[Samba] Cannot change NTACL for share from Windows
Viktor Trojanovic
viktor at troja.ch
Sun May 31 15:37:06 UTC 2020
I just joined a freshly installed Linux machine with Samba 4.11.6 to my
Windows AD, as a domain member. Followed the Wiki to a T, domain join
without errors, I can enumerate users/groups, I can create shares and work
with them from Windows (all that matters to me).
Unfortunately, however, I don't seem to be able to change share security
settings, i.e. the ACL, from Windows. Whenever I do so, I get the error message
that "access is denied". Creating folders within the share and changing
ACLs for these works without issues; it's just the root folder of the share
I have problems with.
I chose to go with the ad IDMAP backend. Of course, all recommendations are
followed:
- Administrator and Domain Admins have no uidNumber/gidNumber set, all
others do. Though that shouldn't be relevant at this point since I'm only
accessing the shares from Windows.
- Administrator is mapped to root in user.map
- SeDiskOperatorPrivilege was given to new group "Unix Admins" which owns
the shares, together with root. Which still shouldn't matter here because
up to now everything was done using the Administrator account, mapped to
root.
- All shares are chmodded to 0770
- Share definitions in smb.conf are just 3 lines, as recommended in the
Wiki: share name, folder location, read only = no
I'm stuck and would appreciate your support. Some configuration details
follow, though it's all really basically just a copy from the Wiki.
[global]
dedicated keytab file = /etc/krb5.keytab
disable spoolss = Yes
kerberos method = secrets and keytab
load printers = No
printcap name = /dev/null
realm = SAMDOMAIN.EXAMPLE.COM
security = ADS
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/user.map
winbind refresh tickets = Yes
workgroup = SAMDOMAIN
idmap config hq:unix_nss_info = yes
idmap config hq:range = 10000-999999
idmap config hq:schema_mode = rfc2307
idmap config hq:backend = ad
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
printing = bsd
vfs objects = acl_xattr
[myshare]
path = /srv/samba/EXAMPLESHARE
read only = No
my user.map:
!root = SAMDOMAIN\Administrator SAMDOMAIN\administrator
getfacl output:
ubuntu at fs1:/srv/samba/$ getfacl EXAMPLESHARE
# file: EXAMPLESHARE
# owner: root
# group: HQ\\unix\040admins
user::rwx
user:root:rwx
group::rwx
group:HQ\\unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:HQ\\unix\040admins:r-x
default:mask::rwx
default:other::---
Please note that I have the same problem with all shares, not just with
this one.
Thanks,
Viktor
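An added example, not part of the post above and not Samba project code: a small Python script that parses an smb.conf in the layout shown in the post and runs the consistency checks a domain-member setup needs before ACL problems are debugged further. It groups the `idmap config DOMAIN:option` keys per domain, checks that every non-default domain label matches `workgroup` (Samba keys the idmap domain on the NetBIOS domain name, so a label that differs from the workgroup name silently falls through to the `*` default backend), checks that an `ad` backend has a `schema_mode`, that every domain has a `range`, that the ranges do not overlap, and that `acl_xattr` is loaded. The sample configuration is constructed from the `[global]` section in the post; whether the `hq` label that the check flags against `workgroup = SAMDOMAIN` reflects the real configuration or only the anonymisation of the post is something only the poster can say.

```python
"""Consistency checks for a Samba domain-member smb.conf (constructed example)."""
import re

# Constructed sample: the [global] section from the post, trimmed to the keys
# the checks below look at.
SAMPLE_SMB_CONF = """
[global]
realm = SAMDOMAIN.EXAMPLE.COM
security = ADS
workgroup = SAMDOMAIN
idmap config hq:unix_nss_info = yes
idmap config hq:range = 10000-999999
idmap config hq:schema_mode = rfc2307
idmap config hq:backend = ad
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = acl_xattr

[myshare]
path = /srv/samba/EXAMPLESHARE
read only = No
"""

# Matches the lower-cased key part of "idmap config DOMAIN : option = value".
IDMAP_RE = re.compile(r"^idmap config\s*([^:]+?)\s*:\s*(\w+)$")


def parse_smb_conf(text):
    """Return {section: {key: value}}; section and key names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def idmap_domains(global_section):
    """Group 'idmap config DOMAIN:option' keys into {domain: {option: value}}."""
    domains = {}
    for key, value in global_section.items():
        m = IDMAP_RE.match(key)
        if m:
            domains.setdefault(m.group(1).lower(), {})[m.group(2).lower()] = value
    return domains


def parse_range(value):
    """'10000-999999' -> (10000, 999999)."""
    low, high = value.split("-")
    return int(low), int(high)


def check_idmap(conf):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    g = conf.get("global", {})
    workgroup = g.get("workgroup", "").lower()
    domains = idmap_domains(g)

    if "backend" not in domains.get("*", {}):
        findings.append("no 'idmap config * : backend' default mapping")
    for name, opts in domains.items():
        if "range" not in opts:
            findings.append(f"idmap domain '{name}' has no range")
        if name == "*":
            continue
        if name != workgroup:
            findings.append(f"idmap domain label '{name}' does not match workgroup '{workgroup}'")
        if opts.get("backend") == "ad" and "schema_mode" not in opts:
            findings.append(f"idmap domain '{name}' uses the ad backend without schema_mode")

    # Overlapping ranges let two domains hand out the same uid/gid.
    ranges = [(n, parse_range(o["range"])) for n, o in domains.items() if "range" in o]
    for i, (n1, (lo1, hi1)) in enumerate(ranges):
        for n2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"idmap ranges for '{n1}' and '{n2}' overlap")

    # Windows-side ACL editing needs the acl_xattr VFS module on the share.
    if "acl_xattr" not in g.get("vfs objects", "").split():
        findings.append("vfs objects does not include acl_xattr")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(parse_smb_conf(SAMPLE_SMB_CONF)) or ["no findings"]:
        print(finding)
```

Run it against a real file with `check_idmap(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; the parser only understands the flat `key = value` layout, which is what `testparm -s` emits, so piping that output through the script is the safest way to feed it a configuration with includes or comments.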