[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
Oliver
development at kleinevogel.de
Wed Aug 3 12:33:30 UTC 2022
Hello Rowland,
thanks for your reply to my message. I could only check your answers today.
On 29.07.2022 at 19:05, Rowland Penny wrote:
> You can get 4.16.1 from Debian 11 backports
Thanks for the information. I will try this out in a few days.
The reason why I choose a self-compiled installation is that I will not
get trouble when I run apt-get upgrade or other package installation
tasks on the machines, and I get the same versions on all the machines.
>> - getent group / user
>> DOMAIN\domain users:x:10000:
>> DOMAIN\sec-admin-home-unix-domain-administrators:x:10001:
>> DOMAIN\sec-file-home-administrator:x:11000:
>> DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash
> No it isn't, so that is probably why it doesn't work.
>
> The user must be a member of the group that owns the directory and that
> group must hold the SeDiskOperatorPrivilege
>
> Rowland
Yes, thanks, that's true. I did not know that the getent group command
also lists members of domain groups.
I think that's the main problem here. But I really don't know why.
When I look it up in ADUC on my Windows host, the user james.bond is a
member of the domain global group. And the domain global group is a member
of the domain local group, like this:
- james.bond -> Member of: sec-admin-home-fileshare-administrato
- sec-admin-home-fileshare-administrator -> Member of:
- sec-file-home-administrator -> Assigned as ownergroup of Fileshare
Directory
(I also put the user directly inside the sec-file-home-administrator and
tested the scenario)
*All of them have a GID and can be found by getent; the output is:*
# getent user "DOMAIN\james.bond"
DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash
# getent group "DOMAIN\\james.bond-group"
DOMAIN\james.bond-group:x:39999:
# getent group "DOMAIN\sec-admin-home-fileshare-administrator"
DOMAIN\sec-file-home-administrator:x:11000:
# getent group "DOMAIN\sec-admin-home-fileshare-administrator"
DOMAIN\sec-admin-home-fileshare-administrator:x:18888:
But the group members are not showing. Therefore, the user can't set up
the ACL permissions for the file. He is not authorized. Also, the Domain
Users group and every other group I fill with users does not show them.
Not even when I added winbind enum to the global section of smb.conf:
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
Did I miss anything or is something destroyed?
Can you give me some tips on how I can troubleshoot the issue in detail?
My nsswitch.conf is:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind systemd
group: files winbind systemd
shadow: files
gshadow: files
hosts: files dns winss
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Thanks,
Oliver
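
The two conditions from Rowland's reply quoted above (the user is in the group that owns the directory, and that group holds SeDiskOperatorPrivilege), written as a check; this is an added example, not part of the original message. It compares against the GID list that `id -G` prints for the user, since the member field of `getent group` is empty in the output above; the sample `id -G` and `net rpc rights list` output and the share path are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Sample values are constructed;
# only the GIDs 39999 and 11000 and the group names come from the post.

# in_gid_list GID "GID GID ..." : succeeds if GID is in the list (id -G format)
in_gid_list() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# holds_privilege GROUP TEXT : succeeds if GROUP is a line of TEXT, the output
# of `net rpc rights list privileges SeDiskOperatorPrivilege`
holds_privilege() {
    printf '%s\n' "$2" | sed 's/^[[:space:]]*//' | grep -qixF -- "$1"
}

# check_acl_rights USER_GIDS DIR_GID OWNER_GROUP PRIV_TEXT
# Prints one line per unmet condition; returns 0 only if both are met.
check_acl_rights() {
    rc=0
    if ! in_gid_list "$2" "$1"; then
        printf '%s\n' "FAIL: user is not in the group (gid $2) that owns the directory"
        rc=1
    fi
    if ! holds_privilege "$3" "$4"; then
        printf '%s\n' "FAIL: $3 does not hold SeDiskOperatorPrivilege"
        rc=1
    fi
    [ "$rc" -eq 0 ] && printf '%s\n' "OK: both conditions met"
    return "$rc"
}

# Constructed `id -G` results: with and without the owning group resolved.
SAMPLE_GIDS_RESOLVED='39999 10000 18888 11000'
SAMPLE_GIDS_MISSING='39999 10000'
# Constructed privilege listing.
SAMPLE_PRIV='SeDiskOperatorPrivilege:
  BUILTIN\Administrators
  DOMAIN\sec-file-home-administrator'

check_acl_rights "$SAMPLE_GIDS_RESOLVED" 11000 'DOMAIN\sec-file-home-administrator' "$SAMPLE_PRIV"
check_acl_rights "$SAMPLE_GIDS_MISSING" 11000 'DOMAIN\sec-file-home-administrator' "$SAMPLE_PRIV" || true

# Live use (run on the file server; the share path is a placeholder):
#   check_acl_rights "$(id -G 'DOMAIN\james.bond')" "$(stat -c %g /path/to/share)" \
#       'DOMAIN\sec-file-home-administrator' \
#       "$(net rpc rights list privileges SeDiskOperatorPrivilege -U Administrator)"
```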