[Samba] Setting up a Share Using Windows ACLs
rpenny at samba.org
Tue Jul 24 10:52:26 UTC 2018
On Tue, 24 Jul 2018 05:34:51 -0500 (CDT)
fret via samba <samba at lists.samba.org> wrote:
> Regardless of all the tips and procedures I read in the archives, I
> can not set permisisions under security tab, I get it every time:
> "Remotely setting permissions on the folder at the root of a share
> removes all inherited permissions from the root folder and all
> subfolders. To set permissions without removing the inherited
> permissions, click No and either change the permissions on a child
> folder or make the change while logged in locally"
> despite this warning when click on Yes button acces is denied and cant
> escape from loop(only task manager helps)
> Samba version on AD is 4.8.0 (compiled from source)
> Samba version on Domain member is Samba version
> I would like to point out that virtually all tests and parameters are
> working properly according to SambaWiki. smb_conf.txt
Please don't do that, just post it in the post i.e.
workgroup = TCIT
security = ADS
realm = TCIT.NOVOSTI.LAB
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config TCIT:backend = ad
idmap config TCIT:schema_mode = rfc2307
idmap config TCIT:range = 10000-999999
idmap config domain_name:unix_nss_info = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
username map = /etc/samba/user.map
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
path = /srv/samba/TestShare3/
read only = no
Just a few questions:
In the 'idmap config' lines you have 'domain_name', is this what is
actually there, or is it 'TCIT' ?
If it isn't 'TCIT' change it to 'TCIT'
What is in the user.map ?
Is the user you are trying to connect with 'Administrator' or a member
of Domain Admins ?
If it is 'Administrator', have you given 'Administrator' a uidNumber
attribute, if you have, remove it.
If your user is a member of Domain Admins, does Domain Admins have a
gidNumber attribute and the required privileges ?
More information about the samba