[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.

Stephen stephen at ogdenradar.com
Mon Apr 1 15:03:59 UTC 2019

Cheers, that fixed it! :O) So, if I may summarise what we have just 

1) All newly created samba users need to have the uidNumber attribute 
set to a unique value (within the range specified in smb.conf for 
SAMDOM) when using ad backend with RFC2307.

2) All new groups need to have the gidNumber set to a unique value 
(within the range specified in smb.conf for SAMDOM) when using ad 
backend with RFC2307.

3) Don't delete group Everyone - even though the Windows UI will let you 
do this it will actually break your file permissions :(

Could I possibly ask you a couple of further related questions about 
this uidnumber and gidnumber issue please?

1) Previously I found I could access the share I created as 
SAMDOM/Administrator. However when I checked using Windows RSAT ADUC 
there is apparently no uidNumber set for this Administrator account by 
default. Is that what you would expect to see, presumably I do not need 
to supply uidNumbers for built-in default accounts?

2) I originally created SAMDOM/stephenellwood at the the DC command-line 
like so:

sudo samba-tool user add your_domain_user --given-name=your_name 
--surname=your_username --mail-address=your_domain_user at tecmint.lan 

The Samba docs here https://wiki.samba.org/index.php/Idmap_config_ad 
appear to suggest that the syntax I have used for my account creation 
command above is essentially incomplete given that I have also specified 
winbind nss info = rfc2307 in my smb.conf.

I am pretty sure that I need to add some extra command-line switches to 
my example above specify UID, home directory path, and primary group at 
account creation time as per the docs. Unfortunately though man 
samba-tool does not provide a full list of supported samba-tool user 
create command-line switches. What syntax would you recommend that I use 
for creating new users in my situation with samba-tool user create Rowland?

I do realise creating users in this fashion means having to track the 
last-used uidNumber manually somehow and thus might not be regarded as 
best practice.

3) Related to point two, had I instead created user 
SAMDOM/stephenellwood using the Windows RSAT ADUC tools would sensible 
uidNumber and gidNumber values have been chosen automatically 
potentially avoiding this entire problem?
The Samba docs here (https://wiki.samba.org/index.php/Idmap_config_ad) 
are a little unclear about this point. They say "When using the ADUC 
utility, the user and group IDs are automatically tracked inside AD and 
incremented when creating a new user or group."

The problem is I am unsure if userID == uidNumber, and likewise groupID 
= gidNumber or if these are actually different parameters.

Stephen Ellwood

On 01/04/2019 15:26, Rowland Penny via samba wrote:
> On Mon, 1 Apr 2019 15:12:21 +0100
> Stephen via samba <samba at lists.samba.org> wrote:
>> Hi Rowland, thanks for your suggestions. I have read and re-read the
>> Samba docs to try and understand where I went wrong here.
>> I added the uidNumber and gidNumber exactly as per your comments and
>> that seems to improve the situation markedly. I can now at least see
>> that the share exists from SAMDOM\stephenellwood which wasn't
>> possible before. File access is now possible from
>> SAMDOM/stephenellwood when I configure NTFS security permissions to
>> allow read and write access for group Everyone.
>> I am still seeing issues with fileshare access from custom AD groups
>> though. For example, I removed the NTFS security permissions access
>> to group Everyone on my share.
> Put 'Everyone' back, you need it ;-)
>> I then created a group OgdenFilesUsers
>> using the ADUC RSAT tool and added SAMDOM/stephenellwood to this.
>> Even when security permissions are set for OgdenFilesUsers to allow
>> read and write permissions it still won't seem to allow access. For
>> good measure I then went and set the gidNumber attribute for my newly
>> created OgdenFilesUsers group to 10001 but that didn't make any
>> difference.
> Try reading this:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> Rowland

More information about the samba mailing list