[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator

Rowland Penny rpenny at samba.org
Wed Aug 10 06:38:32 UTC 2022


On Wed, 2022-08-10 at 08:20 +0200, Oliver via samba wrote:
> On 09.08.2022 at 17:35, Rowland Penny via samba wrote:
> > On Tue, 2022-08-09 at 17:15 +0200, Oliver via samba wrote:
> > > Can I do some test, if there is winbind implemented correctly in
> > > my machine?
> > > 
> > > 
> > > On 04.08.2022 at 20:05, Rowland Penny via samba wrote:
> > > > If you do not have secrets.ldb and sam.ldb on a DC, then you
> > > > have really big problems. Have you checked if they exist or not ?
> > > Yes, they are not existing:
> > > 
> > > ls -ll /usr/local/samba/private/
> > > insgesamt 1012
> > > drwx------ 2 root root   4096  4. Aug 17:20 msg.sock
> > > -rw------- 1 root root  32768  3. Aug 14:27 netlogon_creds_cli.tdb
> > > -rw------- 1 root root 421888  4. Jul 17:11 passdb.tdb
> > > -rw------- 1 root root 577536 30. Jul 10:02 secrets.tdb
> > You appear to have a major problem, if I run a similar command on
> > one of my DC's, I get this:
> > 
> > pi at rpidc1:~ $ ls -ll /var/lib/samba/private/
> > total 20320
> > -rw-r----- 2 root bind     544 Mar 26  2021 dns.keytab
> > -rw------- 1 root root    2211 Jun 10  2021 dns_update_cache
> > -rw-r--r-- 1 root root    3663 Mar 26  2021 dns_update_list
> > -rw------- 1 root root      16 Mar 26  2021 encrypted_secrets.key
> > -rw------- 1 root root 1286144 Mar 26  2021 hklm.ldb
> > -rw------- 1 root root 4927488 Jul 23 12:07 idmap.ldb
> > -rw-r--r-- 1 root root     216 Mar 26  2021 krb5.conf
> > srwxrwxrwx 1 root root       0 Jul 30 14:34 ldapi
> > drwxr-x--- 2 root root    4096 Jul 30 14:34 ldap_priv
> > drwx------ 2 root root    4096 Aug  9 16:21 msg.sock
> > -rw------- 1 root root    4792 Jul 30 14:34 netlogon_creds_cli.tdb
> > -rw------- 1 root root  421888 Mar 26  2021 passdb.tdb
> > -rw------- 1 root root 1286144 May  7  2021 privilege.ldb
> > -rw------- 1 root root 4694016 Mar 26  2021 sam.ldb
> > drwx------ 2 root root    4096 Apr 24  2021 sam.ldb.d
> > -rw------- 1 root root   12288 Aug  5 10:16 schannel_store.tdb
> > -rw------- 1 root root     785 Mar 26  2021 secrets.keytab
> > -rw------- 1 root root 1286144 Mar 26  2021 secrets.ldb
> > -rw------- 1 root root  430080 Mar 26  2021 secrets.tdb
> > -rw------- 1 root root 1286144 Mar 26  2021 share.ldb
> > drwxr-xr-x 2 root root    4096 Mar 26  2021 smbd.tmp
> > -rw-r--r-- 1 root root     955 Mar 26  2021 spn_update_list
> > drwxr-xr-x 2 root root    4096 Apr 15  2021 tls
> > 
> > Was this DC provisioned, or another DC you have joined to an
> > existing domain ?
> > 
> > Rowland
> 
> I only have got DC1, DC2 and DC3, all of them are built by myself.
> 
> I got the same files as you, but only on my DC1, which holds the
> FSMO Roles.
> 
> DC2 + DC3 which have to work for filesharing are getting these files:
> 
> ls -ll /usr/local/samba/private/
> insgesamt 1012
> drwx------ 2 root root   4096  4. Aug 17:20 msg.sock
> -rw------- 1 root root  32768  3. Aug 14:27 netlogon_creds_cli.tdb
> -rw------- 1 root root 421888  4. Jul 17:11 passdb.tdb
> -rw------- 1 root root 577536 30. Jul 10:02 secrets.tdb
> 
> 
> Did I maybe understand something wrong?:
> - DC1 has a totally different and shorter smb.conf than DC2 and DC3
> - Only the DC2 + DC3 have security = ADS with the whole options of
> idmap and usermap in smb.conf

Sorry to be the bearer of bad news, but if 'security = ADS' is set in
smb.conf on DC2 and DC3, then they are not DC's, they are Unix domain
members, how did you join them ?

> - DC1 has BIND 9.18 DLZ Backend for DNS integrated.
> 
> Can I add my .conf files as an attachment if needed?

No, you would have to post them inline, this list strips attachments.

Rowland
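
Added example, not part of the original message and not Samba project code: a shell check for the distinction made in the thread, that an AD DC has sam.ldb and secrets.ldb in its private directory while 'security = ADS' in smb.conf marks a domain member. The function names and the sample layout are constructed for illustration; 'server role' is the smb.conf parameter assumed here to mark a DC.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a Samba host as AD DC or
# domain member from smb.conf plus the contents of the private directory.

# Print the [global] value of one parameter, lower-cased. Names are compared
# case-insensitively with whitespace removed.
smb_param() {  # $1 = smb.conf path, $2 = parameter name
    awk -v want="$2" '
        BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /\[global\]/); next }
        in_global && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = tolower(val)
        }
        END { print found }' "$1"
}

# Prints one of: dc | member | inconsistent | unknown
samba_role_check() {  # $1 = smb.conf path, $2 = private directory
    role=$(smb_param "$1" "server role")
    sec=$(smb_param "$1" "security")
    ad_db=no
    if [ -f "$2/sam.ldb" ] && [ -f "$2/secrets.ldb" ]; then ad_db=yes; fi
    case "$role" in
        "active directory domain controller") conf=dc ;;
        "member server")                      conf=member ;;
        *) if [ "$sec" = "ads" ]; then conf=member; else conf=unknown; fi ;;
    esac
    case "$conf:$ad_db" in
        dc:yes)    echo dc ;;
        member:no) echo member ;;
        unknown:*) echo unknown ;;
        *)         echo inconsistent ;;   # config and databases disagree
    esac
}

# Constructed sample: the private directory reported for DC2/DC3 in the thread.
demo=$(mktemp -d)
mkdir "$demo/private"
touch "$demo/private/passdb.tdb" "$demo/private/secrets.tdb"
printf '[global]\n    security = ADS\n' > "$demo/smb.conf"
samba_role_check "$demo/smb.conf" "$demo/private"
rm -rf "$demo"
```

Run samba_role_check against the host's real smb.conf and its private directory, for example the /usr/local/samba/private/ path shown in the thread.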




