[Samba] Domain Member Server: Domain Users cannot access shares

Rowland Penny rpenny at samba.org
Fri Sep 23 06:47:27 UTC 2016


On Thu, 22 Sep 2016 19:23:05 -0400
Jason Secord via samba <samba at lists.samba.org> wrote:

> *Another reply that was accidentally sent to the wrong address...*
> 
> I ran another test of a share on the raid array after making the
> changes you suggested, Rowland.  I reset the ACLs
> on /mnt/md0/samba_shares/test as outlined in the wiki and set the
> default group to domain admins.  I executed setfacl commands g=rwx
> and chgrp domain admins, then added the directory to my smb.conf and
> ran "smbcontrol all reload-config".  I then logged in to a Windows
> box as administrator and set ACLs for my test domain user account,
> allowing full control in both share permissions and the security
> tabs, applied settings and closed the snap-in.
> 
> I then logged in to another machine as my test user and tried to
> access the new share and still received access denied.
> 
> I'd be oh so happy if this thread ends and the raid controller isn't
> the root cause of this issue, but my gut says it must be as shares
> that I copied from the array to the system drive retained the ACLs I
> had set previously and were accessible without modification.  I just
> wish I could find some indication that this is a known issue, my
> Google fu fails to reveal any evidence supporting the theory.
> 
> 
> Kind Regards,
> 
> JS
> 
> On Thu, Sep 22, 2016 at 7:21 PM, Jason Secord <it at plymouthhistory.org>
> wrote:
> 
> > Hi Rowland,
> >
> >
> > *Apparently I accidentally replied directly to you instead of the
> > list, this is from a couple days ago...*
> >
> > First off, thanks again for your help, your insight is invaluable.
> >
> > I have completed the changes you suggested:
> >
> > I've used ADUC to remove the NIS Domain and UID/GID number from the
> > following Users/Groups:
> >
> >    - group policy creator owners
> >    - enterprise admins
> >    - schema admins
> >    - dnsadmins
> >    - Administrator
> >
> > I've added "username map = /etc/samba/user.map" to my smb.conf
> >
> > I've created /etc/samba/user.map
> >
> > ls -la /etc/samba/user.map
> > -rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map
> >
> > cat /etc/samba/user.map
> > !root = PHM\Administrator PHM\administrator Administrator
> > administrator
> >
> > Here is the output of the getfacl command you requested I run:
> >
> > sudo getfacl /mnt/md0/samba_shares/Accounts
> > getfacl: Removing leading '/' from absolute path names
> > # file: mnt/md0/samba_shares/Accounts
> > # owner: itwerks
> > # group: domain\040admins
> > user::rwx
> > group::rwx
> > other::rwx
> > default:user::rwx
> > default:group::rwx
> > default:group:domain\040admins:rwx
> > default:mask::rwx
> > default:other::rwx
> >

If you look at the result of the 'getfacl' command, you can see that
the share belongs to itwerks:Domain Admins, they both have 'rwx'
permissions and 'others' is supposed to also get 'rwx' permissions, but
I don't think it is working this way. Can I suggest you read this wiki
page:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Rowland
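
The following is an added example, not part of the original thread and not Samba project code: a small Python parser for the `getfacl` output quoted above. It decodes the `\040` escapes, separates the access ACL from the default ACL, and lists the entries worth reviewing. The function names and the review rules are assumptions made for illustration.

```python
import re
# getfacl output quoted in the thread above, embedded so the example runs offline
SAMPLE = r"""# file: mnt/md0/samba_shares/Accounts
# owner: itwerks
# group: domain\040admins
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::rwx
"""

def unescape(name):
    # getfacl prints special characters as backslash + 3 octal digits (\040 is a space)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    acl = {"file": None, "owner": None, "group": None, "access": [], "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"#\s*(file|owner|group):\s*(.*)", line)
        if header:
            acl[header.group(1)] = unescape(header.group(2))
            continue
        line = line.split("#", 1)[0].strip()  # drop trailing "#effective:" notes
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, rest = line.split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)
        acl[scope].append((tag, unescape(qualifier), perms))
    return acl

def review(acl):
    findings = []
    for scope in ("access", "default"):
        for tag, _, perms in acl[scope]:
            if tag == "other" and "w" in perms:
                findings.append(f"{scope} ACL: other is writable ({perms})")
    named = {(t, q) for t, q, _ in acl["access"] if q}
    for tag, q, perms in acl["default"]:
        if q and (tag, q) not in named:  # default entries only apply to new children
            findings.append(f"{tag} '{q}' ({perms}) is named only in the default ACL")
    return findings
```

On the quoted output, `review(parse_getfacl(SAMPLE))` reports the world-writable `other` entry in both ACLs and that `domain admins` appears as a named entry only in the default ACL.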


