[Samba] Access denied to change share security staff

Rommel Rodriguez Toirac rommelrt at nauta.cu
Thu Apr 13 21:10:16 UTC 2017


On 13 April 2017 15:15:50 GMT-04:00, Rowland Penny <rpenny at samba.org> wrote:
>On Thu, 13 Apr 2017 14:18:16 -0400
>Rommel Rodriguez Toirac via samba <samba at lists.samba.org> wrote:
>
>> 
>>  I can change the permissions of the share and I can change and add (or
>> remove) the owners of that share using the Share permissions tab, but
>> when I try to change something with the Security tab, that is when
>> the Access denied happens. I work in that tab, when I open it the user
>> and group listed are: All root (Unix User\root)
>> root (Unix Group\root)
>> CREATOR OWNER 
>> CREATOR GROUP
>> 
>> All of them just with Special permissions set.
>> 
>>  When I try to add some other user or group, at the moment of Accept
>> or Apply the system says:
>> 
>>  "Error trying to apply the security information to:"
>>  "\\GTMPVE.GTM.ONAT.GOB.CU\compartir"
>>  "Access denied"
>> 
>> And then any change happens.
>> 
>
>If the change occurs, but you get the 'error' message before, then you
>can ignore the error, it is being caused by the differences between
>Samba AD and windows AD.
>
>If the changes don't work, can you try the following:
>
>Run the 'net rpc rights list privileges' command on the Unix machine
>that holds the share, this will confirm that 'Domain Admins' has the
>required privilege.
>
>Change the group ownership of the share i.e. from the wiki page:
>
>chgrp 'Domain Admins' /srv/samba/Demo
>
>Now try again from windows.
>
>Rowland
> 


 Thanks, Rowland, for writing to me;
I ran the commands, these are the results:

[root@gtmpve nagios]# net rpc rights list privileges -Uadministrator
Enter administrator's password:
     SeMachineAccountPrivilege  Add machines to domain
     SeTakeOwnershipPrivilege  Take ownership of files or other objects
     SeBackupPrivilege  Back up files and directories
      SeRestorePrivilege  Restore files and directories
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
      SePrintOperatorPrivilege  Manage printers
      SeAddUsersPrivilege  Add users and groups to the domain
      SeDiskOperatorPrivilege  Manage disk shares
      SeSecurityPrivilege  System security


[root@gtmpve nagios]# net rpc rights list accounts -U'ATGTM00\administrator'
Enter ATGTM00\administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

ATGTM00\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned


 It looks like the Domain Admins do have the 'SeDiskOperatorPrivilege' privilege.
 I changed the group of the share with chgrp and tried from Windows RSAT. I saw the Domain Admins group with Special permissions set; but can change anything in Security tab. In Share permissions tab yes.

 Now I get this: 


[root@gtmpve nagios]# getfacl /test/compartir/
getfacl: Eliminando '/' inicial en nombres de ruta absolutos
# file: test/compartir/
# owner: root
# group: ATGTM00\134domain\040admins
user::rwx
group::r-x
other::r-x

[root@gtmpve nagios]# ls -lda /test/compartir/
drwxr-xr-x. 2 root ATGTM00\domain admins 6 abr 13 08:29 /test/compartir/

 The group ATGTM00\134domain\040admins does not have permission to write in this directory. Is that right?

Rommel Rodriguez Toirac
rommelrt at nauta.cu
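
The two checks carried out in this message (which accounts hold a privilege in the `net rpc rights list accounts` output, and what the owning group's POSIX permissions are in the `getfacl` output), as an added example that is not part of the original post and not Samba tooling. The function names are hypothetical and the sample input is constructed, shortened from the output quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Samba tooling.

# Print every account that holds privilege $1, reading the text produced by
# `net rpc rights list accounts` on stdin (blank-line-separated blocks:
# account name first, then one privilege per line).
accounts_with_privilege() {
    awk -v want="$1" '
        /password:[ \t\r]*$/ { next }                 # echoed password prompt
        { gsub(/^[ \t]+|[ \t\r]+$/, "") }             # trim the line
        $0 == ""   { acct = ""; next }                # block separator
        acct == "" { acct = $0; next }                # first line = account
        $0 == want { print acct }'
}

# Print the rwx triple of the owning group from `getfacl` output on stdin.
owning_group_perms() {
    awk -F: '$1 == "group" && $2 == "" { print substr($3, 1, 3); exit }'
}

# Constructed sample input, shortened from the output quoted in the message.
sample_rights() {
    cat <<'EOF'
Enter ATGTM00\administrator's password:
BUILTIN\Backup Operators
No privileges assigned

ATGTM00\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Administrators
SeTakeOwnershipPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege

Everyone
No privileges assigned
EOF
}

sample_acl() {
    printf '%s\n' '# owner: root' 'user::rwx' 'group::r-x' 'other::r-x'
}

sample_rights | accounts_with_privilege SeDiskOperatorPrivilege
case "$(sample_acl | owning_group_perms)" in
    ?w?) echo "owning group can write" ;;
    *)   echo "owning group cannot write" ;;
esac
```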


