[Samba] Unable to use BUILTIN AD groups on a domain member

Roy Eastwood spindles7 at gmail.com
Wed Sep 25 17:53:24 UTC 2019


On 25 September 2019 17:25, Rowland penny wrote:
> On 25/09/2019 16:25, Roy Eastwood via samba wrote:
> > I have set up a share on a domain member server and am attempting to set the ACLs from a domain-joined Windows 7 computer as per the
> > Wiki at https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> > I want to use one of the BUILTIN groups, Backup Operators, to be able to have Full Control on files in the share (as it will be used
> > for backups).   However, when trying to assign the group, Windows cannot find it.   (If I perform the same on a share on one of the
> > DCs, it works OK).   I can set ACLs for the usual domain groups, e.g. Domain Admins, Domain Users etc., but none of the BUILTIN groups
> > are found.
> >
> > The server's OS is Raspbian Buster, Samba is Version 4.9.5-Debian.   The server knows about the groups, as id test1 (an AD user) gives:
> >
> > 	uid=13101(test1) gid=10513(domain users) groups=10513(domain users),13101(test1),2001(BUILTIN\users)
> >
> > So I assume nsswitch is set up OK.
> >
> > wbinfo -g and getent group (when the two "winbind enum" lines in smb.conf were active) list all the Domain groups, but none of the
> > BUILTIN groups.
> >
> > The smb.conf is:
> > [global]
> >          netbios name = pi4b
> >          security = ADS
> >          workgroup = MICROLYNX
> >          realm = MICROLYNX.ORG
> >
> >         # disable smb1
> >         client min protocol = smb2_02
> >         server min protocol = smb2_02
> >
> >          log file = /var/log/samba/%m.log
> >          log level = 1
> >
> >          # to prevent "Address family not supported by protocol" messages (ipv6)
> >          bind interfaces only = yes
> >          interfaces = lo eth0
> >
> >          dedicated keytab file = /etc/krb5.keytab
> >          kerberos method = secrets and keytab
> >          winbind refresh tickets = yes
> >
> >          winbind use default domain = yes
> >
> >          # Default idmap config used for BUILTIN and local accounts/groups
> >          idmap config * : backend = tdb
> >          idmap config * : range = 2000-9999
> >
> >          # idmap config for domain MICROLYNX
> >          idmap config MICROLYNX:backend = rid
> >          idmap config MICROLYNX:range = 10000-99999
> >
> >          # next two lines for testing only - comment-out once working ok
> > #        winbind enum users = yes
> > #        winbind enum groups = yes
> >
> > #       template shell = /bin/bash
> > #       template homedir = /srv/samba/users/%U
> >
> >          vfs objects = acl_xattr
> >          map acl inherit = yes
> >          store dos attributes = yes
> >          username map = /etc/samba/user.map
> >
> > [images]
> >          # for backup images made by Macrium Reflect
> >          path = /srv/samba/images
> >          read only = no
> >          acl_xattr:ignore system acl = yes
> >
> > In the meantime I have used Domain Admins.   getfacl shows:
> >
> > getfacl /srv/samba/images
> > getfacl: Removing leading '/' from absolute path names
> > # file: srv/samba/images
> > # owner: root
> > # group: domain\040admins
> > user::rwx
> > user:root:rwx
> > user:10512:rwx
> > user:10513:r-x
> > group::rwx
> > group:NT\040Authority\\system:rwx
> > group:domain\040admins:rwx
> > group:domain\040users:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:10513:r-x
> > default:group::---
> > default:group:NT\040Authority\\system:rwx
> > default:group:domain\040admins:---
> > default:group:domain\040users:r-x
> > default:mask::rwx
> > default:other::---
> >
> > How do I assign the Backup Operators ACLs on the share?    If this isn't possible, I guess I could use delegation or nested groups.
> > But I think I must have something set up incorrectly.   Appreciate any advice.
> >
> > Thanks,
> >
> > Roy
> >
> >
> >
> No, you haven't got anything set up incorrectly ;-)
> 
> Backup Operators is a Windows group, so you cannot use it anywhere but
> on Windows or a Samba DC.
> 
> I would just create a new group and make this group a member of Backup
> Operators.
> 
> Rowland

Thanks.   I think I understand.  In that case should I be able to assign a BUILTIN group's permissions to a folder on the Windows
machine, which is joined to the domain, and I am logged on as a member of Domain Admins?   But I get the same problem - cannot find
the group 'Backup Operators'.   Does this mean this will only work when I am a member of a domain which has a Windows DC?   Or are
the BUILTIN groups only available on a DC (Windows or Samba flavour) itself?

Yes, either way, I'll create a new group as you say.   Once again many thanks for your help.

Roy
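An added example, not part of the thread, that reproduces on paper what winbind does with the smb.conf above: the "rid" backend gives MICROLYNX SIDs deterministic IDs (which is why Domain Admins, Domain Users and test1 appear as 10512, 10513 and 13101), while BUILTIN SIDs such as Backup Operators (S-1-5-32-551) fall through to the "*" tdb backend and get a locally allocated ID that only this member knows about. The domain SID is a constructed placeholder; the RIDs for Domain Admins (512), Domain Users (513) and Backup Operators (551) are the standard well-known values.

```python
# Added example (not from the thread): model Samba's idmap choice for the
# smb.conf quoted above, to show why domain groups get predictable Unix IDs
# under the "rid" backend while BUILTIN groups land in the local "*" tdb range.
import re

# The real domain SID is not on the page; this value is a constructed placeholder.
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"
BUILTIN_SID = "S-1-5-32"

IDMAP_CONFIG = {
    # idmap config * : backend = tdb / range = 2000-9999
    "*": {"backend": "tdb", "range": (2000, 9999)},
    # idmap config MICROLYNX:backend = rid / range = 10000-99999
    "MICROLYNX": {"backend": "rid", "range": (10000, 99999), "base_rid": 0},
}

def split_sid(sid):
    """Return (authority/domain part, RID) for a domain or BUILTIN SID."""
    m = re.fullmatch(r"(S-1-5-(?:21(?:-\d+){3}|32))-(\d+)", sid)
    if not m:
        raise ValueError(f"unsupported SID: {sid}")
    return m.group(1), int(m.group(2))

def map_sid(sid, config=IDMAP_CONFIG, domain_sid=DOMAIN_SID, domain="MICROLYNX"):
    """Pick the idmap domain the way winbind does and apply its backend rule."""
    base, rid = split_sid(sid)
    # SIDs from the joined domain use its own idmap block; BUILTIN (S-1-5-32)
    # and any other authority fall back to the default "*" block.
    cfg = config[domain] if base == domain_sid else config["*"]
    low, high = cfg["range"]
    if cfg["backend"] == "rid":
        # idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID, fully deterministic
        unix_id = rid - cfg.get("base_rid", 0) + low
        if not low <= unix_id <= high:
            return None  # outside the configured range: winbind will not map it
        return ("rid", unix_id)
    # tdb hands out the next free ID in its range the first time it sees the
    # SID, so the number is local to this member and not predictable.
    return ("tdb-local", None)

def ranges_overlap(config=IDMAP_CONFIG):
    """The Samba wiki requires non-overlapping idmap ranges; True if any collide."""
    spans = sorted(c["range"] for c in config.values())
    return any(a[1] >= b[0] for a, b in zip(spans, spans[1:]))
```

Running map_sid on the BUILTIN SID makes the point of Rowland's answer concrete: that group is never part of the MICROLYNX idmap block, so an ACL naming it on the member cannot be resolved through the domain.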