[Samba] Domain Administrator and shares problems

Rowland Penny rpenny at samba.org
Wed Oct 10 09:09:59 UTC 2018


On Wed, 10 Oct 2018 11:03:17 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> I'm not saying anything but having a GID on "domain admins" works
> fine. For me then since 2014..
> 
> getent group "domain admins"
> domain admins:x:10001:admin,administrator
> 
> Can you post the output of 
> ls -ald  /data/samba
> 
> What happens when you do this. 
> chmod 1777 /data/samba/profiles
> or 3777, but that opens access for "domain users" to the users
> profiles folders. 
> 
> But really, if it's the profiles folder it's a windows only folder.
> 
> This works without any problems, set the settings you see here, then
> configure the share and security from a windows pc. And never touch
> it again. 
> 
> [profiles]
>     browseable = yes
>     path = /data/samba/profiles
>     read only = no
>     acl_xattr:ignore system acl = yes
> 
> ls -al /home/samba/
> drwxrwx--T+  88 root root  4096 Oct  4 13:55 profiles
> 
>  file: home/samba/profiles
> # owner: root
> # group: root
> # flags: --t
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:domain\040users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:mask::rwx
> default:other::---
> 
> PS, have you checked the SePrivileges, do you have the needed
> mappings? My output. 
> 
> kinit Administrator
> net rpc rights list privileges SeDiskOperatorPrivilege -k -S $(hostname -s)
> SeDiskOperatorPrivilege:
>   BUILTIN\Administrators
> 
> net rpc rights list privileges SeSecurityPrivilege -k -S $(hostname -s)
> SeSecurityPrivilege:
>   BUILTIN\Administrators
> 
> net rpc rights list privileges SeTakeOwnershipPrivilege -k -S $(hostname -s)
> SeTakeOwnershipPrivilege:
>   BUILTIN\Administrators
> 

The problem isn't whether 'Domain Admins' has a gid or not; the OP
cannot open the security tab on Windows as Administrator.

This is something I can only reproduce by not having a user.map in
smb.conf.

Rowland
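
Added example, not part of either poster's message: a shell helper that reads `net rpc rights list privileges` output in the layout quoted above and reports which of the three privileges from the quoted message a given principal does not hold. The function name, variable names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which privileges a principal is missing.
# Assumed input: the "Privilege:" header plus indented account lines shown
# in the thread's `net rpc rights list privileges ...` output.
REQUIRED_PRIVS="SeDiskOperatorPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege"

# missing_privileges PRINCIPAL   (reads the net output on stdin)
# Prints each required privilege PRINCIPAL does not hold, one per line.
missing_privileges() {
    # Values go through the environment: awk -v would process the
    # backslash in names such as BUILTIN\Administrators as an escape.
    PRIV_PRINCIPAL="$1" PRIV_REQUIRED="$REQUIRED_PRIVS" awk '
        /^[^ \t].*:[ \t]*$/ {            # header line, e.g. "SeSecurityPrivilege:"
            current = $0; sub(/:[ \t]*$/, "", current); next
        }
        /^[ \t]+[^ \t]/ {                # indented line: an account holding it
            account = $0
            sub(/^[ \t]+/, "", account); sub(/[ \t]+$/, "", account)
            # Windows account names compare case-insensitively
            if (tolower(account) == tolower(ENVIRON["PRIV_PRINCIPAL"]))
                held[current] = 1
        }
        END {
            n = split(ENVIRON["PRIV_REQUIRED"], privs, " ")
            for (i = 1; i <= n; i++)
                if (!(privs[i] in held)) print privs[i]
        }'
}

# Constructed sample (not captured output): the last privilege has no holders.
SAMPLE_OUTPUT='SeDiskOperatorPrivilege:
  BUILTIN\Administrators
SeSecurityPrivilege:
  BUILTIN\Administrators
SeTakeOwnershipPrivilege:'

printf '%s\n' "$SAMPLE_OUTPUT" | missing_privileges 'BUILTIN\Administrators'
# Live use, with the commands from the thread:
#   for p in $REQUIRED_PRIVS; do
#       net rpc rights list privileges "$p" -k -S "$(hostname -s)"
#   done | missing_privileges 'BUILTIN\Administrators'
```

An empty result means the principal holds all three privileges.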


