[Samba] Samba shares with Windows ACL's

Rowland penny rpenny at samba.org
Wed Nov 4 20:09:54 UTC 2020


On 04/11/2020 20:01, Peter Pollock wrote:
>
>
>
>     OK, you are using the winbind 'rid' backend, so it is okay to use
>     'Domain Admins', so start again and follow that wikipage:
>
>     Ensure you have the 'acl' & 'attr' packages installed (this is what
>     they are called on Debian based distros)
>
> They are installed. I built the server using the walk through you gave me.
>
>
>     Ensure that 'Domain Admins' has the 'SeDiskOperatorPrivilege'
>     privilege, this must be granted on the Unix domain member, or to put
>     it another way, the command must be run on the Unix domain member
>     that holds the share.
>
>
> itadmin at john:~$ net rpc rights list privileges SeDiskOperatorPrivilege -U "INTERNAL\administrator"
> Enter INTERNAL\administrator's password:
> SeDiskOperatorPrivilege:
>   INTERNAL\Domain Admins
>   BUILTIN\Administrators
>
>
>     Ensure the share directory belongs to 'root:Domain Admins' with 0770
>     permissions
>
>
> itadmin at john:~$ ls -l /hdd
> drwxrwx---+ 192 root   domain admins 12288 Sep  4 12:02 roaming
>
>
>     Now go to a Windows PC, log in as Administrator or as a member of the
>     'Domain Admins' group.
>
>
> Logged in as peterpollock
>
> itadmin at john:~$ getent group "domain admins"
> domain admins:x:10512:backupadmin,administrator,kevindalafu,peterpollock,domainadmin
>
>
>     Follow 'Setting Share Permissions and ACLs'
>
>
> Followed the instructions again. Got through to the second to last 
> line, clicked OK to close the permissions window and a "Windows 
> Security Setting security information on:" window popped up and 
> immediately an error window popped up telling me that it could not 
> enumerate objects in the container and access was denied.
>
>
>     Do not run chmod against the share directory once the shares are set
>     from Windows.
>
>     If it still doesn't work, suspect something like Apparmor or Selinux.
>
>
> I have uninstalled Apparmor because it has only ever caused me issues. 
> Selinux is installed but not activated.
>
> I'm at a loss.

As am I 🙁

OK, it is late here, so nothing is going to happen tonight, but in the 
morning I will install Debian 10 in a VM, install Samba using the 'rid' 
backend and see what happens.

Rowland
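
The prerequisites from the quoted checklist, gathered into one script as an added example (it is not part of the original message and not Samba's own tooling). The function names and the `--check` argument convention are hypothetical, and `stat -c` assumes GNU coreutils as found on Debian.

```shell
#!/bin/sh
# Added example: each function takes captured command output as text,
# so the checks can be run on saved output or live on the domain member.

# $1: output of `net rpc rights list privileges SeDiskOperatorPrivilege`
# $2: group name. True when some "DOMAIN\<group>" line lists that group.
has_privilege() {
    printf '%s\n' "$1" |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^[^\\]*\\//' |
        grep -qixF -- "$2"
}

# $1: output of `stat -c '%U:%G:%a' DIR`, $2: expected group.
# True when the directory is root:<group> with mode 770.
share_dir_ok() {
    owner=${1%%:*}; rest=${1#*:}
    mode=${rest##*:}; group=${rest%:*}
    [ "$owner" = root ] && [ "$mode" = 770 ] &&
        printf '%s\n' "$group" | grep -qixF -- "$2"
}

# $1: one line of `getent group NAME`, $2: user. True when $2 is a member.
user_in_group() {
    case ",${1##*:}," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live run on the Unix domain member that holds the share:
#   sh check.sh --check DIR GROUP USER ADMIN
if [ "${1:-}" = "--check" ]; then
    dir=$2; grp=$3; user=$4; admin=$5
    for tool in getfacl setfattr; do      # shipped in 'acl' and 'attr'
        command -v "$tool" >/dev/null || echo "FAIL: $tool not installed"
    done
    has_privilege \
        "$(net rpc rights list privileges SeDiskOperatorPrivilege -U "$admin")" \
        "$grp" || echo "FAIL: $grp lacks SeDiskOperatorPrivilege"
    share_dir_ok "$(stat -c '%U:%G:%a' "$dir")" "$grp" ||
        echo "FAIL: $dir is not root:$grp with mode 770"
    user_in_group "$(getent group "$grp")" "$user" ||
        echo "FAIL: $user is not a member of $grp"
fi
```

Run against the values shown in the quoted output, every check passes, which is consistent with the suggestion to look next at something outside these settings.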





