[Samba] Samba shares with Windows ACL's

Peter Pollock peter.pollock at kingschristian.org
Wed Nov 4 20:01:40 UTC 2020 

>
>
>
> OK, you are using the winbind 'rid' backend, so it is okay to use
> 'Domain Admins', so start again and follow that wikipage:
>
> Ensure you have the 'acl' & 'attr' packages installed (this is what they
> are called on Debian based distros)
>

They are installed. I built the server using the walk through you gave me.


> Ensure that 'Domain Admins' has the 'SeDiskOperatorPrivilege' privilege,
> this must be granted on the Unix domain member, or to put it another
> way, the command must be run on the Unix domain member that holds the
> share.
>

 itadmin at john:~$ net rpc rights list privileges SeDiskOperatorPrivilege -U
"INTERNAL\administrator"
Enter INTERNAL\administrator's password:
SeDiskOperatorPrivilege:
  INTERNAL\Domain Admins
  BUILTIN\Administrators


> Ensure the share directory belongs to 'root:Domain Admins' with 0770
> permissions
>

itadmin at john:~$ ls -l /hdd
drwxrwx---+ 192 root   domain admins 12288 Sep  4 12:02 roaming


>
> Now go to a Windows PC, log in as Administrator or as a member of the
> 'Domain Admins' group.
>

Logged in as peterpollock

itadmin at john:~$ getent group "domain admins"
domain
admins:x:10512:backupadmin,administrator,kevindalafu,peterpollock,domainadmin


>
> Follow 'Setting Share Permissions and ACLs'
>

Followed the instructions again. Got through to the second to last line,
clicked OK to close the permissions window and a "Windows Security Setting
security information on:" window popped up and immediately an error window
popped up telling me that it could not enumerate objects in the container
and access was denied.



>
> Do not run chmod against the share directory once the shares are set
> from Windows.
>
> If it still doesn't work, suspect something like Apparmor or Selinux.
>

I have uninstalled Apparmor because it has only ever caused me issues.
Selinux is installed but not activated.

I'm at a loss.


>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list