[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator

Oliver development at kleinevogel.de
Wed Aug 3 12:33:30 UTC 2022 

Hello Rowland,

thanks for your reply on my message. I just could check your answers today.

Am 29.07.2022 um 19:05 schrieb Rowland Penny:
> You can get 4.16.1 from Debian 11 backports

Thanks for the information. I will try this out in a few days.

The reason why I choose a self-compiled installation is, that I will not 
get trouble when I run apt-get upgrade or other package installation 
tasks on the machines and get all the same versions on the machines.

>> - getent group / user
>> DOMAIN\domain users:x:10000:
>> DOMAIN\sec-admin-home-unix-domain-administrators:x:10001:
>> DOMAIN\sec-file-home-administrator:x:11000:
>> DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash
> No it isn't, so that is probably why it doesn't work.
>
> The user must be a member of the group that owns the directory and that
> group must hold the SeDiskOperatorPrivilege
>
> Rowland

Yes thanks that's true.  I did not know that the getend group command 
also list member of domain groups..

I think that's the main problem here. But I realy don't know why.

When I look up in the ADUC on my Windows Host, the user james.bond is 
member of the domain global group. And the domain global group is member 
of the domain local group, like that:

- james.bond -> Member of: sec-admin-home-fileshare-administrato

- sec-admin-home-fileshare-administrator -> Member of:

- sec-file-home-administrator  -> Assigned as ownergroup of Fileshare 
Directory

( I also put the user directly inside the sec-file-home-administrator an 
tested the szenario)


*All of them has an GID and can be find by getend, the output is:*

# getent user "DOMAIN\james.bond"

DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash


#  getent group "DOMAIN\\james.bond-group"

DOMAIN\james.bond-group:x:39999:


# getent group "DOMAIN\sec-admin-home-fileshare-administrator"

DOMAIN\sec-file-home-administrator:x:11000:


# getent group "DOMAIN\sec-admin-home-fileshare-administrator"

DOMAIN\sec-admin-home-fileshare-administrator:x:18888:


But the group members are not showing.. There for, the user can't setup 
the ACL permissions for the file. He is not authorized. Also the Domain 
Users group and every other group I fill with users is not showing them 
up. Even not, when added enum winbind in global section of smb.conf:

winbind enum users = yes

winbind enum groups = yes

winbind use default domain = yes


Did I miss anything or is something destroyed?

Can you give me some tips, how I can troubleshoot the issue in details.


My nsswitch.conf is:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns winss
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


Thanks,

Oliver

More information about the samba mailing list