[Samba] Unable to use BUILTIN AD groups on a domain member

Rowland penny rpenny at samba.org
Wed Sep 25 18:34:32 UTC 2019


On 25/09/2019 18:53, Roy Eastwood wrote:
> On 25 September 2019 17:25, Rowland penny wrote:
>> On 25/09/2019 16:25, Roy Eastwood via samba wrote:
>>> I have set up a share on a domain member server and am attempting to set the ACLs from a domain-joined Windows 7 computer as per the
>>> Wiki at https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>> I want to use one of the BUILTIN groups, Backup Operators, to be able to have Full Control on files in the share (as it will be used
>>> for backups).   However, when trying to assign the group, Windows cannot find it.   (If I perform the same on a share on one of the
>>> DCs, it works OK).   I can set ACLs for the usual domain groups, eg Domain Admins, Domain Users etc, but none of the BUILTIN groups
>>> are found.
>>>
>>> The server's OS is Raspbian Buster, Samba is Version 4.9.5-Debian.   The server knows about the groups, as id test1 (an AD user) gives:
>>> 	uid=13101(test1) gid=10513(domain users) groups=10513(domain users),13101(test1),2001(BUILTIN\users)
>>>
>>> So I assume nsswitch is set up OK.
>>>
>>> wbinfo -g and getent group (when the two "winbind enum" lines in smb.conf were active) list all the Domain groups, but none of the
>>> BUILTIN groups.
>>>
>>> The smb.conf is:
>>> [global]
>>>           netbios name = pi4b
>>>           security = ADS
>>>           workgroup = MICROLYNX
>>>           realm = MICROLYNX.ORG
>>>
>>>           # disable smb1
>>>           client min protocol = smb2_02
>>>           server min protocol = smb2_02
>>>
>>>           log file = /var/log/samba/%m.log
>>>           log level = 1
>>>
>>>           # to prevent "Address family not supported by protocol" messages (ipv6)
>>>           bind interfaces only = yes
>>>           interfaces = lo eth0
>>>
>>>           dedicated keytab file = /etc/krb5.keytab
>>>           kerberos method = secrets and keytab
>>>           winbind refresh tickets = yes
>>>
>>>           winbind use default domain = yes
>>>
>>>           # Default idmap config used for BUILTIN and local accounts/groups
>>>           idmap config * : backend = tdb
>>>           idmap config * : range = 2000-9999
>>>
>>>           # idmap config for domain MICROLYNX
>>>           idmap config MICROLYNX:backend = rid
>>>           idmap config MICROLYNX:range = 10000-99999
>>>
>>>           # next two lines for testing only - comment-out once working ok
>>> #        winbind enum users = yes
>>> #        winbind enum groups = yes
>>>
>>> #       template shell = /bin/bash
>>> #       template homedir = /srv/samba/users/%U
>>>
>>>           vfs objects = acl_xattr
>>>           map acl inherit = yes
>>>           store dos attributes = yes
>>>           username map = /etc/samba/user.map
>>>
>>> [images]
>>>           # for backup images made by Macrium Reflect
>>>           path = /srv/samba/images
>>>           read only = no
>>>           acl_xattr:ignore system acl = yes
>>>
>>> In the meantime I have used Domain Admins.   getfacl shows:
>>>
>>> getfacl /srv/samba/images
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: srv/samba/images
>>> # owner: root
>>> # group: domain\040admins
>>> user::rwx
>>> user:root:rwx
>>> user:10512:rwx
>>> user:10513:r-x
>>> group::rwx
>>> group:NT\040Authority\\system:rwx
>>> group:domain\040admins:rwx
>>> group:domain\040users:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:10513:r-x
>>> default:group::---
>>> default:group:NT\040Authority\\system:rwx
>>> default:group:domain\040admins:---
>>> default:group:domain\040users:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>> How do I assign the Backup Operators ACLs on the share?    If this isn't possible, I guess I could use delegation or nested groups.
>>> But I think I must have something set up incorrectly.   Appreciate any advice.
>>>
>>> Thanks,
>>>
>>> Roy
>>>
>>>
>>>
>> No, you haven't got anything set up incorrectly ;-)
>>
>> Backup Operators is a Windows group, so you cannot use it anywhere but
>> on Windows or a Samba DC.
>>
>> I would just create a new group and make this group a member of Backup
>> Operators.
>>
>> Rowland
> Thanks.   I think I understand.  In that case should I be able to assign a BUILTIN group's permissions to a folder on the Windows
> machine, which is joined to the domain, and I am logged on as a member of Domain Admins?   But I get the same problem - cannot find
> the group 'Backup Operators'.   Does this mean this will only work when I am a member of a domain which has a Windows DC?   Or are
> the BUILTIN groups only available on a DC (Windows or Samba flavour) itself?
>
> Yes, either way, I'll create a new group as you say.   Once again many thanks for your help.
>
> Roy
>
I tried to find 'BUILTIN\Backup Operators' on a Windows 10 PC (something 
I have never tried before) and you are correct, I couldn't find it. This 
is probably down to it being a group in the BUILTIN domain (it is in 
AD), but I wouldn't worry about this.

Rowland
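The smb.conf quoted in this thread splits ID mapping between a stateless `rid` backend for MICROLYNX and a stateful `tdb` backend for `*`, which is why the getfacl output shows 10512 and 10513 (512 and 513 are the RIDs of Domain Admins and Domain Users, added to the low end of the 10000-99999 range) while BUILTIN\users got 2001 out of the 2000-9999 range. The script below is an added example, not code from the thread or from Samba: it models those two backends and shows that a domain group (including one nested in Backup Operators, as Rowland suggests) gets the same Unix ID on every member with this configuration, whereas a BUILTIN group's ID depends on which server allocated it first. The domain SID is a constructed placeholder; the well-known RIDs and BUILTIN SIDs are the fixed Windows values.

```python
"""
Added example, not code from the thread or from the Samba project: a model of
how the member server's smb.conf maps Windows SIDs to Unix IDs, and why the
posted getfacl output shows deterministic 10512/10513 for Domain Admins and
Domain Users but a small, server-local number for BUILTIN\\users.

Rules modelled (documented behaviour of the idmap_rid and idmap_tdb backends):
  idmap config MICROLYNX : backend = rid, range = 10000-99999
      Unix ID = RID + low end of the range, for SIDs inside the MICROLYNX
      domain SID only. No state, so every member with this config agrees.
  idmap config * : backend = tdb, range = 2000-9999
      BUILTIN (S-1-5-32-*) and other non-domain SIDs get the next free ID from
      a per-server database, in whatever order winbind first saw them.
DOMAIN_SID is a constructed placeholder; the real value comes from the DC.
"""
from typing import Dict, Optional, Tuple

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder

# Well-known RIDs/SIDs that appear in the thread (fixed by Windows, not assumptions).
DOMAIN_ADMINS = DOMAIN_SID + "-512"
DOMAIN_USERS = DOMAIN_SID + "-513"
BUILTIN_USERS = "S-1-5-32-545"
BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551"
NT_AUTHORITY_SYSTEM = "S-1-5-18"


class RidBackend:
    """idmap_rid: arithmetic mapping, only for SIDs of the configured domain."""

    def __init__(self, domain_sid: str, low: int, high: int) -> None:
        self.domain_sid, self.low, self.high = domain_sid, low, high

    def owns(self, sid: str) -> bool:
        prefix, _, rid = sid.rpartition("-")
        return prefix == self.domain_sid and rid.isdigit()

    def sid_to_id(self, sid: str) -> Optional[int]:
        if not self.owns(sid):
            return None
        unix_id = self.low + int(sid.rpartition("-")[2])
        # A RID that lands above the range is refused, not handed to '*'.
        return unix_id if unix_id <= self.high else None


class TdbBackend:
    """idmap_tdb: first-come allocation from a per-server database."""

    def __init__(self, low: int, high: int) -> None:
        self.low, self.high = low, high
        self.table: Dict[str, int] = {}

    def sid_to_id(self, sid: str) -> Optional[int]:
        if sid not in self.table:
            next_id = self.low + len(self.table)
            if next_id > self.high:
                return None  # range exhausted
            self.table[sid] = next_id
        return self.table[sid]


class MemberIdmap:
    """Dispatch like winbind: the domain's backend first, '*' for everything else."""

    def __init__(self, domain: RidBackend, default: TdbBackend) -> None:
        self.domain, self.default = domain, default

    def sid_to_id(self, sid: str) -> Optional[int]:
        if self.domain.owns(sid):
            return self.domain.sid_to_id(sid)
        return self.default.sid_to_id(sid)


def member_from_smb_conf() -> MemberIdmap:
    """The two idmap stanzas from the smb.conf quoted in the thread."""
    return MemberIdmap(RidBackend(DOMAIN_SID, 10000, 99999),
                       TdbBackend(2000, 9999))


def acl_trustee_ids(idmap: MemberIdmap) -> Dict[str, Optional[int]]:
    """What the trustees seen in the posted getfacl output resolve to on this member."""
    return {name: idmap.sid_to_id(sid) for name, sid in (
        ("Domain Admins", DOMAIN_ADMINS),
        ("Domain Users", DOMAIN_USERS),
        ("BUILTIN\\Users", BUILTIN_USERS),
        ("BUILTIN\\Backup Operators", BUILTIN_BACKUP_OPERATORS),
        ("NT AUTHORITY\\SYSTEM", NT_AUTHORITY_SYSTEM),
    )}


def two_members_disagree() -> Tuple[bool, bool]:
    """Same config on two members that met the BUILTIN SIDs in a different order:
    domain IDs agree (rid is stateless), BUILTIN IDs do not (tdb is per server)."""
    a, b = member_from_smb_conf(), member_from_smb_conf()
    for sid in (BUILTIN_USERS, BUILTIN_BACKUP_OPERATORS):
        a.sid_to_id(sid)
    for sid in (BUILTIN_BACKUP_OPERATORS, BUILTIN_USERS):
        b.sid_to_id(sid)
    domain_agree = a.sid_to_id(DOMAIN_ADMINS) == b.sid_to_id(DOMAIN_ADMINS)
    builtin_agree = a.sid_to_id(BUILTIN_USERS) == b.sid_to_id(BUILTIN_USERS)
    return domain_agree, builtin_agree


if __name__ == "__main__":
    for name, unix_id in acl_trustee_ids(member_from_smb_conf()).items():
        print(f"{name:28} -> {unix_id}")
    print("domain IDs agree / BUILTIN IDs agree:", two_members_disagree())
```

The practical consequence matches Rowland's advice: a group created in the domain and nested in Backup Operators lives in the MICROLYNX domain SID, so the `rid` backend gives it the same ID on the DC, on this member, and on any other member with the same range, and the ACL entry carries a stable name rather than a bare number. A BUILTIN group's ID is whatever the local tdb handed out, so even where such an entry could be written it would not travel between servers. On a Samba DC the nesting itself is done with `samba-tool group add` followed by `samba-tool group addmembers "Backup Operators" <newgroup>`.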
