[Samba] Permission Denied

L.P.H. van Belle belle at bazuin.nl
Wed Nov 25 11:51:06 UTC 2015 

If this is about problems on a member server, read on. 
If its on a ADDC, then i dont know, but good info below. ;-) 

( Rowland, maybe a thing to put on the wiki also, read on..  ) 


If you only use the share from windows machines, make your life easy. 
Add : acl_xattr:ignore system acls = yes to the share.
And set the correct rights from within windows. 

If you do use the shares /folders also from within linux. 
Set UID/GID for all (needed) users/groups. 
Use the user_mapping in samba to map root to the domain administrator, 
And/or set user Administrator on the folder 
now set the correct rights from withing windows. 

Above can be done on ADDC or member server but there is a big differens. 

Regarding.. ( more explained ) 
> sudo ls -l /srv/samba/ 
> > drwxrwxr-x  2 root domain admins 4096 Nov 15 11:51 Finance
> > drwxrwxr-x+ 2 root domain admins 4096 Nov 25 08:08 home

> When i try to set the ACLs in Windows I get "Permission Denied"

Yes, totaly correct, i assum you did read: 
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs 
which says, 
# chmod g=rwx /srv/samba/Demo/
# chgrp "Domain Admins" /srv/samba/Demo/

But this example is done on a addc server, and not on a member server. 
On a ADDC user Administrator is automaticly mapped to root, 
id administrator on addc results in UID 0 and imo most important info, 
is missing on the wiki.

I also assume your doing this on a member server. 
Which is ok also, but in the 2 ls example above. 

drwxrwxr-x  2 root domain admins	
does not work an a member server without the user mapping or a bit different rights. 
So set Adminstrator:"domain admins" on this folder OR use the user mapping. 

And make user that /srv/samba at least has 2775 rights. 
And maybe a chgrp "Domain Admins" /srv/samba


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
> Verzonden: woensdag 25 november 2015 11:30
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Permission Denied
> 
> On 24/11/15 23:00, Henry McLaughlin wrote:
> > I have created a [home] share:
> >
> > user at jupiter:~$ sudo ls -l /srv/samba/
> > total 24
> > drwxrwxr-x  2 root domain admins 4096 Nov 22 21:38 Demo
> > drwxrwxr-x  2 root domain admins 4096 Nov 15 11:51 Finance
> > drwxrwxr-x+ 2 root domain admins 4096 Nov 25 08:08 home
> > drwxrwxr-x+ 9 root domain admins 4096 Nov 24 21:06 Printer_drivers
> >
> > When i try to set the ACLs in Windows I get "Permission Denied"
> >
> > In Windows I am logged in as "administrator" who is a member of "Domain
> > Admins"
> >
> > user at jupiter:~$ getfacl /srv/samba/home
> > getfacl: Removing leading '/' from absolute path names
> >
> > # file: srv/samba/home
> > # owner: root
> > # group: domain\040admins
> > user::rwx
> > user:root:rwx
> > group::r-x
> > group:domain\040admins:r-x
> > mask::rwx
> > other::r-x
> > default:user::rwx
> > default:group::r-x
> > default:group:domain\040admins:rwx
> > default:mask::rwx
> > default:other::r-x
> >
> >
> >
> 
> OK, the unix permissions are:
> 
> drwxrwxr-x+ 2 root domain admins 4096 Nov 25 08:08 home
> 
> But getfacl shows two group permissions:
> 
> # group: domain\040admins
> group::r-x
> group:domain\040admins:r-x
> 
> Both of which shows that the group has *no* write permissions, fix this
> and it should work as expected.
> 
> Rowland
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list