[Samba] Unable to set attributes in a samba share (error 0x00000005)

Mon Sep 9 07:34:09 UTC 2019

On 06/09/2019 17:00, Roberto Greiner via samba wrote:
> Hi,
>
> I've set a share using samba, connected it to my Active Directory, and
> now I'm having problems when I copy files into this share.
>
> To setup the AD connection I've followed
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member,
> and installed it into my Debian 9 install using APT, after
That would get you Samba 4.5.16, this is EOL as far as Samba is 
concerned, can you upgrade to Buster ? This will get you Samba 4.9.5
> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation.
>
> With the AD connection working, I've set my file share and connected to
> it from a Windows 2008 server.

Whoa, Windows 2000 ???? this went EOL in 2010

If you upgrade to 2003, this will get you to another EOL OS, this went 
EOL in 2015

If you upgrade to 2008, this will go EOL in January of next year

Do not think of adding a Samba AD DC into the mix, the Windows 2000 dns 
server (if it is running one) is incompatible with the Samba dns server. 
You would need to upgrade (if you can) your 2000 to 2003 and ensure it 
is running the dns server as a 2003 dns server and then, maybe, it might 
work.

> Then I started copying files from my old
> share using robocopy. If I use (z: is the old share, w: is the new one):
>
> robocopy /s /copy:DT /r:2 /w:1 z: w:
>
> It works. but if I use
>
> robocopy /s /copy:DATS /r:2 /w:1 z: w:
>
> The copy fails with error:
>
> 2019/09/06 10:18:40 ERROR 5 (0x00000005) Creating Destination Directory
> W:\<DESTINATION FOLDER>
> Access is denied.
>
> Since the share is used by different people with different privileges to
> the files, I need those additional attributes in /copy:DATS.
>
> Could somebody help me? My current setup is the following:
>
> Debian 9 VM, samba installed from APT
>
Try this smb.conf:

[global]
     workgroup = DOMAIN
     security = ADS
     realm = DOMAIN.FQDNFULLDOMAIN

     winbind use default domain = yes
     winbind expand groups = 2
     winbind refresh tickets = Yes
     winbind offline logon = yes

     idmap config * : backend = tdb
     idmap config * : range = 3000-7999
     idmap config DOMAIN : backend = rid
     idmap config DOMAIN : range = 10000-999999
     template shell = /bin/bash
     template homedir = /home/%U

     domain master = no
     local master = no
     preferred master = no

     # user Administrator workaround, without it you are unable to set 
privileges
     username map = /etc/samba/user.map

     # For ACL support on domain member
     vfs objects = acl_xattr
     map acl inherit = Yes
     store dos attributes = Yes

     log file = /var/log/samba/%m.log
     log level = 1

[Users]
     read only = no
     path = /share/Users

create the /etc/samba/user.map with this content:

!root = DOMAIN\Administrator

Restart Samba and then reread this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland