[Samba] Cannot set Windows ACL security permissions Ubuntu 18.04 LXD privileged container
Jochen Eggemann
Jochen.Eggemann at nw-fva.de
Wed Sep 12 05:50:11 UTC 2018
Set the permissions to drwxrwx---+ and make sure 'vfs objects =
acl_xattr' is set in smb.conf.
Good luck
Jochen
On 12.09.2018 at 02:14, Jonathan Kreider via samba wrote:
> I'm trying to set up a member server for serving files following the
> instructions at:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
>
> Since I'm not an expert with log files or debugging, I need help
> troubleshooting the following:
>
> When I get to the part where I connect to the member server from the
> Windows Computer Management tool, I get a long message starting with
> "Computer FS3.MYDOM.COM cannot be connected. ..."
>
> But then the tool connects anyway and lets me change the "Share
> permissions" settings. I can add and delete groups here.
>
> But when I click on the security tab I get a message "You must have read
> permissions to view the properties of this object." Other times, the tab
> has displayed properly and allowed me to add groups and change permissions,
> but then it won't allow me to save the changes.
>
> Shared directory permissions:
> drwxrwxrwx 2 root KMS2\domain admins 2 Sep 11 22:40 shared/
>
> testparm output:
> # Global parameters
> [global]
> dns proxy = No
> log file = /var/log/samba/log.%m
> map to guest = Bad User
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> realm = KMS2.SAMDOM.COM (sanitized)
> security = ADS
> server role = member server
> server string = %h server (Samba, Ubuntu)
> username map = /etc/samba/user.map
> winbind refresh tickets = Yes
> workgroup = KMS2
> acl_xattr:default acl style = windows (tried with and without -
> could not tell a difference)
> acl_xattr:ignore system acls = yes (tried with and without -
> could not tell a difference)
> idmap config kms2 : range = 10000-19999
> idmap config kms2 : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = acl_xattr
>
> [printers]
> browseable = No
> comment = All Printers
> create mask = 0700
> path = /var/spool/samba
> printable = Yes
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
>
> [Shared]
> path = /home/shared
> read only = No
> acl_xattr:default acl style = windows (tried with and without -
> could not tell a difference)
> acl_xattr:ignore system acls = yes (tried with and without - could
> not tell a difference)
>
> Environment: Ubuntu 18.04 in an LXD privileged container on a Ubuntu 16.04
> host
> Samba Version = 4.7.6 (what ships with Ubuntu 18.04 by default)
> AD DC = Samba 4.3.11 on Ubuntu 16.04 LTS inside a LXD privileged container
> on the same host as above.
> Second AD DC = Samba 4.7.6-Ubuntu on Ubuntu 18.04 inside a privileged
> container on same host.
>
> The underlying file system is zfs-on-linux and in all cases I set the
> following zfs attributes:
> xattrs=sa
> aclinherit=passthrough
> acltype=posix
>
> A member server fs3 w/Samba 4.7.6-Ubuntu also privileged on the same host.
> All workstations on the network are successfully joined to AD.
> Windows OS = 10 1803, but RSAT is 17xx b/c the RSAT 1803 doesn't have the
> DNS tools, so I had to downgrade.
>
> All containers are "privileged" b/c samba NTACLs use the "security"
> namespace which requires root privileges. This seems to work for the AD DCs
> - I can't get the AD DCs to work in unprivileged mode.
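
The two things the reply asks for (a share directory listed as drwxrwx---+ and acl_xattr in 'vfs objects') can be checked against `testparm -s` output and the `ls -ld` mode string. The following is an added example, not code from the thread or from the Samba project; the function names are hypothetical and the sample configuration is constructed, modelled on the testparm output quoted above.

```python
# Constructed sample, modelled on the testparm output quoted in the thread.
SAMPLE_TESTPARM = """\
[global]
    security = ADS
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

[Shared]
    path = /home/shared
    read only = No
"""

def norm(name):
    # smb.conf(5): case and whitespace in section/parameter names are irrelevant.
    return "".join(name.lower().split())

def parse_testparm(text):
    """Parse `testparm -s` style output into {section: {param: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current[norm(key)] = value.strip()
    return sections

def effective(sections, share, param):
    """Share-level value; a share setting replaces the [global] one entirely."""
    glob = sections.get("global", {}).get(norm(param))
    return sections.get(norm(share), {}).get(norm(param), glob)

def audit_share(sections, share, ls_mode):
    """Findings for one share, given the `ls -ld` mode string of its path."""
    findings = []
    value = effective(sections, share, "vfs objects") or ""
    if "acl_xattr" not in value.replace(",", " ").split():
        findings.append("vfs objects does not include acl_xattr")
    if ls_mode[7:10] != "---":  # characters 8-10 are the 'other' permission bits
        findings.append("directory grants access to 'other' (%s)" % ls_mode[7:10])
    if not ls_mode.endswith("+"):  # ls prints '+' when a POSIX ACL is present
        findings.append("no POSIX ACL marker (+) on directory")
    return findings
```

Run against the directory listing quoted above (drwxrwxrwx), it reports the world-accessible mode and the missing ACL marker; a share that sets its own 'vfs objects' without acl_xattr is flagged even when [global] has it.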