[Samba] Unable to use BUILTIN AD groups on a domain member

Rowland penny rpenny at samba.org
Wed Sep 25 16:24:58 UTC 2019


On 25/09/2019 16:25, Roy Eastwood via samba wrote:
> I have set up a share on a domain member server and am attempting to set the ACLs from a domain-joined Windows 7 computer as per the
> Wiki at https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> I want to use one of the BUILTIN groups, Backup Operators, to be able to have Full Control on files in the share (as it will be used
> for backups). However, when trying to assign the group, Windows cannot find it. (If I perform the same on a share on one of the
> DCs, it works OK.) I can set ACLs for the usual domain groups, e.g. Domain Admins, Domain Users etc., but none of the BUILTIN groups
> are found.
>
> The server's OS is Raspbian Buster, Samba is Version 4.9.5-Debian. The server knows about the groups, as id test1 (an AD user) gives:
>
> 	uid=13101(test1) gid=10513(domain users) groups=10513(domain users),13101(test1),2001(BUILTIN\users)
>
> So I assume nsswitch is set up OK.
>
> wbinfo -g and  getent group (when the two "winbind enum" lines in smb.conf were active) lists all the Domain groups, but none of the
> BUILTIN groups.
>
> The smb.conf is:
> [global]
>          netbios name = pi4b
>          security = ADS
>          workgroup = MICROLYNX
>          realm = MICROLYNX.ORG
>
>         # disable smb1
>         client min protocol = smb2_02
>         server min protocol = smb2_02
>
>          log file = /var/log/samba/%m.log
>          log level = 1
>
>          # to prevent "Address family not supported by protocol" messages (ipv6)
>          bind interfaces only = yes
>          interfaces = lo eth0
>
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>          winbind refresh tickets = yes
>
>          winbind use default domain = yes
>
>          # Default idmap config used for BUILTIN and local accounts/groups
>          idmap config * : backend = tdb
>          idmap config * : range = 2000-9999
>
>          # idmap config for domain MICROLYNX
>          idmap config MICROLYNX:backend = rid
>          idmap config MICROLYNX:range = 10000-99999
>
>          # next two lines for testing only - comment-out once working ok
> #        winbind enum users = yes
> #        winbind enum groups = yes
>
> #       template shell = /bin/bash
> #       template homedir = /srv/samba/users/%U
>
>          vfs objects = acl_xattr
>          map acl inherit = yes
>          store dos attributes = yes
>          username map = /etc/samba/user.map
>
> [images]
>          # for backup images made by Macrium Reflect
>          path = /srv/samba/images
>          read only = no
>          acl_xattr:ignore system acl = yes
>
> In the meantime I have used Domain Admins.   getfacl shows:
>
> getfacl /srv/samba/images
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/images
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> user:10512:rwx
> user:10513:r-x
> group::rwx
> group:NT\040Authority\\system:rwx
> group:domain\040admins:rwx
> group:domain\040users:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:10513:r-x
> default:group::---
> default:group:NT\040Authority\\system:rwx
> default:group:domain\040admins:---
> default:group:domain\040users:r-x
> default:mask::rwx
> default:other::---
>
> How do I assign the Backup Operators ACLs on the share? If this isn't possible, I guess I could use delegation or nested groups.
> But I think I must have something set up incorrectly. Appreciate any advice.
>
> Thanks,
>
> Roy
>
>
>
No, you haven't got anything set up incorrectly ;-)

Backup Operators is a Windows group, so you cannot use it anywhere but 
on Windows or a Samba DC.

I would just create a new group and make this group a member of Backup 
Operators.

Rowland
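As an added check (example code written for this thread, not from the original posts or from Samba itself): parse the idmap ranges out of the quoted smb.conf and classify the numeric entries in the quoted getfacl output, so you can see which ids belong to the `*` backend (BUILTIN and local accounts, kept in a tdb private to this member server) and which fall in the MICROLYNX rid range. The sample inputs are constructed from the lines quoted above; the gid 2001 that `id test1` reports for BUILTIN\users lands in the `*` range, which is why that group exists only on this machine.

```python
import re
from itertools import combinations

# Constructed sample input: the idmap lines from the smb.conf quoted above.
SMB_CONF = r"""
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config MICROLYNX:backend = rid
        idmap config MICROLYNX:range = 10000-99999
"""

# Constructed sample input: a few lines of the getfacl output quoted above.
GETFACL = r"""
user::rwx
user:root:rwx
user:10512:rwx
user:10513:r-x
group:domain\040admins:rwx
default:user:10513:r-x
"""

RANGE_RE = re.compile(r"idmap config\s*(.+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)")
ACL_RE = re.compile(r"^(?:default:)?(?:user|group):(\d+):")

def parse_idmap_ranges(conf):
    """Map each idmap domain ('*' is the catch-all for BUILTIN/local ids) to its (low, high) range."""
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in RANGE_RE.finditer(conf)}

def check_overlaps(ranges):
    """Return pairs of idmap domains whose ranges overlap (a misconfiguration winbind will complain about)."""
    return [(a, b) for a, b in combinations(sorted(ranges), 2)
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def domain_for_id(number, ranges):
    """Name the idmap domain whose range contains this uid/gid, or None for a plain local system id."""
    for name, (low, high) in ranges.items():
        if low <= number <= high:
            return name
    return None

def unresolved_acl_ids(acl_text, ranges):
    """Numeric ACL entries are ids getfacl could not turn into names; map each to its idmap domain."""
    found = {}
    for line in acl_text.splitlines():
        m = ACL_RE.match(line)
        if m:
            number = int(m.group(1))
            found[number] = domain_for_id(number, ranges)
    return found
```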