[Samba] Domain Administrator and shares problems

Rowland Penny rpenny at samba.org
Tue Oct 9 19:25:53 UTC 2018


On Tue, 9 Oct 2018 19:44:55 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
> 
> I made a fresh install of the AD DC, a member server, and a Windows
> 10 PC that was never part of any domain. Authentication works, Active 
> Directory works, DNS works, the Administrator can add, edit, and
> delete entries. The AD DC is running CentOS 7.5 with a self-compiled
> Samba 4.9.1. The member server is using CentOS 7.5 with Samba 4.7.1
> from the standard distribution packages. I have also tested a
> self-compiled Samba 4.9.1 as domain member. The configurations are
> identical to the ones used in production. Firewalls are disabled, as
> is SELinux on both Linux boxes.
> 
> However, file sharing is a complete disaster. The Samba member server 
> automatically uses ACLs when creating files and folders, which the 
> production server doesn't. Everything positive ends here. The rest of 
> the process using Windows Computer Manager for setting up the share 
> parameters, is completely derailed.
> 
> If the domain Administrator, Domain Admins, or any account with 
> Administrator privileges figure anywhere, everything is completely 
> blocked. 

When you say blocked, do you mean you get an error message like this
when you click on the 'security' tab:

You do not have permission to view or edit this object's permission
settings.

I set up a totally new centos 7 VM and installed Samba, but somehow I
missed out the user.map line and I got that error. Added the line:

username map = /etc/samba/user.map

created the user.map:

!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator

Restarted Samba and it now works.

Unix permissions before attempting any changes from windows:

[root@cen7member ~]# ls -lad /data/samba/profiles
drwxrwx--- 2 root unix admins 6 Oct  9 19:13 /data/samba/profiles

After adding a user to the share from windows 'Security' tab:

Edit -> Add -> Advanced -> Find Now -> select user (Rowland Penny) ->
OK -> OK -> standard permissions: Read & execute, List folder contents,
Read

[root@cen7member ~]# ls -lad /data/samba/profiles
drwxrwx---+ 2 root unix admins 6 Oct  9 19:13 /data/samba/profiles

And the extended ACLs now set:
[root@cen7member ~]# getfacl /data/samba/profiles
getfacl: Removing leading '/' from absolute path names
# file: data/samba/profiles
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
user:rowland:r-x
user:12122:rwx
group::rwx
group:rowland:r-x
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:rowland:r-x
default:group::r-x
default:group:rowland:r-x
default:group:unix\040admins:r-x
default:mask::rwx
default:other::r-x

> 
> I'll get on my bike and take a trip in the countryside tomorrow,
> instead of fighting windmills...

Yes, I always find walking away and returning later usually works ;-)

Rowland
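A way to check what a username map line actually does before restarting Samba, as an added example that is not part of Rowland's message and not Samba's own code: the script below parses a user.map in the format of the line above and resolves a few Windows names through it, following the smb.conf(5) rules for '!', '*' and '@group'. The map text, the '@dbadmins' line, the trailing 'nobody = *' wildcard and the group membership are constructed for the example; the thread only has the single root line. Matching here is exact and case-sensitive, which is why all four spellings from the map line are kept; it does not model how Samba itself compares names, and a line without '!' hands its Unix user on to the remaining lines, which is this example's reading of the man page.

```python
"""Resolve Windows account names through a Samba-style 'username map' file.

Added example for this thread; it is not Samba code and not from the poster.
It implements the subset of the smb.conf(5) 'username map' rules used here:
  - one mapping per line:  <unix user> = <windows name> [<windows name> ...]
  - lines starting with '#' or ';' are comments
  - a line starting with '!' stops processing after it matches
  - '*' on the right-hand side matches any name
  - '@group' matches any name that belongs to that Unix group (membership is
    passed in by the caller here; the real server asks the OS)
Simplifications (assumptions of this example): matching is exact and
case-sensitive, names containing spaces are not supported, and a line that
matches without '!' hands its Unix user on to the remaining lines.
"""
from dataclasses import dataclass


@dataclass
class MapLine:
    unix_user: str
    windows_names: list
    stop_on_match: bool  # True when the line began with '!'


def parse_username_map(text: str) -> list:
    """Parse the contents of a username map file into MapLine entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"malformed map line (no '='): {raw!r}")
        left, right = line.split("=", 1)
        left = left.strip()
        stop = left.startswith("!")
        if stop:
            left = left[1:].strip()
        names = right.split()
        if not left or not names:
            raise ValueError(f"malformed map line: {raw!r}")
        entries.append(MapLine(left, names, stop))
    return entries


def resolve(name: str, entries: list, groups: dict = None) -> str:
    """Return the Unix user `name` maps to, or `name` itself if nothing matches.

    `groups` maps a Unix group name to the set of account names in it.
    """
    groups = groups or {}
    current = name
    for entry in entries:
        matched = False
        for pattern in entry.windows_names:
            if pattern == "*":
                matched = True
            elif pattern.startswith("@"):
                matched = current in groups.get(pattern[1:], set())
            else:
                matched = current == pattern
            if matched:
                break
        if matched:
            current = entry.unix_user
            if entry.stop_on_match:
                break
    return current


# Constructed sample map: the line from the thread, plus a group mapping and
# a trailing wildcard that are NOT in the thread, added to show why '!' matters.
SAMPLE_MAP = r"""
# /etc/samba/user.map (referenced from smb.conf: username map = /etc/samba/user.map)
!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
!dba = @dbadmins
nobody = *
"""

# Same map with the '!' removed from the root line.
NO_BANG_MAP = r"""
root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
nobody = *
"""


def demo() -> dict:
    """Resolve a few names through both maps and return the results."""
    entries = parse_username_map(SAMPLE_MAP)
    groups = {"dbadmins": {r"SAMDOM\alice"}}  # constructed group membership
    return {
        "administrator_with_bang": resolve(r"SAMDOM\Administrator", entries),
        "group_member": resolve(r"SAMDOM\alice", entries, groups),
        "unlisted_user": resolve("rowland", entries),
        # Without '!', the wildcard line re-maps the already-mapped 'root'.
        "administrator_without_bang": resolve(r"SAMDOM\Administrator",
                                              parse_username_map(NO_BANG_MAP)),
    }


if __name__ == "__main__":
    for case, unix_user in demo().items():
        print(f"{case:28s} -> {unix_user}")
```

Run it stand-alone to print the four resolutions. The last case is the point of the leading '!': once a wildcard line such as 'nobody = *' follows, a root line without '!' is matched and then overridden, so Administrator ends up as nobody instead of root, and the Windows 'Security' tab fails exactly as it does when the map is missing.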


