[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Tue Aug 12 14:29:27 MDT 2014

On 12/08/14 20:41, Davor Vusir wrote:
> In my first setup, a combined (compiled) AD DC and file server I never
> got it to work with "vfs objects = acl_xattr" in the global section. I
> had two more shares and could not get the permissions to work until I
> put "vfs objects = acl_xattr" in the share sections. The shares were
> on LVM volumes mapped to directories later shared with Samba. My
> conclusion is that "vfs objects = acl_xattr" in the global section on
> an AD DC does not extend (or how to put it) beyond the netlogon and
> sysvol shares. I have not tested this configuration on one (1) mounted
> LVM volume where /usr/local and Sambashares reside.

If you add "vfs objects = acl_xattr" to smb.conf on a Samba 4 AD DC, you 
are turning off the 'dfs_samba4' vfs module. If you run 'testparm 
--suppress-prompt --verbose', you will find 'vfs objects = dfs_samba4, 

> I have now changed the setup to a dedicated virtual AD DC and a
> physical file server because of poor network performance. After the
> switch I experienced the same; proper permissions deny access... The
> setup is still the same; mounted LVM volumes later shared with samba.
> By removing "vfs objects = acl_xattr, map acl inherit = Yes and store
> dos attributes = Yes" from the global section, as mentioned in
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs,

You only add these lines to a member server, they are not required on the 


> and instead putting "vfs objects = acl_xattr" in the share section
> solves it. If you are using more vfs objects you may have to reorder
> them. And I also noticed that removing Everyone from the Share tab
> will neither let you edit nor remove ACE:s in the Security tab. So
> first let Everyone be there, add Domain Admins, press Apply. Add
> Domain Admins to the ACL, press Apply. Take ownership. After this
> procedure you are able to edit ACE:s. This will not guarantee that
> inheritance is correct. Again, "vfs objects = acl_xattr" in the global
> section does not seem to extend beyond global section. And I'm not
> sure why "map acl inherit = Yes and store dos attributes = Yes" are in
> the global section (I'm using neither). Both belong to a share
> section according to
> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html.
> Hope it helps.
> Regards
> Davor
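
The check below is an added example, not part of either poster's message and not Samba project code. It reads an smb.conf and reports the [global] lines that the reply says turn off 'dfs_samba4' or are added only on a member server; the sample configuration, its paths and the function names are constructed for illustration, and it assumes the server role is set explicitly.

```python
import re

# Constructed sample configuration (not from the thread); paths are placeholders.
SAMPLE_DC_CONF = """\
[global]
    server role = active directory domain controller
    VFS Objects = acl_xattr
    map acl inherit = Yes
    ; store dos attributes = Yes

[data]
    path = /srv/data
    vfs objects = acl_xattr
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised parameter names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            # smb.conf ignores case and whitespace inside parameter names.
            current["".join(name.lower().split())] = value.strip()
    return sections


def check_dc_global(text):
    """Return findings for the [global] section of an AD DC configuration."""
    glob = parse_smb_conf(text).get("global", {})
    # Assumption: the role is set explicitly with this spelling.
    if glob.get("serverrole", "").lower() != "active directory domain controller":
        return []
    findings = []
    vfs = glob.get("vfsobjects")
    if vfs is not None and "dfs_samba4" not in re.split(r"[,\s]+", vfs):
        findings.append("vfs objects = %s: turns off dfs_samba4" % vfs)
    for key, label in (("mapaclinherit", "map acl inherit"),
                       ("storedosattributes", "store dos attributes")):
        if key in glob:
            findings.append("%s: added only on a member server" % label)
    return findings
```

A share-level "vfs objects" line, as in the constructed [data] share, is not reported, since the check looks only at [global].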
