[Samba] Unable to use BUILTIN AD groups on a domain member
Rowland penny
rpenny at samba.org
Wed Sep 25 18:34:32 UTC 2019
On 25/09/2019 18:53, Roy Eastwood wrote:
> On 25 September 2019 17:25, Rowland penny wrote:
>> On 25/09/2019 16:25, Roy Eastwood via samba wrote:
>>> I have set up a share on a domain member server and am attempting to set the ACLs from a domain-joined Windows 7 computer as
>> per the
>>> WiKi at https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>> I want to use one of the BUILTIN groups, Backup Operators to be able to have Full Control on files in the share (as it will be
> used
>>> for backups). However, when trying to assign the group, Windows cannot find it. (If I perform that same on a share on one of
> the
>>> DCs, it works OK). I can set ACLs for the usual domain groups, eg Domain Admins, Domain Users etc, but none of the BUILTIN
>> groups
>>> are found.
>>>
>>> The server's OS is Rasbian Buster, Samba is Version 4.9.5-Debian. The sever knows about the groups as id test1 (an AD user)
> gives:
>>> uid=13101(test1) gid=10513(domain users) groups=10513(domain users),13101(test1),2001(BUILTIN\users)
>>>
>>> So I assume nsswitch is set up OK.
>>>
>>> wbinfo -g and getent group (when the two "winbind enum" lines in smb.conf were active) lists all the Domain groups, but none of
>> the
>>> BUILTIN groups.
>>>
>>> The smb.conf is:
>>> [global]
>>> netbios name = pi4b
>>> security = ADS
>>> workgroup = MICROLYNX
>>> realm = MICROLYNX.ORG
>>>
>>> # disable smb1
>>> client min protocol = smb2_02
>>> server min protocol = smb2_02
>>>
>>> log file = /var/log/samba/%m.log
>>> log level = 1
>>>
>>> # to prevent "Address family not supported by protocol" messages (ipv6)
>>> bind interfaces only = yes
>>> interfaces = lo eth0
>>>
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> winbind refresh tickets = yes
>>>
>>> winbind use default domain = yes
>>>
>>> # Default idmap config used for BUILTIN and local accounts/groups
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-9999
>>>
>>> # idmap config for domain MICROLYNX
>>> idmap config MICROLYNX:backend = rid
>>> idmap config MICROLYNX:range = 10000-99999
>>>
>>> # next two lines for testing only - comment-out once working ok
>>> # winbind enum users = yes
>>> # winbind enum groups = yes
>>>
>>> # template shell = /bin/bash
>>> # template homedir = /srv/samba/users/%U
>>>
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>> store dos attributes = yes
>>> username map = /etc/samba/user.map
>>>
>>> [images]
>>> # for backup images made by Macrium Reflect
>>> path = /srv/samba/images
>>> read only = no
>>> acl_xattr:ignore system acl = yes
>>>
>>> In the meantime I have used Domain Admins. getfacl shows:
>>>
>>> getfacl /srv/samba/images
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: srv/samba/images
>>> # owner: root
>>> # group: domain\040admins
>>> user::rwx
>>> user:root:rwx
>>> user:10512:rwx
>>> user:10513:r-x
>>> group::rwx
>>> group:NT\040Authority\\system:rwx
>>> group:domain\040admins:rwx
>>> group:domain\040users:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:10513:r-x
>>> default:group::---
>>> default:group:NT\040Authority\\system:rwx
>>> default:group:domain\040admins:---
>>> default:group:domain\040users:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>> How do I assign the Backup Operators ACLs on the share? If this isn't possible, I guess I could use delegation or nested
> groups.
>>> But I think I must have something set up incorrectly. Appreciate any advice.
>>>
>>> Thanks,
>>>
>>> Roy
>>>
>>>
>>>
>> No, you haven't got anything set up incorrectly ;-)
>>
>> Backup Operators is a Windows group, so you cannot use it anywhere but
>> on Windows or a Samba DC.
>>
>> I would just create a new group and make this group a member of Backup
>> Operators.
>>
>> Rowland
> Thanks. I think I understand. In that case should I be able to assign a BUILTIN group's permissions to a folder on the Windows
> machine, which is joined to the domain, and I am logged on as a member of Domain Admins? But I get the same problem - cannot find
> the group 'Backup Operators'. Does this mean this will only work when I am a member of a domain which has a Windows DC? Or are
> the BUILTIN groups only available on a DC (Windows or Samba flavour) itself?
>
> Yes, either way, I'll create a new group as you say. Once again many thanks for your help.
>
> Roy
>
I tried to find 'BUILTIN\Backup Operators' on a Windows 10 PC (something
I have never tried before) and you are correct, I couldn't find it. This
is probably down to it being a group in the BUILTIN domain (it is in
AD), but I wouldn't worry about this.
Rowland
More information about the samba
mailing list