[Samba] Cannot change NTACL for share from Windows

Viktor Trojanovic viktor at troja.ch
Sun May 31 16:20:32 UTC 2020


On Sun, 31 May 2020 at 16:04, Rowland penny via samba <samba at lists.samba.org>
wrote:

> On 31/05/2020 16:37, Viktor Trojanovic via samba wrote:
> > I just joined a freshly installed Linux machine with Samba 4.11.6 to my
> > Windows AD, as a domain member. Followed the Wiki to a T, domain join
> > without errors, I can enumerate users/groups, I can create shares and
> > work with them from Windows (all that matters to me).
> >
> > Unfortunately, however, I don't seem to be able to change share security
> > settings, i.e. ACL from Windows. Whenever I do so, I get the error
> > message that "access is denied". Creating folders within the share and
> > changing ACLs for these works without issues, it's just the root folder
> > of the share I have problems with.
> >
> > I chose to go with the ad IDMAP backend. Of course, all recommendations
> > are followed:
> >
> > - Administrator and Domain Admins have no uidNumber/gidNumber set, all
> > others do. Though that shouldn't be relevant at this point since I'm only
> > accessing the shares from Windows.
> > - Administrator is mapped to root in user.map
> > - SeDiskOperatorPrivilege was given to new group "Unix Admins" which owns
> > the shares, together with root. Which still shouldn't matter here because
> > up to now everything was done using the Administrator account, mapped to
> > root.
> > - All shares are chmodded to 0770
> > - Share definitions in smb.conf are just 3 lines, as recommended in the
> > Wiki: share name, folder location, read only = no
> >
> >
> OK, lets start with the obvious, you have:
>
> workgroup = SAMDOMAIN
>
> and:
>
> idmap config hq:backend = ad
>
> Is 'SAMDOMAIN' actually 'HQ' ?
>
>
Yes


> Do all your users have a uidNumber attribute containing a number inside
> 10000-999999 ?
>
Yes. It's a fresh AD. 2 users at the moment. And as mentioned, I've been
only using the Administrator so far.

> Does Domain Users have a gidNumber attribute containing a number inside
> 10000-999999 ?
>
Yes, 10000.

> Is Apparmor (or Selinux) running and denying access ?
>

No Selinux present. As for Apparmor, it doesn't look like it.

ubuntu at fs1:/$ sudo apparmor_status
apparmor module is loaded.
9 profiles are loaded.
9 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
0 processes have profiles defined.

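As an added example (not code from this thread or from the Samba project): a POSIX sh check for the two configuration points Rowland asks about, the `workgroup` name having a matching `idmap config <DOM>:backend = ad` stanza and the uidNumber/gidNumber lying inside that domain's `range`. The smb.conf below is constructed to reproduce the SAMDOMAIN/hq mismatch; its values are assumptions, not the poster's real file.

```sh
#!/bin/sh
# Constructed sample smb.conf: the workgroup is SAMDOMAIN but the ad idmap
# stanza is written for "hq", which is the inconsistency raised in the thread.
SAMPLE_CONF='[global]
   workgroup = SAMDOMAIN
   security = ADS
   realm = SAMDOMAIN.EXAMPLE
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config hq:backend = ad
   idmap config hq:schema_mode = rfc2307
   idmap config hq:range = 10000-999999
   idmap config hq:unix_nss_info = yes
'

# smb_value CONF KEY: print the value of KEY from CONF text.
# Keys are compared case-insensitively with all whitespace removed, so
# "idmap config hq : backend" and "idmap config HQ:backend" are the same key.
smb_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        BEGIN { key = tolower(key); gsub(/ /, "", key) }
        /^[ \t]*[#;]/ { next }                       # skip comments
        /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k); k = tolower(k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# idmap_domain_matches CONF: succeed only if the workgroup named in CONF
# has its own "idmap config <WORKGROUP>:backend" line.
idmap_domain_matches() {
    wg=$(smb_value "$1" "workgroup")
    [ -n "$wg" ] && [ -n "$(smb_value "$1" "idmap config $wg:backend")" ]
}

# id_in_range CONF DOMAIN ID: succeed if ID lies inside "idmap config DOMAIN:range".
id_in_range() {
    range=$(smb_value "$1" "idmap config $2:range")
    lo=${range%-*}; hi=${range#*-}
    [ -n "$range" ] && [ "$3" -ge "$lo" ] && [ "$3" -le "$hi" ]
}

if idmap_domain_matches "$SAMPLE_CONF"; then echo "idmap domain matches workgroup"
else echo "workgroup has no matching 'idmap config <DOM>:backend' stanza"; fi
```

To check a live system, replace `SAMPLE_CONF` with the output of `testparm -s` and the numeric argument with the uidNumber or gidNumber read from AD.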
