[Samba] Unable to use BUILTIN AD groups on a domain member
Roy Eastwood
spindles7 at gmail.com
Wed Sep 25 17:53:24 UTC 2019
On 25 September 2019 17:25, Rowland penny wrote:
> On 25/09/2019 16:25, Roy Eastwood via samba wrote:
> > I have set up a share on a domain member server and am attempting to set the ACLs from a domain-joined Windows 7 computer as
> per the
> > WiKi at https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> > I want to use one of the BUILTIN groups, Backup Operators to be able to have Full Control on files in the share (as it will be
used
> > for backups). However, when trying to assign the group, Windows cannot find it. (If I perform that same on a share on one of
the
> > DCs, it works OK). I can set ACLs for the usual domain groups, eg Domain Admins, Domain Users etc, but none of the BUILTIN
> groups
> > are found.
> >
> > The server's OS is Rasbian Buster, Samba is Version 4.9.5-Debian. The sever knows about the groups as id test1 (an AD user)
gives:
> >
> > uid=13101(test1) gid=10513(domain users) groups=10513(domain users),13101(test1),2001(BUILTIN\users)
> >
> > So I assume nsswitch is set up OK.
> >
> > wbinfo -g and getent group (when the two "winbind enum" lines in smb.conf were active) lists all the Domain groups, but none of
> the
> > BUILTIN groups.
> >
> > The smb.conf is:
> > [global]
> > netbios name = pi4b
> > security = ADS
> > workgroup = MICROLYNX
> > realm = MICROLYNX.ORG
> >
> > # disable smb1
> > client min protocol = smb2_02
> > server min protocol = smb2_02
> >
> > log file = /var/log/samba/%m.log
> > log level = 1
> >
> > # to prevent "Address family not supported by protocol" messages (ipv6)
> > bind interfaces only = yes
> > interfaces = lo eth0
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind refresh tickets = yes
> >
> > winbind use default domain = yes
> >
> > # Default idmap config used for BUILTIN and local accounts/groups
> > idmap config * : backend = tdb
> > idmap config * : range = 2000-9999
> >
> > # idmap config for domain MICROLYNX
> > idmap config MICROLYNX:backend = rid
> > idmap config MICROLYNX:range = 10000-99999
> >
> > # next two lines for testing only - comment-out once working ok
> > # winbind enum users = yes
> > # winbind enum groups = yes
> >
> > # template shell = /bin/bash
> > # template homedir = /srv/samba/users/%U
> >
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > store dos attributes = yes
> > username map = /etc/samba/user.map
> >
> > [images]
> > # for backup images made by Macrium Reflect
> > path = /srv/samba/images
> > read only = no
> > acl_xattr:ignore system acl = yes
> >
> > In the meantime I have used Domain Admins. getfacl shows:
> >
> > getfacl /srv/samba/images
> > getfacl: Removing leading '/' from absolute path names
> > # file: srv/samba/images
> > # owner: root
> > # group: domain\040admins
> > user::rwx
> > user:root:rwx
> > user:10512:rwx
> > user:10513:r-x
> > group::rwx
> > group:NT\040Authority\\system:rwx
> > group:domain\040admins:rwx
> > group:domain\040users:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:10513:r-x
> > default:group::---
> > default:group:NT\040Authority\\system:rwx
> > default:group:domain\040admins:---
> > default:group:domain\040users:r-x
> > default:mask::rwx
> > default:other::---
> >
> > How do I assign the Backup Operators ACLs on the share? If this isn't possible, I guess I could use delegation or nested
groups.
> > But I think I must have something set up incorrectly. Appreciate any advice.
> >
> > Thanks,
> >
> > Roy
> >
> >
> >
> No, you haven't got anything set up incorrectly ;-)
>
> Backup Operators is a Windows group, so you cannot use it anywhere but
> on Windows or a Samba DC.
>
> I would just create a new group and make this group a member of Backup
> Operators.
>
> Rowland
Thanks. I think I understand. In that case should I be able to assign a BUILTIN group's permissions to a folder on the Windows
machine, which is joined to the domain, and I am logged on as a member of Domain Admins? But I get the same problem - cannot find
the group 'Backup Operators'. Does this mean this will only work when I am a member of a domain which has a Windows DC? Or are
the BUILTIN groups only available on a DC (Windows or Samba flavour) itself?
Yes, either way, I'll create a new group as you say. Once again many thanks for your help.
Roy
More information about the samba
mailing list