[Samba] Setting ACLs with smbcacls fails (partly)
Chris
samba at kirsche.org
Wed Dec 25 16:46:27 UTC 2019
Hello,
I'm running a PDC and a secondary DC in privileged lxc containers and
try to set up a fileserver in an unprivileged lxc container.
The shares of the file server are on the ZFS of the host and mapped via
bind-mount.
I've got the problem that I get error messages when setting the ACLs of
a samba share, either via the Windows explorer or using the smbcacls command.
On Windows explorer I get the error message:
"Failed To Enumerate Objects In The Container, Access Is Denied"
With smbcacls when adding a user the error is:
root at svr-002:/# smbcacls //svr-002/users / -U administrator --add ACL:S-1-5-21-106799508-1697487934-2302158525-1604:ALLOWED/3/FULL -d=0
Enter MYWRKGRP\administrator's password:
ERROR: security descriptor set failed: NT_STATUS_ACCESS_DENIED
Creating files and folders from within windows explorer works. I just
can't set the permissions on the elements without the error message.
Funny thing is, the ACL is set even when the above error message
appears:
So before issuing the smbcacls add command the ACLs are as follows:
root at svr-002:/# smbcacls //svr-002/users / -U administrator
lp_load_ex: changing to config backend registry
Enter MYWRKGRP\administrator's password:
REVISION:1
CONTROL:SR|SI|DI|DP
OWNER:MYWRKGRP\Administrator
GROUP:Unix Group\root
ACL:MYWRKGRP\Administrator:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Administrator:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:Unix User\root:ALLOWED/OI|CI/FULL
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
ACL:Unix Group\root:ALLOWED/0x0/FULL
ACL:Unix Group\root:ALLOWED/0x0/FULL
ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
ACL:Creator Group:ALLOWED/OI|CI|IO/
ACL:Unix Group\root:ALLOWED/OI|CI|IO/
After issuing the smbcacls add command
root at svr-002:/# smbcacls //svr-002/users / -U administrator
lp_load_ex: changing to config backend registry
Enter MYWRKGRP\administrator's password:
REVISION:1
CONTROL:SR|SI|DP
OWNER:MYWRKGRP\administrator
GROUP:Unix Group\root
ACL:MYWRKGRP\administrator:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Testuser:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\administrator:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:Unix User\root:ALLOWED/OI|CI/FULL
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
ACL:Unix Group\root:ALLOWED/0x0/FULL
ACL:Unix Group\root:ALLOWED/0x0/FULL
ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
ACL:Creator Group:ALLOWED/OI|CI|IO/
ACL:Unix Group\root:ALLOWED/OI|CI|IO/
As you can see, the user Testuser (the one with the SID
S-1-5-21-106799508-1697487934-2302158525-1604) has been added to the ACL.
Similar behaviour under Windows. When I remove the user in the Advanced
Security Settings Dialog and press apply, the error message "Failed To
Enumerate Objects In The Container, Access Is Denied" appears.
When I leave the Advanced Security Settings dialog with cancel, the
settings have however been applied. So after the removal of user
Testuser from the Windows Explorer the check with smbcacls shows that
the user has been removed.
Has anyone an idea what might be causing this issue?
---- Things I've tried without success:
Playing around with
acl_xattr:ignore system acls
acl_xattr:default acl style
Setting up the file server in a privileged container
rejoining to the domain
playing around with different chmod and chgrp settings
----
---- Used software versions
Host is Proxmox 6.1-5, Kernel version 5.3.13-1-pve
The lxc containers are based on Debian 10.
Samba Version is 4.9.5-Debian
Windows Pro 10.0.17134
----
------------ file server settings ----------------------
--- smb.conf of the fileserver
[global]
workgroup = MYWRKGRP
realm = MYWRKGRP.MYDOM.COM
netbios name = SVR-002
security = ADS
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
winbind refresh tickets = Yes
template shell = /bin/bash
idmap config * : range = 10000 - 19999
idmap config MYWRKGRP : backend = rid
idmap config MYWRKGRP : range = 1000000 - 1999999
map acl inherit = yes
inherit acls = Yes
inherit permissions = Yes
store dos attributes = Yes
vfs objects = acl_xattr
bind interfaces only = no
[users]
path = /home/MYWRKGRP/
comment = Home Directories
guest ok = no
read only = no
browseable = no
create mask = 700
directory mask = 700
----
---- nsswitch.conf of the fileserver
passwd: files winbind
group: files winbind
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
----
---- output of net rpc rights
root at svr-002:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
Enter administrator's password:
SeDiskOperatorPrivilege:
MYWRKGRP\administrator
BUILTIN\Administrators
MYWRKGRP\Domain Admins
----
---- output of getfacl
getfacl: Removing leading '/' from absolute path names
# file: home/MYWRKGRP/
# owner: MYWRKGRP\\administrator
# group: root
# flags: ss-
user::rwx
user:root:rwx
user:1000512:rwx
user:1000513:r-x
user:MYWRKGRP\\Testuser:rwx
user:1002103:rwx
group::rwx
group:root:rwx
group:MYWRKGRP\\administrator:rwx
group:MYWRKGRP\\domain\040admins:rwx
group:MYWRKGRP\\domain\040users:r-x
group:MYWRKGRP\\Testuser:rwx
group:MYWRKGRP\\unix\040admins:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:MYWRKGRP\\administrator:rwx
default:user:1000512:rwx
default:user:1000513:r-x
default:user:MYWRKGRP\\Testuser:rwx
default:group::---
default:group:root:---
default:group:MYWRKGRP\\administrator:rwx
default:group:MYWRKGRP\\domain\040admins:rwx
default:group:MYWRKGRP\\domain\040users:r-x
default:group:MYWRKGRP\\Testuser:rwx
default:mask::rwx
default:other::rwx
----
---- output of getfattr
root at svr-002:/# getfattr -n security.NTACL -d /home/MYWRKGRP/
/home/MYWRKGRP/: security.NTACL: No such attribute
----
--------------------- PDC settings --------------------------------
---- smb.conf of the PDC
[global]
netbios name = DC-101
realm = MYWRKGRP.MYDOM.COM
server role = active directory domain controller
dns forwarder = 10.0.0.1
workgroup = MYWRKGRP
[netlogon]
path = /var/lib/samba/sysvol/mywrkgrp.mydom.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
----
----------------- lxc and settings on the lxc host ---------------------
---- ZFS is setup as follows:
root at proxmox02:/etc/pve/lxc# zfs get xattr hdd_zfs_guests/home
NAME PROPERTY VALUE SOURCE
hdd_zfs_guests/home xattr sa inherited from hdd_zfs_guests
root at proxmox02:/etc/pve/lxc# zfs get acltype hdd_zfs_guests/home
NAME PROPERTY VALUE SOURCE
hdd_zfs_guests/home acltype posixacl local
root at proxmox02:/etc/pve/lxc# zfs get aclinherit hdd_zfs_guests/home
NAME PROPERTY VALUE SOURCE
hdd_zfs_guests/home aclinherit passthrough local
----
---- The container is setup as follows:
arch: amd64
cores: 2
hostname: svr-002
memory: 1024
mp0: /hdd_zfs_guests/shares,mp=/shares
mp1: /hdd_zfs_guests/home,mp=/home
nameserver: 10.0.1.5
net0: name=eth0,bridge=vmbr1,gw=10.0.0.1,hwaddr=56:19:46:64:BA:6B,ip=10.0.2.3/8,tag=2,type=veth
ostype: debian
rootfs: hdd_zfs_guests:subvol-312-disk-5,acl=1,size=8G
searchdomain: mywrkgrp.mydom.com
swap: 1024
unprivileged: 1
lxc.idmap: u 0 100000 2000000
lxc.idmap: g 0 100000 2000000
----
---- files /etc/setgid and /etc/setuid have the same content
root:10000:2100000
----
-------------------------------------------------------------------------
Any help is really appreciated as I'm trying to get around this error
now for days.
Thanks!
Chris
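Added example, not part of Chris's post and not Samba project code: a small Python script that parses the two smbcacls listings quoted above, diffs them as multisets, reports which security-descriptor control flags changed, and flags duplicated ACEs and write grants to everyone-style trustees. Run on the post's own data it shows three things worth checking before chasing the NT_STATUS_ACCESS_DENIED message: that Testuser really was added despite the error, that the DI (DACL auto-inherited) control flag disappeared between the two listings, and that `Everyone` holds FULL with OI|CI on the share root. The mapping of smbcacls flag tokens to ACE header bits and the list of "broad" trustees are assumptions of this example.

```python
from collections import Counter, namedtuple

# smbcacls inheritance-flag tokens and the Windows ACE_HEADER bit each stands for
# (assumed mapping: OI=1, CI=2, NP=4, IO=8, I=16, as in the Windows ACE definition)
_FLAG_BITS = {"OI": 0x1, "CI": 0x2, "NP": 0x4, "IO": 0x8, "I": 0x10}
# trustees that effectively mean "every user" (assumed list, extend as needed)
BROAD_TRUSTEES = {"everyone", "authenticated users", "users", "domain users"}
HEADER_KEYS = {"REVISION", "CONTROL", "OWNER", "GROUP"}

# trustee: "MYWRKGRP\Domain Admins", "Everyone" or a raw SID; kind: ALLOWED/DENIED;
# flags: frozenset of OI/CI/NP/IO/I; mask: FULL, READ, CHANGE, ... or a hex mask
Ace = namedtuple("Ace", "trustee kind flags mask")

def ace_key(ace):
    # Windows trustee names are case-insensitive (Administrator == administrator)
    return (ace.trustee.lower(), ace.kind, ace.flags, ace.mask)

def parse_flags(text):
    """Accept 'OI|CI', '0x0' or a plain number such as the '3' used with --add."""
    if text.lower().startswith("0x") or text.isdigit():
        bits = int(text, 0)
        return frozenset(n for n, b in _FLAG_BITS.items() if bits & b)
    return frozenset(t for t in text.split("|") if t)

def parse_ace(line):
    trustee, rest = line[len("ACL:"):].rsplit(":", 1)
    kind, flags, mask = rest.split("/", 2)        # mask may be empty
    return Ace(trustee, kind, parse_flags(flags), mask)

def parse_smbcacls(output):
    """Return (header dict, [Ace]); password prompts and lp_load_ex noise are skipped."""
    header, aces = {}, []
    for line in (l.strip() for l in output.splitlines()):
        if line.startswith("ACL:"):
            aces.append(parse_ace(line))
        elif ":" in line:
            k, v = line.split(":", 1)
            if k in HEADER_KEYS:
                header[k] = v
    return header, aces

def diff_aces(before, after):
    """(added, removed) as multisets, so a duplicated ACE counts twice."""
    by_key = {ace_key(a): a for a in list(before) + list(after)}
    b, a = Counter(map(ace_key, before)), Counter(map(ace_key, after))
    return ([by_key[k] for k in (a - b).elements()],
            [by_key[k] for k in (b - a).elements()])

def control_diff(before_hdr, after_hdr):
    """(gained, lost) security-descriptor control flags, e.g. DI dropping out."""
    b = set(before_hdr.get("CONTROL", "").split("|")) - {""}
    a = set(after_hdr.get("CONTROL", "").split("|")) - {""}
    return a - b, b - a

def duplicate_aces(aces):
    by_key = {ace_key(a): a for a in aces}
    return [by_key[k] for k, n in Counter(map(ace_key, aces)).items() if n > 1]

def broad_grants(aces, write_masks=("FULL", "CHANGE")):
    """ALLOWED ACEs that hand write access to an everyone-style trustee."""
    return [a for a in aces if a.kind == "ALLOWED" and a.mask in write_masks
            and a.trustee.rsplit("\\", 1)[-1].lower() in BROAD_TRUSTEES]

# The two listings quoted in the post (prompt kept in the first to show it is ignored)
BEFORE_OUTPUT = r"""Enter MYWRKGRP\administrator's password:
REVISION:1
CONTROL:SR|SI|DI|DP
OWNER:MYWRKGRP\Administrator
GROUP:Unix Group\root
ACL:MYWRKGRP\Administrator:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Administrator:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:Unix User\root:ALLOWED/OI|CI/FULL
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
ACL:Unix Group\root:ALLOWED/0x0/FULL
ACL:Unix Group\root:ALLOWED/0x0/FULL
ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
ACL:Creator Group:ALLOWED/OI|CI|IO/
ACL:Unix Group\root:ALLOWED/OI|CI|IO/
"""
AFTER_OUTPUT = r"""REVISION:1
CONTROL:SR|SI|DP
OWNER:MYWRKGRP\administrator
GROUP:Unix Group\root
ACL:MYWRKGRP\administrator:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Testuser:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\administrator:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:Unix User\root:ALLOWED/OI|CI/FULL
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
ACL:Unix Group\root:ALLOWED/0x0/FULL
ACL:Unix Group\root:ALLOWED/0x0/FULL
ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
ACL:Creator Group:ALLOWED/OI|CI|IO/
ACL:Unix Group\root:ALLOWED/OI|CI|IO/
"""
```

Usage: `diff_aces(*[parse_smbcacls(o)[1] for o in (BEFORE_OUTPUT, AFTER_OUTPUT)])` returns the single added `MYWRKGRP\Testuser` ACE and nothing removed; `control_diff` on the two headers reports `DI` as lost; `duplicate_aces` finds five ACEs listed twice; `broad_grants` returns the `Everyone` FULL entry. The duplicated entries are consistent with a descriptor that acl_xattr synthesizes from the POSIX ACL rather than reads back from a stored `security.NTACL` xattr (the post's getfattr output shows none is present), which is a useful thing to know before interpreting any smbcacls diff on this share.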