[Samba] error on the modified permission
Rowland Penny
rpenny at samba.org
Tue Feb 12 11:57:46 UTC 2019
On Tue, 12 Feb 2019 11:13:56 +0100
marco pirola via samba <samba at lists.samba.org> wrote:
> I obtained this result. Impossible to enumerate the objects in the
> container: access denied.
>
Hi Marco, you posted this as your smb.conf:
[global]
security = ADS
workgroup = ROBINOOD
realm = ROBINOOD.TST
log file = /var/log/samba/%m.log
log level = 1
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the ROBINOOD domain
idmap config ROBINOOD : backend = rid
idmap config ROBINOOD : range = 10000-999999
winbind use default domain = yes
username map = /etc/samba/user.map
[samba]
path = /home/samba/samba/
read only = no
So I added your share to an existing Unix domain member that also uses
the 'rid' backend. These are my notes; they prove it works.
Log into the Samba Unix domain member that holds the share
Some commands will be run as root
Running the following command:
getent group Domain\ Admins
Should produce output similar to this:
domain_admins:x:10512:administrator,rowland
If you do not get output, then nothing is going to work.
List the existing SeDiskOperatorPrivilege owners
net rpc rights list privileges SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
Enter ROBINOOD\administrator's password:
SeDiskOperatorPrivilege:
BUILTIN\Administrators
If 'Domain Admins' isn't shown (as above), you need to add the group:
net rpc rights grant "ROBINOOD\Domain Admins" SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
Enter ROBINOOD\administrator's password:
Successfully granted rights.
Check the privilege owners again
net rpc rights list privileges SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
Enter ROBINOOD\administrator's password:
SeDiskOperatorPrivilege:
ROBINOOD\Domain_Admins
BUILTIN\Administrators
Now create the share directory (if it doesn't already exist):
sudo mkdir -p /home/samba/samba/
sudo chown root:Domain\ Admins /home/samba/samba/
sudo chmod 0770 /home/samba/samba/
Check the ownership:
ls -lad /home/samba/samba/
drwxrwx--- 2 root domain_admins 4096 Feb 12 10:47 /home/samba/samba/
Reload Samba:
sudo smbcontrol all reload-config
Now go to a Windows machine (in my case win10) and log on using an account that is a member of Domain Admins.
Click Start, enter Computer Management, and start the application.
Select Action --> Connect to another computer.
Enter the name of the Samba host and click OK to connect the console to the host.
Open System Tools
NOTE: You may get an error box, just click 'OK' and it will connect.
Open Shared Folders --> Shares menu entry.
Right-click the 'samba' share and select Properties.
Select the Security tab.
Click the Edit button and then the 'Add' button
Click 'Advanced' button
Click 'Find Now'
Select a user or group from the list, I will use 'Domain Users'
Click 'OK'
Click 'OK'
Select permissions to grant, I will grant 'Full control'
A Windows security box should open, asking if you want to continue
Click 'Yes'
If you now check the list of 'Group or user names', you should find 'Domain Users' listed
Click OK to close the Properties box.
Back to the Samba share machine:
If you check the ownership of the share directory, you should see that something has been added:
ls -lad /home/samba/samba/
drwxrwx---+ 2 root domain_admins 4096 Feb 12 10:47 /home/samba/samba/
          ^
          |--- This
If you now run:
getfacl /home/samba/samba/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/samba/
# owner: root
# group: domain_admins
user::rwx
user:root:rwx
user:10512:rwx
user:10513:rwx
group::rwx
group:domain_admins:rwx
group:domain_users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:10513:rwx
default:group::r-x
default:group:domain_admins:r-x
default:group:domain_users:rwx
default:mask::rwx
default:other::r-x
You can now see that members of 'Domain Users' can Read, Write and enter the directory.
Hope this helps
Rowland
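The three things Rowland's notes verify on the Unix domain member (the privilege holder list, the directory ownership and mode, and what the POSIX ACL actually grants once the mask is applied) as a small POSIX sh check script. This is an added example, not part of the original post or of Samba: every function takes the output of the relevant command as its first argument so the logic runs offline against constructed samples; the --live switch and the sample data are assumptions of this example, modelled on the output quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of Rowland's reply or of Samba: offline-testable
# versions of the checks his notes make on the Unix domain member. Each
# function takes the OUTPUT of a command as its first argument, so the logic
# runs against the constructed samples below; the --live switch (hypothetical)
# feeds it the real output of net, ls and getfacl instead.

# Is ACCOUNT listed under "SeDiskOperatorPrivilege:" in the output of
#   net rpc rights list privileges SeDiskOperatorPrivilege -U ...
check_priv_holder() {
    printf '%s\n' "$1" | WANT="$2" awk '
        BEGIN { want = ENVIRON["WANT"] }          # ENVIRON keeps the backslash intact
        /^SeDiskOperatorPrivilege:/ { inblock = 1; next }
        inblock && /^[[:space:]]*$/ { inblock = 0 }
        inblock { gsub(/^[[:space:]]+|[[:space:]]+$/, ""); if ($0 == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Is the share directory (output of `ls -lad DIR`) group-owned by GROUP with no
# access for "other", as the chown root:"Domain Admins" / chmod 0770 step intends?
check_dir_private() {
    printf '%s\n' "$1" | awk -v group="$2" '
        NR == 1 { ok = (substr($1, 8, 3) == "---" && $4 == group) }   # mode chars 8-10
        END { exit ok ? 0 : 1 }'
}

# Print the EFFECTIVE permissions (entry permissions limited by the mask) that a
# getfacl listing grants. KIND is user|group|other; NAME is the account name,
# "" for the owner, the owning group or other. SCOPE="default:" inspects the
# default ACL, i.e. what new files and directories will inherit.
acl_effective() {
    printf '%s\n' "$1" | awk -v kind="$2" -v name="$3" -v scope="${4:-}" '
        /^#/ { next }                               # "# file:" / "# owner:" header
        {
            line = $0
            sub(/[[:space:]]*#.*$/, "", line)       # drop "#effective:..." notes
            if (scope != "") {
                if (index(line, scope) != 1) next   # only default: entries wanted
                line = substr(line, length(scope) + 1)
            } else if (index(line, "default:") == 1) next
            split(line, f, ":")
            if (f[1] == kind && f[2] == name) perm = f[3]
            if (f[1] == "mask") mask = f[3]
        }
        END {
            if (perm == "") exit 1
            # the mask limits named users, the owning group and named groups;
            # the owner and "other" are never masked
            if (mask != "" && (kind == "group" || (kind == "user" && name != ""))) {
                eff = ""
                for (i = 1; i <= 3; i++) {
                    c = substr(perm, i, 1)
                    eff = eff (c != "-" && c == substr(mask, i, 1) ? c : "-")
                }
                perm = eff
            }
            print perm
        }'
}

# --- constructed samples, modelled on the output quoted in the thread ---------
PRIVS_BEFORE='SeDiskOperatorPrivilege:
     BUILTIN\Administrators'
PRIVS_AFTER='SeDiskOperatorPrivilege:
     ROBINOOD\Domain_Admins
     BUILTIN\Administrators'
LS_OUT='drwxrwx---+ 2 root domain_admins 4096 Feb 12 10:47 /home/samba/samba/'
# Same shape as the getfacl output in the post, but with a mask of r-x so the
# "#effective:" annotations and the masking logic actually come into play.
ACL_MASKED='# file: home/samba/samba/
# owner: root
# group: domain_admins
user::rwx
user:10513:rwx          #effective:r-x
group::rwx              #effective:r-x
group:domain_users:rwx  #effective:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:domain_users:rwx
default:mask::rwx
default:other::r-x'

if [ "${1:-}" = "--live" ]; then            # hypothetical: run on a real member
    PRIVS=$(net rpc rights list privileges SeDiskOperatorPrivilege -U "ROBINOOD\administrator")
    LS=$(ls -lad /home/samba/samba/)
    ACL=$(getfacl /home/samba/samba/ 2>/dev/null)
else
    PRIVS=$PRIVS_AFTER; LS=$LS_OUT; ACL=$ACL_MASKED
fi
check_priv_holder "$PRIVS" 'ROBINOOD\Domain_Admins' \
    && echo "privilege: Domain Admins holds SeDiskOperatorPrivilege" \
    || echo "privilege: Domain Admins missing, run the net rpc rights grant step"
check_dir_private "$LS" domain_admins \
    && echo "directory: root:domain_admins, other denied" \
    || echo "directory: wrong group owner, or other has access"
echo "Domain Users, effective now:          $(acl_effective "$ACL" group domain_users)"
echo "Domain Users, inherited by new files: $(acl_effective "$ACL" group domain_users default:)"
```

Run without arguments it exercises the constructed samples and shows why the mask matters: the sample grants group:domain_users rwx but the mask of r-x cuts the effective access to r-x, which is the situation the `#effective:` column in real getfacl output flags and which a plain read of the rwx entry would miss. On the member itself, `sh check.sh --live` runs the same three checks against the real share.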