[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator

Rowland Penny rpenny at samba.org
Wed Aug 10 09:52:26 UTC 2022


On Wed, 2022-08-10 at 10:43 +0200, Oliver via samba wrote:
> Am 10.08.2022 um 08:38 schrieb Rowland Penny via samba:
> > Sorry to be the bearer of bad news, but if 'security = ADS' is set in
> > smb.conf on DC2 and DC3, then they are not DC's, they are Unix domain
> > members, how did you join them ?
> 
> I joined both members with :
> 
> # net ads join -U administrator

If you wanted DC's, it should have been:

samba-tool domain join ${AD_DNSDOMAIN} DC -UAdministrator --realm=${AD_KERBEROS_REALM}

> 
> Because of the static IP in the network adapter settings, I manually created the
> reverse PTR record in the reverse DNS zone via RSAT.
> 
> When I run testjoin, I also get errors about the ldb files...
> 
> root@member1:~# net ads testjoin -d 3
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface eth0 ip=192.168.188.24 bcast=192.168.188.255 netmask=255.255.255.0
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface eth0 ip=192.168.188.24 bcast=192.168.188.255 netmask=255.255.255.0
> ldb: ltdb: tdb(/usr/local/samba/private/secrets.ldb): tdb_open_ex: could not open file /usr/local/samba/private/secrets.ldb: Datei oder Verzeichnis nicht gefunden
> 
> ldb: Unable to open tdb '/usr/local/samba/private/secrets.ldb': Datei oder Verzeichnis nicht gefunden
> ldb: Failed to connect to '/usr/local/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/usr/local/samba/private/secrets.ldb': Datei oder Verzeichnis nicht gefunden
> Failed to create cldap tsocket_address for  - NT_STATUS_ACCESS_DENIED
> ads_try_connect: CLDAP request  failed.
> get_dc_list: preferred server list: ", *"
> Successfully contacted LDAP server 192.168.188.5
> get_dc_list: preferred server list: ", *"
> get_dc_list: preferred server list: ", *"
> Failed to create cldap tsocket_address for  - NT_STATUS_OBJECT_NAME_COLLISION
> ads_try_connect: CLDAP request  failed.
> Failed to create cldap tsocket_address for  - NT_STATUS_OBJECT_NAME_COLLISION
> ads_try_connect: CLDAP request  failed.
> get_dc_list: preferred server list: ", *"
> Successfully contacted LDAP server 192.168.188.5
> get_dc_list: preferred server list: ", *"
> get_dc_list: preferred server list: ", *"
> Successfully contacted LDAP server 192.168.188.5
> Connecting to 192.168.188.5 at port 389
> Connected to LDAP server dc1.domain.home
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Join is OK
> return code = 0

Your problem is that they are Unix domain members and not DC's.

Do you want DC's ?
If so, remove the two Unix domain members and start again.

Rowland
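An added check, not part of Rowland's reply or of Samba itself: a small POSIX shell/awk helper that reads the [global] section of an smb.conf and reports whether the host is configured as a Unix domain member (the `security = ADS` case described above, joined with `net ads join`) or as an AD DC (`server role = active directory domain controller`, joined with `samba-tool domain join ... DC`). The two sample configurations are constructed for the demonstration, not the poster's files.

```shell
#!/bin/sh
# Hypothetical helper: classify a Samba host from its smb.conf [global] section.
# Per the thread: "security = ads" marks a Unix domain member, not a DC; only
# "server role = active directory domain controller" makes the host an AD DC.
samba_role_from_conf() {
    awk '
        /^[[:space:]]*[;#]/ { next }                     # skip comment lines
        /^[[:space:]]*\[/ {                              # section header: track [global]
            in_global = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/)
            next
        }
        in_global && index($0, "=") > 0 {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/[[:space:]]/, "", key)                 # "server role" -> "serverrole"
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            if (key == "serverrole") role = val
            if (key == "security")   sec  = val
        }
        END {
            if (sec == "ads")                                       print "member"
            else if (role == "active directory domain controller")  print "dc"
            else                                                    print "other"
        }
    ' "$1"
}

# Constructed sample configurations (not from the original post).
MEMBER_CONF=$(mktemp); DC_CONF=$(mktemp)
cat > "$MEMBER_CONF" <<'EOF'
[global]
   workgroup = DOMAIN
   realm = DOMAIN.HOME
   security = ADS
[share]
   path = /srv/share
EOF
cat > "$DC_CONF" <<'EOF'
[global]
   realm = DOMAIN.HOME
   server role = active directory domain controller
[sysvol]
   path = /srv/sysvol
EOF
echo "member1: $(samba_role_from_conf "$MEMBER_CONF")"   # member
echo "dc1:     $(samba_role_from_conf "$DC_CONF")"       # dc
```

A host that reports "member" here was joined as a domain member, which is the situation Rowland describes; it cannot be turned into a DC by editing smb.conf alone.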
