[Samba] Setting up a Share Using Windows ACLs

Rowland Penny rpenny at samba.org
Tue Jul 24 10:52:26 UTC 2018

On Tue, 24 Jul 2018 05:34:51 -0500 (CDT)
fret via samba <samba at lists.samba.org> wrote:

> Regardless of all the tips and procedures I read in the archives, I
> cannot set permissions under the Security tab, I get this every time:
> "Remotely setting permissions on the folder at the root of a share
> removes all inherited permissions from the root folder and all
> subfolders.  To set permissions without removing the inherited
> permissions, click No and either change the permissions on a child
> folder or make the change while logged in locally" 
> Despite this warning, when I click on the Yes button access is denied and I can't
> escape from the loop (only Task Manager helps).
> Samba version on AD is 4.8.0 (compiled from source)
> Samba version on Domain member is Samba version
> 4.8.2-git.30.690aa93c1892.1-SUSE-SLE_12-x86_64
> I would like to point out that virtually all tests and parameters are
> working properly according to SambaWiki. smb_conf.txt
> <http://samba.2283325.n4.nabble.com/file/t372619/smb_conf.txt>  

Please don't do that, just post it in the post i.e.

        workgroup = TCIT
        security = ADS
        realm = TCIT.NOVOSTI.LAB
        log file = /var/log/samba/%m.log
        log level = 1

        idmap config * : backend = tdb
        idmap config * : range = 2000-9999

        idmap config TCIT:backend = ad
        idmap config TCIT:schema_mode = rfc2307
        idmap config TCIT:range = 10000-999999
        idmap config domain_name:unix_nss_info = yes

        winbind enum users = yes
        winbind enum groups = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        username map = /etc/samba/user.map
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind refresh tickets = Yes 
       path = /srv/samba/TestShare3/
       read only = no

Just a few questions:
In the 'idmap config' lines you have 'domain_name', is this what is
actually there, or is it 'TCIT' ? 
If it isn't 'TCIT' change it to 'TCIT'

What is in the user.map ?

Is the user you are trying to connect with 'Administrator' or a member
of Domain Admins ?
If it is 'Administrator', have you given 'Administrator' a uidNumber
attribute, if you have, remove it.
If your user is a member of Domain Admins, does Domain Admins have a
gidNumber attribute and the required privileges ?
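
An added example, not part of the original post and not Samba tooling: a small Python check for the first question above, flagging any 'idmap config' domain that is not the workgroup or the '*' default. It goes slightly beyond the post by also flagging a domain with no range and overlapping ID ranges; the function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: the workgroup and idmap lines from the config quoted above.
SAMPLE_CONF = """\
workgroup = TCIT
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config TCIT:backend = ad
idmap config TCIT:schema_mode = rfc2307
idmap config TCIT:range = 10000-999999
idmap config domain_name:unix_nss_info = yes
"""

IDMAP_RE = re.compile(r"^idmap\s*config\s+(.+?)\s*:\s*(\S.*?)\s*=\s*(.*)$", re.I)

def parse(conf_text):
    """Return (workgroup, {domain: {option: value}}) from smb.conf text."""
    workgroup, domains = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue  # skip blanks, comments and section headers
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val.strip()
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key.lower() == "workgroup":
                workgroup = val.upper()
    return workgroup, domains

def check(conf_text):
    """Flag idmap domains that differ from workgroup, lack a range, or overlap."""
    workgroup, domains = parse(conf_text)
    findings, ranges = [], []
    for dom, opts in sorted(domains.items()):
        if dom != "*" and dom != workgroup:
            findings.append(f"{dom}: does not match workgroup {workgroup}")
        if "range" not in opts:
            findings.append(f"{dom}: no 'range' set")
            continue
        low, high = (int(x) for x in opts["range"].split("-"))
        ranges.append((low, high, dom))
    ranges.sort()
    for (l1, h1, d1), (l2, h2, d2) in zip(ranges, ranges[1:]):
        if l2 <= h1:  # next range starts before the previous one ends
            findings.append(f"{d1} and {d2}: ID ranges overlap")
    return findings
```

To check a real file, pass its text to `check()`; an empty list means none of these three problems was found.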

