[Samba] Unable to set attributes in a samba share (error 0x00000005)

Roberto Greiner roberto.greiner at fundunesp.unesp.br
Fri Sep 6 16:00:17 UTC 2019


I've set a share using samba, connected it to my Active Directory, and
now I'm having problems when I copy files into this share.

To set up the AD connection I've followed
and installed it into my Debian 9 install using APT, after

With the AD connection working, I've set my file share and connected to
it from a Windows 2008 server. Then I started copying files from my old
share using robocopy. If I use (z: is the old share, w: is the new one):

robocopy /s /copy:DT /r:2 /w:1 z: w:

It works. But if I use

robocopy /s /copy:DATS /r:2 /w:1 z: w:

The copy fails with error:

2019/09/06 10:18:40 ERROR 5 (0x00000005) Creating Destination Directory
Access is denied.

Since the share is used by different people with different privileges to
the files, I need those additional attributes in /copy:DATS.

Could somebody help me? My current setup is the following:

Debian 9 VM, samba installed from APT

smb.conf (comments removed):
security = ADS
workgroup = DOMAIN
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
        browseable = yes
        writable = yes
        guest ok = no
        path = /share/Users
        directory mode = 770
        create mode = 0770
        force create mode = 0770
        inherit acls = yes
        inherit permissions = yes
        inherit owner = yes

 default_realm = DOMAIN.FQDNDOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = true

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

wbinfo --ping-dc indicates a successful connection.

'getent passwd' and 'getent group' list users and groups from Windows
correctly. Following
I added the 'SeDiskOperatorPrivilege' privilege to my 'DOMAIN\domain
admins' group, and /share/Users folder in the server was given the owner
and attributes indicated in the same document.

Am I missing something? Is there anything else that would be needed for
understanding the problem?

Thank you,

Roberto Greiner

