[Samba] Unable to use BUILTIN AD groups on a domain member

Roy Eastwood spindles7 at gmail.com
Wed Sep 25 15:25:37 UTC 2019


I have set up a share on a domain member server and am attempting to set the ACLs from a domain-joined Windows 7 computer as per the
Wiki at https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

I want to use one of the BUILTIN groups, Backup Operators, to be able to have Full Control on files in the share (as it will be used
for backups). However, when trying to assign the group, Windows cannot find it. (If I perform the same on a share on one of the
DCs, it works OK.) I can set ACLs for the usual domain groups, e.g. Domain Admins, Domain Users etc., but none of the BUILTIN groups
are found.

The server's OS is Raspbian Buster, Samba is version 4.9.5-Debian. The server knows about the groups, as id test1 (an AD user) gives:

	uid=13101(test1) gid=10513(domain users) groups=10513(domain users),13101(test1),2001(BUILTIN\users)

So I assume nsswitch is set up OK.

wbinfo -g and getent group (when the two "winbind enum" lines in smb.conf were active) list all the Domain groups, but none of the
BUILTIN groups.

The smb.conf is:
[global]
        netbios name = pi4b
        security = ADS
        workgroup = MICROLYNX
        realm = MICROLYNX.ORG

        # disable smb1
        client min protocol = smb2_02
        server min protocol = smb2_02

        log file = /var/log/samba/%m.log
        log level = 1

        # to prevent "Address family not supported by protocol" messages (ipv6)
        bind interfaces only = yes
        interfaces = lo eth0

        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind refresh tickets = yes

        winbind use default domain = yes

        # Default idmap config used for BUILTIN and local accounts/groups
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999

        # idmap config for domain MICROLYNX
        idmap config MICROLYNX:backend = rid
        idmap config MICROLYNX:range = 10000-99999

        # next two lines for testing only - comment-out once working ok
#        winbind enum users = yes
#        winbind enum groups = yes

#       template shell = /bin/bash
#       template homedir = /srv/samba/users/%U

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        username map = /etc/samba/user.map

[images]
        # for backup images made by Macrium Reflect
        path = /srv/samba/images
        read only = no
        acl_xattr:ignore system acl = yes

In the meantime I have used Domain Admins.   getfacl shows:

getfacl /srv/samba/images
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/images
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:10512:rwx
user:10513:r-x
group::rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:10513:r-x
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:---
default:group:domain\040users:r-x
default:mask::rwx
default:other::---

How do I assign the Backup Operators ACLs on the share? If this isn't possible, I guess I could use delegation or nested groups.
But I think I must have something set up incorrectly. Appreciate any advice.

Thanks,

Roy
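Added example, not from Roy's post or from the Samba project: a small Python model of how the idmap settings in the smb.conf above turn SIDs into the numeric IDs that appear in the getfacl output. The rid backend computes id = range low + RID (so 10512 and 10513 are RIDs 512 and 513, Domain Admins and Domain Users), while BUILTIN SIDs (S-1-5-32-*) fall through to the default "*" domain, whose tdb backend allocates IDs on first sight rather than by formula. The MICROLYNX domain SID is a constructed placeholder; the getfacl lines are copied from the post.

```python
import re

# Constructed placeholder; the real MICROLYNX domain SID is not in the post.
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"
BUILTIN_SID = "S-1-5-32"

# idmap settings exactly as in the posted smb.conf
IDMAP = {
    "*":         {"backend": "tdb", "range": (2000, 9999)},
    "MICROLYNX": {"backend": "rid", "range": (10000, 99999)},
}
DOMAIN_SIDS = {"MICROLYNX": DOMAIN_SID}

def sid_to_id(sid, idmap=IDMAP, domain_sids=DOMAIN_SIDS):
    """Return (idmap domain, backend, unix id).
    unix id is None when the backend allocates it dynamically (tdb) or when
    range_low + RID falls outside the configured range, in which case
    winbind cannot map the SID at all."""
    prefix, rid = sid.rsplit("-", 1)
    for name, dsid in domain_sids.items():
        if prefix == dsid and idmap[name]["backend"] == "rid":
            low, high = idmap[name]["range"]
            unix_id = low + int(rid)
            return (name, "rid", unix_id if low <= unix_id <= high else None)
    # BUILTIN (S-1-5-32-*) and any other SID fall through to the default '*' domain.
    label = "BUILTIN" if prefix == BUILTIN_SID else "*"
    return (label, idmap["*"]["backend"], None)

def id_to_rid(unix_id, idmap=IDMAP, domain="MICROLYNX"):
    """Reverse the rid arithmetic for an id inside the domain's range."""
    low, high = idmap[domain]["range"]
    return unix_id - low if low <= unix_id <= high else None

# A few lines of the getfacl output from the post; \040 is getfacl's escape for a space.
GETFACL = r"""user:root:rwx
user:10512:rwx
user:10513:r-x
group:domain\040admins:rwx
"""

def numeric_entries(text):
    """(tag, unix id, perms) for ACL entries whose qualifier getfacl printed
    as a bare number, i.e. it could not turn the id into a name."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in re.finditer(r"^(user|group):(\d+):([rwx-]{3})$", text, re.M)]
```

Feeding S-1-5-32-551 (Backup Operators) through sid_to_id shows it is served by the "*" tdb backend, not by the rid formula, which is why its numeric id cannot be predicted from the range alone.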




