[Samba] error on the modificed permission

Rowland Penny rpenny at samba.org
Tue Feb 12 11:57:46 UTC 2019


On Tue, 12 Feb 2019 11:13:56 +0100
marco pirola via samba <samba at lists.samba.org> wrote:

> I obtaing this resulta. Imposible enumerated the object in the 
> container: access negated.
> 

Hi Marco, you posted this as your smb.conf:

[global] 
 security = ADS
 workgroup = ROBINOOD
 realm = ROBINOOD.TST
 log file = /var/log/samba/%m.log
 log level = 1
 vfs objects = acl_xattr
 map acl inherit = yes
 store dos attributes = yes
 # Default ID mapping configuration for local BUILTIN accounts
 # and groups on a domain member. The default (*) domain:
 # - must not overlap with any domain ID mapping configuration!
 # - must use a read-write-enabled back end, such as tdb.
 idmap config * : backend = tdb
 idmap config * : range = 3000-7999
 # - You must set a DOMAIN backend configuration
 # idmap config for the ROBINOOD domain
 idmap config ROBINOOD : backend = rid
 idmap config ROBINOOD : range = 10000-999999
 winbind use default domain = yes
 username map = /etc/samba/user.map

 [samba]
 path = /home/samba/samba/ 
 read only = no

So I added your share to an existing Unix domain member, that also uses
the 'rid' backend, these are my notes, they prove it works.

Log into the Samba Unix domain member that holds the share

Some commands will be run as root 

Running the following command:

getent group Domain\ Admins

Should produce output similar to this:

domain_admins:x:10512:administrator,rowland

If you do not get output, then nothing is going to work.

List the existing SeDiskOperatorPrivilege owners

net rpc rights list privileges SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
Enter ROBINOOD\administrator's password:
SeDiskOperatorPrivilege:
  BUILTIN\Administrators

If 'Domain Admins' isn't shown (as above), you need to add the group:

net rpc rights grant "ROBINOOD\Domain Admins" SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
Enter ROBINOOD\administrator's password:
Successfully granted rights.

Check the privelege owners again

net rpc rights list privileges SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
Enter ROBINOOD\administrator's password:
SeDiskOperatorPrivilege:
  ROBINOOD\Domain_Admins
  BUILTIN\Administrators

Now create the share directory (if it doesn't already exist):

sudo mkdir -p /home/samba/samba/

sudo chown root:Domain\ Admins /home/samba/samba/
sudo chmod 0770 /home/samba/samba/

Check the ownership:

ls -lad /home/samba/samba/
drwxrwx--- 2 root domain_admins 4096 Feb 12 10:47 /home/samba/samba/

Reload Samba:

sudo smbcontrol all reload-config

Now goto a Windows machine (in my case win10) and log on using an account that is a member of Domain Admins.

    Click Start, enter Computer Management, and start the application.

    Select Action --> Connect to another computer.

    Enter the name of the Samba host and click OK to connect the console to the host.

    Open System Tools
    NOTE: You may get an error box, just click 'OK' and it will connect.

    Open Shared Folders --> Shares menu entry.   

    Right-click the 'samba' share and select Properties.

    Select the Security tab.

    Click the Edit button and then the 'Add' button

    Click 'Advanced' button

    Click 'Find Now'

    Select a user or group from the list, I will use 'Domain Users'

    Click 'OK'

    Click 'OK'

    Select permissions to grant, I will grant 'Full control'

    A windows security box should open, asking if you want to continue
    Click 'Yes'

    If you now check the list of 'Group or user names', you should find 'Domain Users' listed

    Click OK to close the Properties box.


Back to the Samba share machine:

If you check the ownership of the share directory, you should see that something has been added:

ls -lad /home/samba/samba/
drwxrwx---+ 2 root domain_admins 4096 Feb 12 10:47 /home/samba/samba/
          ^
          |--- This

If you now run:

getfacl /home/samba/samba/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/samba/
# owner: root
# group: domain_admins
user::rwx
user:root:rwx
user:10512:rwx
user:10513:rwx
group::rwx
group:domain_admins:rwx
group:domain_users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:10513:rwx
default:group::r-x
default:group:domain_admins:r-x
default:group:domain_users:rwx
default:mask::rwx
default:other::r-x

You can now see that members of 'Domain Users' can Read, Write and enter the directory.
 
Hope this helps

Rowland





More information about the samba mailing list