[Samba] Computer Management - Share Security - No Read Access

Rowland Penny rpenny at samba.org
Fri Feb 22 09:19:38 UTC 2019 

On Fri, 22 Feb 2019 09:52:36 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> > ******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED
> > 
> > Can't see where I could be deviating
> Ok i think here ( as workaround ) the following. 
> 
> 
> > root at sce253:/# service smbd stop
> > root at sce253:/# rmdir /server/share-files
> > root at sce253:/# rmdir /server/users
> > root at sce253:/# cd ..
> > root at sce253:/# rmdir server
> > root at sce253:/# mkdir -p /server/share-files
> > root at sce253:/# mkdir -p /server/users
> 
> Install -d /server -o root -g "Domain Admins" -m 3771
> 
> > root at sce253:/# chown root:"Domain Admins" /server/share-files
> > root at sce253:/# chown root:"Domain Admins" /server/users
> > root at sce253:/# chmod 0770 /server/share-files
> > root at sce253:/# chmod 0770 /server/users
> 
> Now try again. 
> 
> The message: 
> > 
> > ******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED 
> Purly due to /server not allowing "DOMAIN USER" write access. 
> Because ... What is the windows "Primary group" yes. Domain Users. 
> 
> So I thing also you might be affected with bug :  
> https://bugzilla.samba.org/show_bug.cgi?id=13371 

As I have already said, it depends on your perspective if bug 13371 is
actually a bug ;-)

If you use 'unix_primary_group = yes' and a user logs into a Unix
machine, they will get the Unix primary group instead of Domain Admins.
If the same user logs into a Windows machine, they will get Domain
Users as their primary group.

If the same user connects over the network (either from a Unix or
Windows machine) their primary group will be Domain Users, how can it
be otherwise, Samba is trying to emulate how Windows works, so it
doesn't care whether it is a Windows or a Unix machine. Because of
this, it has to work in the same way as a Windows machine expects.

My feelings are:
If you have only Unix clients, use 'unix_primary_group = yes' if you
wish. If you only have Windows clients, or a mixture of Unix & Windows
clients, don't.

Rowland

More information about the samba mailing list