[Samba] Unable to set attributes in a samba share (error 0x00000005)

Roberto Greiner roberto.greiner at fundunesp.unesp.br
Fri Sep 6 16:00:17 UTC 2019


Hi,

I've set a share using samba, connected it to my Active Directory, and
now I'm having problems when I copy files into this share.

To setup the AD connection I've followed
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member,
and installed it into my Debian 9 install using APT, after
https://wiki.samba.org/index.php/Distribution-specific_Package_Installation.

With the AD connection working, I've set my file share and connected to
it from a Windows 2008 server. Then I started copying files from my old
share using robocopy. If I use (z: is the old share, w: is the new one):

robocopy /s /copy:DT /r:2 /w:1 z: w:

It works. but if I use

robocopy /s /copy:DATS /r:2 /w:1 z: w:

The copy fails with error:

2019/09/06 10:18:40 ERROR 5 (0x00000005) Creating Destination Directory
W:\<DESTINATION FOLDER>
Access is denied.

Since the share is used by different people with different privileges to
the files, I need those additional attributes in /copy:DATS.

Could somebody help me? My current setup is the following:

Debian 9 VM, samba installed from APT

smb.conf (comments removed):
[global]
security = ADS
workgroup = DOMAIN
realm = DOMAIN.FQDNFULLDOMAIN
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
[Users]
        browseable = yes
        writable = yes
        guest ok = no
        path = /share/Users
        directory mode = 770
        create mode = 0770
        force create mode = 0770
        inherit acls = yes
        inherit permissions = yes
        inherit owner = yes

/etc/krb5.conf:
[libdefaults]
 default_realm = DOMAIN.FQDNDOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = true

/etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

wbinfo --ping-dc indicates a sucessfull connection.

'getent passwd' and 'getent group' list users and groups from windows
correctly. Following
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs,
I added the 'SeDiskOperatorPrivilege' privilege to my 'DOMAIN\domain
admins' group, and /share/Users folder in the server was given the owner
and attributes indicated in the same document.

Am I missing something? Is there anything else that would be needed for
understanding the problem?

Thank you,

Roberto Greiner


-- 


More information about the samba mailing list