wrote:
>> Chris,
>>
>> I'm sorry, I just noticed I have the same 770 config on my subfolders (the actual shares).
>> I've chmodded 660 just the mountpoint, but that's not significant.
>>
>>
>> actually if I chmod 760 the domain users from windows clients cannot even access the share, so I suppose 770 is needed.
>>
>> who knows..
> As recommended, if you're having no luck don't understand chmod with
> Samba or it just isn't working as you wish, allocate an admin user and
> set the share acls from the security tab in windows.
> Does your filesystem support extended acls?
Yes and it works (did tests as written in the wiki and I find that any 
security tab setting is responding correctly) but I have to chmod 770 
the folder in the fileserver to make this work.

if I set it to 760 or 660  it just won't let any user from "domain 
users" whose ACLs rights are correctly set in security tab to RW or even 
to RO.

if I chmod 770 the dir (administrator:domain users) then the ACLs work 
correctly = if I give domain users read only permissions it does give RO 
permissions, if I add modify in security tab it lets 'em add or mod files.

what permissions do you have in your fileserver share folders? 660 or 770?


> HTH
>> btw 770 is always better than 777 :)
>>
>> cheers
>>
>> Lorenzo Faleschini
>> IT Manager @ Nord Est Systems srl
>> ----------------------------------------
>> m: +39 335 6055225 | skype: falegalizeit
>>
>> On 29/04/2014 18:12, steve wrote:
>>> On Tue, 2014-04-29 at 17:00 +0100, Chris Alavoine wrote:
>>>> Hi Lorenzo,
>>>>
>>>> Have tried it with 660 but I keep getting "You do not have permission to
>>>> view or edit this object's permission settings" when trying to set the
>>>> Security perms via RSAT. Have rebooted both RSAT and domain member server.
>>>> Like you, I would expect 660 to work but it's not for me. For now I'll go
>>>> with 770 which is the mode we always used on our old Samba3 fileservers
>>>> anyway.
>>> Nominate someone who can?
>>> admin user = someone-responsible
>>>
>>> HTH
>>> Steve
>>>
>>>
>>>> Thanks for your help,
>>>> Chris.
>>>>
>>>>
>>>> On 29 April 2014 16:48, Lorenzo Faleschini <
>>>> lorenzo.faleschini at nordestsystems.com> wrote:
>>>>
>>>>>    I'm glad it worked,
>>>>>
>>>>> anyway I don't really think you need execute on the fileserver directories
>>>>> (apart if you have to run something from them).
>>>>> you can consider using 660, if it doesn't work straight then try to log
>>>>> out and in from the windows workstation you use for RSAT (or whatever
>>>>> you're using) and then test again.
>>>>>
>>>>> if you need execution of some subfolder you can always chmod it later, but
>>>>> the narrower permissions are the better.
>>>>> just my 2cents.
>>>>>
>>>>>
>>>>>
>>>>>    Lorenzo Faleschini
>>>>> IT Manager @ Nord Est Systems srl
>>>>> ----------------------------------------
>>>>> m: +39 335 6055225 | skype: falegalizeit
>>>>>
>>>>> On 29/04/2014 17:25, Chris Alavoine wrote:
>>>>>
>>>>> Hi Lorenzo,
>>>>>
>>>>>    Many thanks for this. I had most of the GID/UID stuff already in place
>>>>> (for NSLCD), but the chowning and chmoding part is what fixed it for me.
>>>>> Had to use chmod 770 to get it working though, but many thanks for the top
>>>>> tips! I can now get down to fully testing this is a viable fileserver
>>>>> option.
>>>>>
>>>>>    Cheers,
>>>>> c:)
>>>>>
>>>>>
>>>>> On 29 April 2014 15:32, Lorenzo Faleschini <
>>>>> lorenzo.faleschini at nordestsystems.com> wrote:
>>>>>
>>>>>>    I had same issue.
>>>>>>
>>>>>> the ugly chmod 777 fixed the issue, but that was not a fix, was a crap,
>>>>>> so ended out in
>>>>>>
>>>>>> assigning GID to group "Domain Users"
>>>>>> assigning UID to all users in my domain
>>>>>>
>>>>>> then on the member server
>>>>>> (which idmap was set as the same used on the samba4 DC  30000000-40000000
>>>>>> to have consistent mappings throughout the domain servers)
>>>>>> I set the shares mountpoint with the following ownerships and permissions
>>>>>>
>>>>>> chown -R "DOMAIN\Administrator":"DOMAIN\Domain Users" /path/to/shares
>>>>>> chmod -R 660 /path/to/shares
>>>>>>
>>>>>> let me know if works for you
>>>>>>
>>>>>>
>>>>>>    Lorenzo Faleschini
>>>>>> IT Manager @ Nord Est Systems srl
>>>>>> ----------------------------------------
>>>>>> m: +39 335 6055225 | skype: falegalizeit
>>>>>>
>>>>>> On 29/04/2014 12:34, Chris Alavoine wrote:
>>>>>>
>>>>>> Hi there,
>>>>>>
>>>>>> I have a working Samba 4 domain (4.1.5) with several DC's spread over a
>>>>>> global network. They are all based on Ubuntu 12.04. At present the domain
>>>>>> member fileservers for this network are all running Samba 3.4.7 and using
>>>>>> NSLCD and *nix permissions to allow access. This is working nicely.
>>>>>>
>>>>>> I am now trying to create a new Samba 4 (4.1.7 Ubuntu 12.04) domain member
>>>>>> fileserver and have been following these guides:
>>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>>>>>>
>>>>>> wbinfo and getent all work as described.
>>>>>>
>>>>>> All looks good until I get to the section on setting permissions on the
>>>>>> share at which point I get "An error occurred while applying the security
>>>>>> information to: \\SERVER\share  Access is denied"
>>>>>>
>>>>>> Has anyone reached this point with similar results? Any help appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>> Chris.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>    --
>>>>> ACS (Alavoine Computer Services Ltd)
>>>>> Chris Alavoine
>>>>> mob +44 (0)7724 710 730
>>>>> www.alavoinecs.co.uk
>>>>> http://twitter.com/#!/alavoinecs
>>>>> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>>>>>
>>>>>
>>>>>
>>>> -- 
>>>> ACS (Alavoine Computer Services Ltd)
>>>> Chris Alavoine
>>>> mob +44 (0)7724 710 730
>>>> www.alavoinecs.co.uk
>>>> http://twitter.com/#!/alavoinecs
>>>> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>
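
On POSIX filesystems the execute bit on a directory is the search permission needed to reach anything inside it, which is why the 660 and 760 directory modes tried in this thread block access while 770 works. The script below is an added example, not code from any poster or from the Samba project: it audits a share tree for directories whose group lacks search, lists files carrying execute bits, and applies 770 to directories and 660 to regular files. The function names, the 660 file mode and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Added example: function names, modes and the demo tree are illustrative.

# Print every directory under $1 whose group class lacks the search (x) bit.
# Group members cannot open entries inside such a directory, whatever the
# ACLs set from the Windows security tab say.
audit_share_dirs() {
    find "$1" -type d ! -perm -010 -print
}

# Print regular files under $1 that carry any execute bit. A blanket
# "chmod -R 770" leaves every document on the share in this state.
files_with_exec() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Directories get 770 (owner and group can traverse), regular files get 660.
# Unlike "chmod -R 660", this keeps directories searchable.
# Run as root on a real share so find can descend into restricted dirs.
fix_share_modes() {
    find "$1" -type d -exec chmod 770 {} \;
    find "$1" -type f -exec chmod 660 {} \;
}

# Constructed demo: a small tree with 760 directories and one 770 file.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/projects/reports"
    : > "$root/projects/reports/q1.txt"
    chmod 770 "$root/projects/reports/q1.txt"
    chmod 760 "$root" "$root/projects" "$root/projects/reports"

    before=$(( $(audit_share_dirs "$root" | wc -l) ))
    exec_files=$(( $(files_with_exec "$root" | wc -l) ))
    fix_share_modes "$root"
    after=$(( $(audit_share_dirs "$root" | wc -l) ))

    echo "dirs without group search: before=$before after=$after"
    echo "files with execute bits before fix: $exec_files"
    rm -rf "$root"
}

demo
```
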


