[Samba] Cannot set Windows ACL security permissions Ubuntu 18.04 LXD privileged container
Rowland Penny
rpenny at samba.org
Wed Sep 12 08:17:29 UTC 2018
On Tue, 11 Sep 2018 20:14:58 -0400
Jonathan Kreider via samba <samba at lists.samba.org> wrote:
> I'm trying to set up a member server for serving files following the
> instructions at:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
>
> Since I'm not an expert with log files or debugging, I need help
> troubleshooting the following:
>
> When I get to the part where I connect to the member server from the
> Windows Computer Management tool, I get a long message starting with
> "Computer FS3.MYDOM.COM cannot be connected. ..."
>
> But then the tool connects anyway and lets me change the "Share
> permissions" settings. I can add and delete groups here.
>
> But when I click on the security tab I get a message "You must have
> read permissions to view the properties of this object." Other
> times, the tab has displayed properly and allowed me to add groups
> and change permissions, but then it won't allow me to save the
> changes.
>
> Shared directory permissions:
> drwxrwxrwx 2 root KMS2\domain admins 2 Sep 11 22:40 shared/
>
> testparm output:
> # Global parameters
> [global]
> dns proxy = No
> log file = /var/log/samba/log.%m
> map to guest = Bad User
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> realm = KMS2.SAMDOM.COM (sanitized)
> security = ADS
> server role = member server
> server string = %h server (Samba, Ubuntu)
> username map = /etc/samba/user.map
> winbind refresh tickets = Yes
> workgroup = KMS2
> acl_xattr:default acl style = windows (tried with and without - could not tell a difference)
> acl_xattr:ignore system acls = yes (tried with and without - could not tell a difference)
> idmap config kms2 : range = 10000-19999
> idmap config kms2 : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = acl_xattr
>
> [printers]
> browseable = No
> comment = All Printers
> create mask = 0700
> path = /var/spool/samba
> printable = Yes
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
>
> [Shared]
> path = /home/shared
> read only = No
> acl_xattr:default acl style = windows (tried with and without - could not tell a difference)
> acl_xattr:ignore system acls = yes (tried with and without - could not tell a difference)
>
> Environment: Ubuntu 18.04 in an LXD privileged container on a Ubuntu
> 16.04 host
> Samba Version = 4.7.6 (what ships with Ubuntu 18.04 by default)
> AD DC = Samba 4.3.11 on Ubuntu 16.04 LTS inside a LXD privileged
> container on the same host as above.
> Second AD DC = Samba 4.7.6-Ubuntu on Ubuntu 18.04 inside a privileged
> container on same host.
>
> The underlying file system is zfs-on-linux and in all cases I set the
> following zfs attributes:
> xattrs=sa
> aclinherit=passthrough
> acltype=posix
>
> A member server fs3 w/Samba 4.7.6-Ubuntu also privileged on the same
> host. All workstations on the network are successfully joined to AD.
> Windows OS = 10 1803, but RSAT is 17xx b/c the RSAT 1803 doesn't have
> the DNS tools, so I had to downgrade.
>
> All containers are "privileged" b/c samba NTACLs use the "security"
> namespace which requires root privileges. This seems to work for the
> AD DCs
> - I can't get the AD DCs to work in unprivileged mode.
Bit confused here, you talk about an error message 'Computer
FS3.MYDOM.COM cannot be connected', you then post a smb.conf but
then go on to say 'A member server fs3 w/Samba 4.7.6-Ubuntu also
privileged on the same host.'. It sounds like the smb.conf is not from
'FS3'.
By my count, you seem to be running 4 hosts on the same computer, 2 DCs
and 2 Unix domain members. This is not a good idea, if something goes
wrong with the host computer, you will lose everything.
Finally, stop me if I am wrong, but doesn't zfs use nfs4 acls?
So I think you need 'vfs_nfs4acl_xattr' instead of 'vfs_acl_xattr'
Rowland
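As an added example (not code from this thread or from the Samba project): a small Python script that checks testparm output against the settings the wiki page above asks for on a Windows-ACL share (acl_xattr loaded, map acl inherit and store dos attributes on, an idmap backend for the domain, and idmap ranges that do not overlap), and that probes a share path for extended-attribute support. The sample config is the poster's, reduced to plain key = value lines; the range-overlap rule, the user.* probe and the BROKEN_SMB_CONF variant are my own constructions, and the probe assumes Linux.

```python
"""Check a Samba member server's testparm output for the settings the
"Setting up a Share Using Windows ACLs" wiki page relies on, and probe a
share path for extended-attribute support.

Added example, not code from the samba list or the Samba project.
"""
import configparser
import os
import tempfile

# Constructed sample: the config posted in the thread, with the poster's
# parenthetical notes removed so that it parses as an ordinary smb.conf.
SAMPLE_SMB_CONF = """\
[global]
realm = KMS2.SAMDOM.COM
security = ADS
server role = member server
workgroup = KMS2
username map = /etc/samba/user.map
winbind refresh tickets = Yes
idmap config kms2 : range = 10000-19999
idmap config kms2 : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr

[Shared]
path = /home/shared
read only = No
"""

# Constructed broken variant: acl_xattr missing and the default ('*')
# range colliding with the domain range.
BROKEN_SMB_CONF = (SAMPLE_SMB_CONF
                   .replace("vfs objects = acl_xattr", "vfs objects = full_audit")
                   .replace("idmap config * : range = 3000-7999",
                            "idmap config * : range = 3000-12000"))

REQUIRED_GLOBAL = {"map acl inherit": "yes", "store dos attributes": "yes"}


def parse_smb_conf(text):
    # smb.conf keys may contain ':' ("idmap config kms2 : range"), so only
    # '=' is allowed to separate key from value.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def _range(value):
    lo, hi = value.split("-")
    return int(lo), int(hi)


def check_windows_acl_setup(text):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    g = parse_smb_conf(text)["global"]
    findings = []
    if "acl_xattr" not in g.get("vfs objects", "").lower().split():
        findings.append("global: 'vfs objects' must include acl_xattr")
    for key, want in REQUIRED_GLOBAL.items():
        if g.get(key, "").lower() != want:
            findings.append(f"global: '{key}' should be {want}")
    domain = g.get("workgroup", "").lower()
    if not g.get(f"idmap config {domain} : backend"):
        findings.append(f"global: no idmap backend configured for domain {domain}")
    # Every idmap range (domain and default '*') must be disjoint from the others.
    ranges = [(k, _range(g[k])) for k in g
              if k.startswith("idmap config") and k.endswith(": range")]
    for i, (k1, (a1, b1)) in enumerate(ranges):
        for k2, (a2, b2) in ranges[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                findings.append(f"global: idmap ranges overlap: '{k1}' and '{k2}'")
    return findings


def probe_user_xattr(path):
    """Write and read back a user.* xattr on a temp file in PATH (Linux only).
    Samba stores NT ACLs in security.NTACL, which only root may write; the
    user.* namespace is a cheap unprivileged proxy for xattr support."""
    if not hasattr(os, "setxattr"):
        return False
    fd, name = tempfile.mkstemp(dir=path)
    os.close(fd)
    try:
        os.setxattr(name, "user.samba_probe", b"1")
        return os.getxattr(name, "user.samba_probe") == b"1"
    except OSError:
        return False
    finally:
        os.unlink(name)


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_SMB_CONF), ("broken", BROKEN_SMB_CONF)):
        print(label, check_windows_acl_setup(conf) or "ok")
    print("user xattrs on /tmp:", probe_user_xattr("/tmp"))
```

Run it against `testparm -s` output instead of the embedded sample to check a real member server; an empty result only means the smb.conf side looks right, it says nothing about whether the share's filesystem accepts security.* xattrs or whether the connecting user maps to an account with read access to the share root.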