[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator

Oliver development at kleinevogel.de
Wed Aug 10 10:20:46 UTC 2022


On 10.08.2022 at 11:52, Rowland Penny via samba wrote:
> On Wed, 2022-08-10 at 10:43 +0200, Oliver via samba wrote:
>> On 10.08.2022 at 08:38, Rowland Penny via samba wrote:
>>> Sorry to be the bearer of bad news, but if 'security = ADS' is set
>>> in smb.conf on DC2 and DC3, then they are not DC's, they are Unix
>>> domain members, how did you join them ?
>> I joined both members with :
>>
>> # net ads join -U administrator
> If you wanted DC's, it should have been:
>
> samba-tool domain join ${AD_DNSDOMAIN} DC -UAdministrator --realm=${AD_KERBEROS_REALM}
>
>> Because of the static IP in the network adapter settings, I manually created the
>> reverse PTR record in the reverse DNS zone via RSAT.
>>
>> When I run testjoin, I also get errors on the ldb files...
>>
>> root@member1:~#  net ads testjoin -d 3
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>> (16384)
>> Processing section "[global]"
>> added interface lo ip=127.0.0.1 bcast=127.255.255.255
>> netmask=255.0.0.0
>> added interface eth0 ip=192.168.188.24 bcast=192.168.188.255
>> netmask=255.255.255.0
>> Registered MSG_REQ_POOL_USAGE
>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>> added interface lo ip=127.0.0.1 bcast=127.255.255.255
>> netmask=255.0.0.0
>> added interface eth0 ip=192.168.188.24 bcast=192.168.188.255
>> netmask=255.255.255.0
>> ldb: ltdb: tdb(/usr/local/samba/private/secrets.ldb): tdb_open_ex: could
>> not open file /usr/local/samba/private/secrets.ldb: No such file or directory
>>
>> ldb: Unable to open tdb '/usr/local/samba/private/secrets.ldb': No such
>> file or directory
>> ldb: Failed to connect to '/usr/local/samba/private/secrets.ldb' with
>> backend 'tdb': Unable to open tdb
>> '/usr/local/samba/private/secrets.ldb': No such file or directory
>> Failed to create cldap tsocket_address for  - NT_STATUS_ACCESS_DENIED
>> ads_try_connect: CLDAP request  failed.
>> get_dc_list: preferred server list: ", *"
>> Successfully contacted LDAP server 192.168.188.5
>> get_dc_list: preferred server list: ", *"
>> get_dc_list: preferred server list: ", *"
>> Failed to create cldap tsocket_address for  -
>> NT_STATUS_OBJECT_NAME_COLLISION
>> ads_try_connect: CLDAP request  failed.
>> Failed to create cldap tsocket_address for  -
>> NT_STATUS_OBJECT_NAME_COLLISION
>> ads_try_connect: CLDAP request  failed.
>> get_dc_list: preferred server list: ", *"
>> Successfully contacted LDAP server 192.168.188.5
>> get_dc_list: preferred server list: ", *"
>> get_dc_list: preferred server list: ", *"
>> Successfully contacted LDAP server 192.168.188.5
>> Connecting to 192.168.188.5 at port 389
>> Connected to LDAP server dc1.domain.home
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'naclrpc_as_system' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'ntlmssp_resume_ccache' registered
>> GENSEC backend 'http_basic' registered
>> GENSEC backend 'http_ntlm' registered
>> GENSEC backend 'http_negotiate' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> Join is OK
>> return code = 0
> Your problem is that they are Unix domain members and not DC's.
>
> Do you want DC's ?
> If so, remove the two Unix domain members and start again.
>
> Rowland


No, I would like one as DC and two as domain members, to share files. 
These members have to take the users and groups for the share and ACL 
permissions, set up from a Windows client, from the DC.

The DC doesn't need to be a file server.


Oliver
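For the setup Oliver describes (one DC, two Unix domain members serving shares whose ACLs are managed from a Windows client), the member's smb.conf needs more than the bare `security = ADS` join: an idmap backend so AD users and groups get stable Unix IDs, plus `vfs objects = acl_xattr` and `map acl inherit = yes` so ACLs set from Windows are actually stored and inherited. The script below is an added example for this thread, not Samba's own tooling or anything posted in it: it lints an smb.conf for those settings and runs itself against two constructed sample configs (a minimal one like a plain `net ads join` leaves behind, and a completed one). The parameter names are real smb.conf parameters; the workgroup `DOMAIN`, the realm `DOMAIN.HOME` (derived from the `dc1.domain.home` in the log above), the share `[data]`, the paths and the id ranges are assumptions for illustration.

```shell
#!/bin/sh
# Lint an smb.conf for the settings a Unix domain member (not a DC) needs in order
# to serve shares with AD users/groups and Windows-managed ACLs.
# Added example for this thread; not Samba's own code. Sample configs and names below
# are constructed.

check_member_conf() {
    conf="$1"
    missing=0
    # One check per line: human label | ERE matched case-insensitively at line start.
    while IFS='|' read -r label pattern; do
        if ! grep -Eiq "^[[:space:]]*$pattern" "$conf"; then
            echo "missing: $label"
            missing=$((missing + 1))
        fi
    done <<'EOF'
security = ADS (domain member, not a DC)|security[[:space:]]*=[[:space:]]*ads[[:space:]]*$
realm|realm[[:space:]]*=[[:space:]]*[^[:space:]]
workgroup|workgroup[[:space:]]*=[[:space:]]*[^[:space:]]
idmap config * : backend = tdb (default range for BUILTIN etc.)|idmap config[[:space:]]*[*][[:space:]]*:[[:space:]]*backend[[:space:]]*=[[:space:]]*tdb
idmap config DOMAIN : backend = rid or ad (stable IDs for domain users/groups)|idmap config[[:space:]]*[^*[:space:]]+[[:space:]]*:[[:space:]]*backend[[:space:]]*=[[:space:]]*(rid|ad)
vfs objects = acl_xattr (store Windows ACLs as xattrs)|vfs objects[[:space:]]*=.*acl_xattr
map acl inherit = yes (honour inheritance set from Windows)|map acl inherit[[:space:]]*=[[:space:]]*yes
EOF
    [ "$missing" -eq 0 ]
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: what a member looks like right after 'net ads join' with only
# the join parameters set. Users resolve, but ACLs set from Windows are not persisted.
cat >"$tmp/minimal.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   realm = DOMAIN.HOME
   security = ADS

[data]
   path = /srv/samba/data
   read only = no
EOF

# Constructed sample: the same member with idmap and ACL settings filled in.
# The 'rid' backend derives the Unix ID from the SID RID, so both members map the
# same AD user to the same UID without any extra attributes in AD.
cat >"$tmp/member.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   realm = DOMAIN.HOME
   security = ADS
   winbind use default domain = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 10000-999999
   vfs objects = acl_xattr
   map acl inherit = yes

[data]
   path = /srv/samba/data
   read only = no
EOF

echo "== minimal.conf"
check_member_conf "$tmp/minimal.conf" || echo "not ready for Windows-managed ACLs"
echo "== member.conf"
check_member_conf "$tmp/member.conf" && echo "ok"
```

Run it against the real file with `check_member_conf /usr/local/samba/etc/smb.conf` (or wherever `testparm -v | grep 'config file'` says it lives) before re-joining. Two things the lint cannot see, and which this thread does not cover: the share's filesystem must be mounted with user extended attributes and POSIX ACLs enabled for `acl_xattr` to store anything, and the Windows account that edits the share's security tab must hold SeDiskOperatorPrivilege on the member, which Samba grants with `net rpc rights grant`.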
