[Samba] error on the modified permission

marco pirola mapirola81 at gmail.com
Wed Feb 13 08:45:33 UTC 2019


Hi, with the command

getent group Domain\ Admins

I obtain domain admins:x:10512:

Is it correct?


On 12/02/2019 12:57, Rowland Penny via samba wrote:
> On Tue, 12 Feb 2019 11:13:56 +0100
> marco pirola via samba <samba at lists.samba.org> wrote:
>
>> I obtain this result. Impossible to enumerate the objects in the
>> container: access denied.
>>
> Hi Marco, you posted this as your smb.conf:
>
> [global]
>   security = ADS
>   workgroup = ROBINOOD
>   realm = ROBINOOD.TST
>   log file = /var/log/samba/%m.log
>   log level = 1
>   vfs objects = acl_xattr
>   map acl inherit = yes
>   store dos attributes = yes
>   # Default ID mapping configuration for local BUILTIN accounts
>   # and groups on a domain member. The default (*) domain:
>   # - must not overlap with any domain ID mapping configuration!
>   # - must use a read-write-enabled back end, such as tdb.
>   idmap config * : backend = tdb
>   idmap config * : range = 3000-7999
>   # - You must set a DOMAIN backend configuration
>   # idmap config for the ROBINOOD domain
>   idmap config ROBINOOD : backend = rid
>   idmap config ROBINOOD : range = 10000-999999
>   winbind use default domain = yes
>   username map = /etc/samba/user.map
>
>   [samba]
>   path = /home/samba/samba/
>   read only = no
>
> So I added your share to an existing Unix domain member, that also uses
> the 'rid' backend, these are my notes, they prove it works.
>
> Log into the Samba Unix domain member that holds the share
>
> Some commands will be run as root
>
> Running the following command:
>
> getent group Domain\ Admins
>
> Should produce output similar to this:
>
> domain_admins:x:10512:administrator,rowland
>
> If you do not get output, then nothing is going to work.
>
> List the existing SeDiskOperatorPrivilege owners
>
> net rpc rights list privileges SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
> Enter ROBINOOD\administrator's password:
> SeDiskOperatorPrivilege:
>    BUILTIN\Administrators
>
> If 'Domain Admins' isn't shown (as above), you need to add the group:
>
> net rpc rights grant "ROBINOOD\Domain Admins" SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
> Enter ROBINOOD\administrator's password:
> Successfully granted rights.
>
> Check the privilege owners again
>
> net rpc rights list privileges SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
> Enter ROBINOOD\administrator's password:
> SeDiskOperatorPrivilege:
>    ROBINOOD\Domain_Admins
>    BUILTIN\Administrators
>
> Now create the share directory (if it doesn't already exist):
>
> sudo mkdir -p /home/samba/samba/
>
> sudo chown root:Domain\ Admins /home/samba/samba/
> sudo chmod 0770 /home/samba/samba/
>
> Check the ownership:
>
> ls -lad /home/samba/samba/
> drwxrwx--- 2 root domain_admins 4096 Feb 12 10:47 /home/samba/samba/
>
> Reload Samba:
>
> sudo smbcontrol all reload-config
>
> Now go to a Windows machine (in my case win10) and log on using an account that is a member of Domain Admins.
>
>      Click Start, enter Computer Management, and start the application.
>
>      Select Action --> Connect to another computer.
>
>      Enter the name of the Samba host and click OK to connect the console to the host.
>
>      Open System Tools
>      NOTE: You may get an error box, just click 'OK' and it will connect.
>
>      Open Shared Folders --> Shares menu entry.
>
>      Right-click the 'samba' share and select Properties.
>
>      Select the Security tab.
>
>      Click the Edit button and then the 'Add' button
>
>      Click 'Advanced' button
>
>      Click 'Find Now'
>
>      Select a user or group from the list, I will use 'Domain Users'
>
>      Click 'OK'
>
>      Click 'OK'
>
>      Select permissions to grant, I will grant 'Full control'
>
>      A windows security box should open, asking if you want to continue
>      Click 'Yes'
>
>      If you now check the list of 'Group or user names', you should find 'Domain Users' listed
>
>      Click OK to close the Properties box.
>
>
> Back to the Samba share machine:
>
> If you check the ownership of the share directory, you should see that something has been added:
>
> ls -lad /home/samba/samba/
> drwxrwx---+ 2 root domain_admins 4096 Feb 12 10:47 /home/samba/samba/
>            ^
>            |--- This
>
> If you now run:
>
> getfacl /home/samba/samba/
> getfacl: Removing leading '/' from absolute path names
> # file: home/samba/samba/
> # owner: root
> # group: domain_admins
> user::rwx
> user:root:rwx
> user:10512:rwx
> user:10513:rwx
> group::rwx
> group:domain_admins:rwx
> group:domain_users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:10513:rwx
> default:group::r-x
> default:group:domain_admins:r-x
> default:group:domain_users:rwx
> default:mask::rwx
> default:other::r-x
>
> You can now see that members of 'Domain Users' can Read, Write and enter the directory.
>   
> Hope this helps
>
> Rowland
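As an added example (not from the thread), here is a small Python check that reads the idmap lines from the smb.conf quoted above, confirms that the default (*) range does not overlap the ROBINOOD range, and verifies that the GID winbind returned for Domain Admins (10512) is exactly what the rid backend computes, namely the low end of the domain range plus the group's well-known RID (512 for Domain Admins, 513 for Domain Users). The config text and getent lines are constructed from the thread; the function names are my own.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SMB_CONF = """
  idmap config * : backend = tdb
  idmap config * : range = 3000-7999
  idmap config ROBINOOD : backend = rid
  idmap config ROBINOOD : range = 10000-999999
"""
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513}  # well-known RIDs
IDMAP_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = cfg.setdefault(dom, {})
        if key.lower() == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return cfg

def overlapping_ranges(cfg):
    """Pairs of idmap domains whose ranges overlap; Samba requires this to be empty."""
    names = list(cfg)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = cfg[a]["range"], cfg[b]["range"]
            if al <= bh and bl <= ah:
                bad.append((a, b))
    return bad

def rid_backend_id(cfg, domain, rid):
    """idmap_rid maps a SID to LOW_RANGE + RID; the result must stay inside the range."""
    entry = cfg[domain]
    if entry.get("backend") != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    low, high = entry["range"]
    if not low <= low + rid <= high:
        raise ValueError(f"RID {rid} maps outside the {domain} range")
    return low + rid

def getent_gid_is_consistent(cfg, domain, group, getent_line):
    """True if the GID in a 'getent group' line equals what the rid backend should produce."""
    gid = int(getent_line.split(":")[2])
    return gid == rid_backend_id(cfg, domain, WELL_KNOWN_RIDS[group])
```

The same arithmetic explains the numeric entries user:10512 and user:10513 in the getfacl output above: they are the IDs the rid backend assigns to RIDs 512 and 513.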