[Samba] Fwd: Administrator User Has no access to Remote File Server

L.P.H. van Belle belle at bazuin.nl
Wed Dec 8 07:56:41 UTC 2021


> > Run :
> > getfacl /storage
> root at filesrv1:/# getfacl storage/
> # file: storage/
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x

Good enough, we use the last r-x.. 
* if you didn't map root to administrator 

> > getfacl /storage/netfiles
> root at filesrv1:/# getfacl storage/netfiles
> # file: storage/netfiles
> # owner: root
> # group: root
> user::rwx
> group::r-x
> group:DOMAIN\\it:rwx
> mask::rwx
> other::r-x

Good enough, we use the last r-x.. 
* if you didn't map root to administrator and/or didn't add Administrator in the IT group.

> 
> > getfacl /storage/netfiles/mis
> root at filesrv1:/# getfacl storage/netfiles/mis
> # file: storage/netfiles/mis
> # owner: root
> # group: DOMAIN\\domadmins
> # flags: -s-
> user::rwx
> user:81:rwx
> user:DOMAIN\\ralph.strebbing:rwx
> user:DOMAIN\\dvr:r-x
> group::rwx
> group:DOMAIN\\domadmins:rwx
> group:DOMAIN\\it:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:81:rwx
> default:user:DOMAIN\\ralph.strebbing:rwx
> default:group::rwx
> default:group:DOMAIN\\domadmins:rwx
> default:group:DOMAIN\\it:rwx
> default:mask::rwx
> default:other::---
> 
> The domadmin entries above are a separate group which used to be an
> Admins group in the NT4 domain (gid 910)
> 
> > What's set for the share security?
> https://imgur.com/a/t4ex8i6 
> > Normally that's everyone full control, did you change anything here?
> Under Share Permissions, nothing's been changed. Only thing we've ever
> changed has been through setfacl on the commandline.

Good enough also.. 

So, looks like /storage/netfiles/ is missing rights. 

Add in the Permissions. 
Domain Users, read & execute, Non inherited, Applies to "this folder only" 
See if that helps, this gives all users, the right to enter that folder/share. 

The rights on MIS are ok to me. 


The other pitfall.. The recent updates..

Did you add what Rowland also asked? 
To add 'min domain uid = 0' to the smb.conf 

And.. Make sure this is set. 
    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping
Content : !root = ADDOM_CHANGE_IT\Administrator ADDOM_CHANGE_IT\administrator



Greetz, 

Louis
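
The reading of the getfacl output in this message (which ACL entry ends up deciding access for Administrator at each directory) follows the POSIX ACL check order: owner, named user, group class, other. The sketch below is an added example, not part of the original post or of Samba; the sample ACLs are abridged from the quoted output, and the `DOMAIN\administrator` and `DOMAIN\domain users` names and the treatment of `\\` as an escaped backslash are assumptions.

```python
import re

# Constructed sample: abridged from the getfacl output quoted in the thread.
NETFILES = r"""# owner: root
# group: root
user::rwx
group::r-x
group:DOMAIN\\it:rwx
mask::rwx
other::r-x"""
MIS = r"""# owner: root
# group: DOMAIN\\domadmins
user::rwx
user:DOMAIN\\dvr:r-x
group::rwx
group:DOMAIN\\domadmins:rwx
group:DOMAIN\\it:rwx
mask::rwx
other::---"""

def parse(text):
    """Parse getfacl text into owner, owning group and access entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip().replace("\\\\", "\\")  # assumes '\\' is an escaped '\'
        if m := re.match(r"# (owner|group): (.+)", line):
            acl[m.group(1)] = m.group(2)
        elif line and not line.startswith(("#", "default:")):
            tag, name, perms = line.split("#")[0].strip().rsplit(":", 2)
            acl["entries"].append((tag, name, set(perms) - {"-"}))
    return acl

def decide(acl, user, groups, want):
    """Return (granted, deciding entry) using the POSIX ACL check order."""
    ents = acl["entries"]
    mask = next((p for t, n, p in ents if t == "mask"), set("rwx"))
    if user == acl["owner"]:
        return want <= next(p for t, n, p in ents if t == "user" and not n), "user::"
    for t, n, p in ents:
        if t == "user" and n == user:
            return want <= (p & mask), f"user:{n}"
    hits = [(n, p & mask) for t, n, p in ents
            if t == "group" and (n or acl["group"]) in groups]
    for n, p in hits:
        if want <= p:
            return True, f"group:{n}"
    if hits:
        return False, "group class"
    return want <= next(p for t, n, p in ents if t == "other"), "other::"
```

This models only the filesystem-level POSIX ACL decision; share permissions and Samba's own ID mapping are evaluated separately.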




