[Samba] Cannot change NTACL for share from Windows
viktor at troja.ch
Sun May 31 16:20:32 UTC 2020
On Sun, 31 May 2020 at 16:04, Rowland penny via samba <samba at lists.samba.org>
> On 31/05/2020 16:37, Viktor Trojanovic via samba wrote:
> > I just joined a freshly installed Linux machine with Samba 4.11.6 to my
> > Windows AD, as a domain member. Followed the Wiki to a T, domain join
> > without errors, I can enumerate users/groups, I can create shares and
> > with them from Windows (all that matters to me).
> > Unfortunately, however, I don't seem to be able to change share security
> > settings, i.e. ACL from Windows. Whenever I do so, I get the error
> > that "access is denied". Creating folders within the share and changing
> > ACLs for these works without issues, it's just the root folder of the
> > I have problems with.
> > I chose to go with the ad IDMAP backend. Of course, all recommendations
> > followed:
> > - Administrator and Domain Admins have no uidNumber/gidNumber set, all
> > others do. Though that shouldn't be relevant at this point since I'm only
> > accessing the shares from Windows.
> > - Administrator is mapped to root in user.map
> > - SeDiskOperatorPrivilege was given to new group "Unix Admins" which owns
> > the shares, together with root. Which still shouldn't matter here because
> > up to now everything was done using the Administrator account, mapped to
> > root.
> > - All shares are chmodded to 0770
> > - Share definitions in smb.conf are just 3 lines, as recommended in the
> > Wiki: share name, folder location, read only = no
> OK, let's start with the obvious, you have:
> workgroup = SAMDOMAIN
> idmap config hq:backend = ad
> Is 'SAMDOMAIN' actually 'HQ' ?
> Do all your users have a uidNumber attribute containing a number inside
> 10000-999999 ?
Yes. It's a fresh AD. 2 users at the moment. And as mentioned, I've been
only using the Administrator so far.
> Does Domain Users have a gidNumber attribute containing a number inside
> 10000-999999 ?
Yes, 10000.
> Is Apparmor (or Selinux) running and denying access ?
No Selinux present. As for Apparmor, it doesn't look like it.
ubuntu@fs1:/$ sudo apparmor_status
apparmor module is loaded.
9 profiles are loaded.
9 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
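
The first two checks asked for in this thread (does the `idmap config` domain match `workgroup`, and do the ID numbers fall inside the configured range) can be scripted. This is an added example, not code from the thread or from Samba; the sample smb.conf text, its `range` lines and the function names are constructed for illustration.

```python
import re

# Constructed sample [global] section; the workgroup/backend lines mirror the
# mismatch queried in the thread, the range lines are assumptions.
SAMPLE_CONF = """\
[global]
    workgroup = SAMDOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config hq:backend = ad
    idmap config hq:range = 10000-999999
"""

IDMAP_RE = re.compile(r"idmap config\s+(\S+?)\s*:\s*(\w[\w ]*?)\s*=\s*(.+)", re.I)

def parse_global(text):
    """Return (workgroup, {domain: {option: value}}) from the [global] section."""
    workgroup, idmap, section = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip()
        elif line.lower().startswith("workgroup"):
            workgroup = line.split("=", 1)[1].strip().upper()
    return workgroup, idmap

def check(text, ids=()):
    """List problems: no idmap block for the workgroup, or IDs outside its range."""
    workgroup, idmap = parse_global(text)
    problems = []
    domain = idmap.get(workgroup)
    if domain is None:
        named = sorted(d for d in idmap if d != "*")
        problems.append(f"workgroup {workgroup} has no idmap config; found {named}")
        return problems
    low, high = (int(n) for n in domain["range"].split("-"))
    problems += [f"id {i} outside {low}-{high}" for i in ids if not low <= i <= high]
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_CONF, ids=[10000]))
```
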