[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator

Oliver development at kleinevogel.de
Wed Aug 3 14:36:24 UTC 2022


I checked out this article, where you helped an askubuntu member with the 
same problem:

https://askubuntu.com/questions/1309659/samba-domain-member-not-pulling-ad-group-user-info


I followed your instructions and set winbind before systemd inside 
nsswitch.conf, like this:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns winss
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


On 03.08.2022 at 14:33, Oliver via samba wrote:
> Hello Rowland,
>
> thanks for your reply on my message. I just could check your answers 
> today.
>
> On 29.07.2022 at 19:05, Rowland Penny wrote:
>> You can get 4.16.1 from Debian 11 backports
>
> Thanks for the information. I will try this out in a few days.
>
> The reason why I chose a self-compiled installation is that I will 
> not get into trouble when I run apt-get upgrade or other package 
> installation tasks on the machines, and all the machines get the same 
> versions.
>
>>> - getent group / user
>>> DOMAIN\domain users:x:10000:
>>> DOMAIN\sec-admin-home-unix-domain-administrators:x:10001:
>>> DOMAIN\sec-file-home-administrator:x:11000:
>>> DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash
>> No it isn't, so that is probably why it doesn't work.
>>
>> The user must be a member of the group that owns the directory and that
>> group must hold the SeDiskOperatorPrivilege
>>
>> Rowland
>
> Yes, thanks, that's true.  I did not know that the getent group command 
> also lists members of domain groups.
>
> I think that's the main problem here. But I really don't know why.
>
> When I look in ADUC on my Windows host, the user james.bond is a 
> member of the domain global group, and the domain global group is a 
> member of the domain local group, like this:
>
> - james.bond -> Member of: sec-admin-home-fileshare-administrator
>
> - sec-admin-home-fileshare-administrator -> Member of:
>
> - sec-file-home-administrator  -> Assigned as ownergroup of Fileshare 
> Directory
>
> (I also put the user directly inside sec-file-home-administrator 
> and tested the scenario.)
>
>
> *All of them have a GID and can be found by getent; the output is:*
>
> # getent user "DOMAIN\james.bond"
>
> DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash
>
>
> #  getent group "DOMAIN\\james.bond-group"
>
> DOMAIN\james.bond-group:x:39999:
>
>
> # getent group "DOMAIN\sec-admin-home-fileshare-administrator"
>
> DOMAIN\sec-file-home-administrator:x:11000:
>
>
> # getent group "DOMAIN\sec-admin-home-fileshare-administrator"
>
> DOMAIN\sec-admin-home-fileshare-administrator:x:18888:
>
>
> But the group members are not showing. Therefore, the user can't 
> set up the ACL permissions for the file; he is not authorized. Also the 
> Domain Users group and every other group I fill with users does not 
> show them. Not even when I added the winbind enum settings in the 
> global section of smb.conf:
>
> winbind enum users = yes
>
> winbind enum groups = yes
>
> winbind use default domain = yes
>
>
> Did I miss anything, or is something destroyed?
>
> Can you give me some tips on how I can troubleshoot the issue in detail?
>
>
> My nsswitch.conf is:
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files winbind systemd
> group:          files winbind systemd
> shadow:         files
> gshadow:        files
>
> hosts:          files dns winss
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
>
> Thanks,
>
> Oliver
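The thread turns on two checks that are easy to get wrong by eye: whether nsswitch.conf consults winbind for passwd/group before systemd, and whether the user actually lands in the group that owns the share directory (the group Rowland says must also hold SeDiskOperatorPrivilege). The script below is an added diagnostic, not part of the thread or of the Samba project. It parses nsswitch.conf text, `getent group` output and the output of `id`, and reports the gaps. All sample inputs are constructed to mirror what Oliver posted; on a real domain member you would feed it `/etc/nsswitch.conf` and the live command output instead. Note that `getent group` from winbind shows empty member lists unless `winbind expand groups` is set in smb.conf, so membership is judged from `id` (the user's actual token), which is the check that matters for setting ACLs.

```python
"""Added diagnostic for the winbind / share-owner-group problem in this thread.
Not Samba project code; every input below is constructed sample data."""
import re

# Constructed: nsswitch.conf with the ordering Oliver posted (winbind before systemd).
NSSWITCH_OK = """\
passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
"""

# Constructed: the ordering that makes lookups stop at systemd before reaching winbind.
NSSWITCH_BAD = """\
passwd:         files systemd winbind
group:          files systemd winbind
"""

# Constructed `getent group` output: GIDs resolve, member lists are empty.
GETENT_GROUP = r"""DOMAIN\domain users:x:10000:
DOMAIN\sec-file-home-administrator:x:11000:
DOMAIN\sec-admin-home-fileshare-administrator:x:18888:
DOMAIN\james.bond-group:x:39999:
"""

# Constructed `id 'DOMAIN\james.bond'` output: the share owner group is absent from the token.
ID_OUTPUT = (r"uid=49999(DOMAIN\james.bond) gid=39999(DOMAIN\james.bond-group) "
             r"groups=39999(DOMAIN\james.bond-group),10000(DOMAIN\domain users)")

USER = r"DOMAIN\james.bond"
OWNER_GROUP = r"DOMAIN\sec-file-home-administrator"  # group owning the share directory


def parse_nsswitch(text):
    """Map each NSS database name to its ordered list of sources, ignoring comments."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = sources.split()
    return databases


def nsswitch_findings(text):
    """Report passwd/group databases where winbind is missing or shadowed by systemd."""
    findings = []
    databases = parse_nsswitch(text)
    for db in ("passwd", "group"):
        sources = databases.get(db, [])
        if "winbind" not in sources:
            findings.append(f"{db}: winbind is not listed")
        elif "systemd" in sources and sources.index("systemd") < sources.index("winbind"):
            findings.append(f"{db}: systemd is consulted before winbind")
    return findings


def parse_getent_group(text):
    """Parse `getent group` lines into name -> (gid, [members])."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4:
            continue
        name, _, gid, members = fields
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_id_groups(text):
    """Return the set of group names from the groups= section of `id` output."""
    match = re.search(r"groups=(.*)$", text)
    if not match:
        return set()
    return {name for _gid, name in re.findall(r"(\d+)\(([^)]*)\)", match.group(1))}


def membership_findings(user, owner_group, getent_text, id_text):
    """Check that the owner group resolves and that the user's token contains it."""
    findings = []
    groups = parse_getent_group(getent_text)
    if owner_group not in groups:
        findings.append(f"{owner_group}: not resolvable through NSS")
        return findings
    gid, members = groups[owner_group]
    if owner_group not in parse_id_groups(id_text):
        findings.append(f"{user}: not in {owner_group} (gid {gid}) according to id")
    if not members:
        # Expected with winbind unless `winbind expand groups` is set; informational only.
        findings.append(f"{owner_group}: getent lists no members (winbind expand groups unset?)")
    return findings


if __name__ == "__main__":
    for finding in nsswitch_findings(NSSWITCH_OK) + membership_findings(
            USER, OWNER_GROUP, GETENT_GROUP, ID_OUTPUT):
        print(finding)
```

Run against the constructed data it reports nothing for nsswitch.conf and flags that james.bond's token lacks the owner group, which matches Rowland's diagnosis; swapping in NSSWITCH_BAD shows the ordering problem from the askubuntu answer instead.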


