[Samba] Permission Denied

Rowland Penny rowlandpenny241155 at gmail.com
Wed Nov 25 12:25:16 UTC 2015

On 25/11/15 11:51, L.P.H. van Belle wrote:
> If this is about problems on a member server, read on.
> If its on a ADDC, then i dont know, but good info below. ;-)
> ( Rowland, maybe a thing to put on the wiki also, read on..  )

The thing is, it was on the wiki and Marc decided it would be better to 
go down the 'Domain Admins' line. He doesn't seem to like the username 
map way of doing things. I think it needs to be put back.

Hopefully Marc will pick-up on this and comment.

> If you only use the share from windows machines, make your life easy.
> Add : acl_xattr:ignore system acls = yes to the share.
> And set the correct rights from within windows.
> If you do use the shares /folders also from within linux.
> Set UID/GID for all (needed) users/groups.
> Use the user_mapping in samba to map root to the domain administrator,
> And/or set user Administrator on the folder
> now set the correct rights from withing windows.
> Above can be done on ADDC or member server but there is a big differens.
> Regarding.. ( more explained )
>> sudo ls -l /srv/samba/
>>> drwxrwxr-x  2 root domain admins 4096 Nov 15 11:51 Finance
>>> drwxrwxr-x+ 2 root domain admins 4096 Nov 25 08:08 home
>> When i try to set the ACLs in Windows I get "Permission Denied"
> Yes, totaly correct, i assum you did read:
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
> which says,
> # chmod g=rwx /srv/samba/Demo/
> # chgrp "Domain Admins" /srv/samba/Demo/
> But this example is done on a addc server, and not on a member server.
> On a ADDC user Administrator is automaticly mapped to root,
> id administrator on addc results in UID 0 and imo most important info,
> is missing on the wiki.
> I also assume your doing this on a member server.
> Which is ok also, but in the 2 ls example above.
> drwxrwxr-x  2 root domain admins	
> does not work an a member server without the user mapping or a bit different rights.
> So set Adminstrator:"domain admins" on this folder OR use the user mapping.

This would mean that you would have to give Administrator a uidNumber, 
breaking the link between 'root' and 'Administrator'. Not saying this is 
a bad idea, just that you should be aware of it.

> And make user that /srv/samba at least has 2775 rights.
> And maybe a chgrp "Domain Admins" /srv/samba
> Greetz,
> Louis

More information about the samba mailing list