[Samba] Domain Member Server: Domain Users cannot access shares

Jason Secord it at plymouthhistory.org
Fri Sep 23 07:30:10 UTC 2016


Mediawiki is throwing an error at this moment but I followed that page when
I set up the shares and triple checked everything when I last reset ACLs.

JS

On Sep 23, 2016 2:51 AM, "Rowland Penny via samba" <samba at lists.samba.org>
wrote:

> On Thu, 22 Sep 2016 19:23:05 -0400
> Jason Secord via samba <samba at lists.samba.org> wrote:
>
> > *Another reply that was accidentally sent to the wrong address...*
> >
> > I ran another test of a share on the raid array after making the
> > changes you suggested Rowland.  I reset the ACLs
> > on /mnt/md0/samba_shares/test as outlined in the wiki and set the
> > default group to domain admins.  I executed setfacl commands g=rwx
> > and chgrp domain admins, then added the directory to my smb.conf and
> > ran "smbcontrol all reload-config".  I then logged in to a Windows
> > box as administrator and set ACLs for my test domain user account,
> > allowing full control in both share permissions and the security
> > tabs, applied settings and closed the snap-in.
> >
> > I then logged in to another machine as my test user and tried to
> > access the new share and still received access denied.
> >
> > I'd be oh so happy if this thread ends and the raid controller isn't
> > the root cause of this issue, but my gut says it must be as shares
> > that I copied from the array to the system drive retained the ACLs I
> > had set previously and were accessible without modification.  I just
> > wish I could find some indication that this is a known issue, my
> > Google fu fails to reveal any evidence supporting the theory.
> >
> >
> > Kind Regards,
> >
> > JS
> >
> > On Thu, Sep 22, 2016 at 7:21 PM, Jason Secord <it at plymouthhistory.org>
> > wrote:
> >
> > > Hi Rowland,
> > >
> > >
> > > *Apparently I accidentally replied directly to you instead of the
> > > list, this is from a couple days ago...*
> > >
> > > First off, thanks again for your help, your insight is invaluable.
> > >
> > > I have completed the changes you suggested:
> > >
> > > I've used ADUC to remove the NIS Domain and UID/GID number from the
> > > following Users/Groups:
> > >
> > >    - group policy creator owners
> > >    - enterprise admins
> > >    - schema admins
> > >    - dnsadmins
> > >    - Administrator
> > >
> > > I've added "username map = /etc/samba/user.map" to my smb.conf
> > >
> > > I've created /etc/samba/user.map
> > >
> > > ls -la /etc/samba/user.map
> > > -rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map
> > >
> > > cat /etc/samba/user.map
> > > !root = PHM\Administrator PHM\administrator Administrator administrator
> > >
> > > Here is the output of the getfacl command you requested I run:
> > >
> > > sudo getfacl /mnt/md0/samba_shares/Accounts
> > > getfacl: Removing leading '/' from absolute path names
> > > # file: mnt/md0/samba_shares/Accounts
> > > # owner: itwerks
> > > # group: domain\040admins
> > > user::rwx
> > > group::rwx
> > > other::rwx
> > > default:user::rwx
> > > default:group::rwx
> > > default:group:domain\040admins:rwx
> > > default:mask::rwx
> > > default:other::rwx
> > >
>
> If you look at the result of the 'getfacl' command, you can see that
> the share belongs to itwerks:Domain Admins, they both have 'rwx'
> permissions and 'others' is supposed to also get 'rwx' permissions, but
> I don't think it is working this way. Can I suggest you read this wiki
> page:
>
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>
> Rowland


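An added example, not part of the original thread: Python code that parses the getfacl output Jason posted and applies the access-check order from acl(5) to show which permission class an account lands in. The account `testuser` and its `domain users` membership are assumptions made for illustration.

```python
import re
# getfacl output reproduced from the thread (mail quote prefixes removed)
GETFACL = r"""# file: mnt/md0/samba_shares/Accounts
# owner: itwerks
# group: domain\040admins
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::rwx
"""

def unescape(name):
    # getfacl prints special characters as octal escapes (\040 is a space)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    acl = {"owner": None, "group": None, "access": {}, "default": {}}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            acl[key] = unescape(value.strip())
        elif line and not line.startswith("#"):
            kind = "default" if line.startswith("default:") else "access"
            tag, qual, perms = re.sub("^default:", "", line).split(":")[:3]
            acl[kind][(tag, unescape(qual))] = perms[:3]
    return acl

def check_access(acl, user, groups, want):
    """acl(5) access check over the access entries: (granted, matched class)."""
    e = acl["access"]
    mask = e.get(("mask", ""), "rwx")  # no mask entry means nothing is masked
    def has(perms, masked=True):
        return all(c in perms and (not masked or c in mask) for c in want)
    if user == acl["owner"]:
        return has(e[("user", "")], masked=False), "owner"
    if ("user", user) in e:
        return has(e[("user", user)]), "named user"
    matching = [p for (tag, q), p in e.items() if tag == "group"
                and (q or acl["group"]) in groups]  # empty qualifier = owning group
    if matching:
        return any(has(p) for p in matching), "group"
    return has(e[("other", "")], masked=False), "other"

ACL = parse_getfacl(GETFACL)
# Hypothetical account 'testuser' in 'domain users'; not taken from the thread
RESULT = check_access(ACL, "testuser", {"domain users"}, "rwx")
```

It evaluates only this directory's POSIX access entries; share definitions in smb.conf and permissions on parent directories are not modelled.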