[Samba] Share access error

Rowland Penny rpenny at samba.org
Sat Dec 10 19:02:29 UTC 2022



On 10/12/2022 18:38, Luis Peromarta via samba wrote:
> Contingency server (4.17.3):
> 
> root@servercont:/home2# ls -lad /home2/shares
> drwxrwx---+ 23 luis domain admins 4096 Nov 17 14:17 /home2/shares
> 
> root@servercont:/home2# getfacl /home2/shares
> getfacl: Removing leading '/' from absolute path names
> # file: home2/shares
> # owner: luis
> # group: domain\040admins
> user::rwx
> user:luis:rwx
> group::rwx
> group:domain\040users:r-x
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:luis:rwx
> default:group::---
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
> 
> root@servercont:/home2# samba-tool ntacl get /home2/shares --as-sddl
> O:S-1-5-21-2152908145-95474353-1514027631-1110G:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;CI;0x001200a9;;;DU)
> root@servercont:/home2#

From Windows, members of Domain Admins get full control and Domain 
Users get read and execute. The user 'luis' is probably just a member of 
Domain Users and so cannot write to the share.

> 
> Main server (4.9.5):
> 
> server:/home2# ls -lad /home2/shares
> drwxrwx---+ 23 luis domain admins 4096 Nov 17 14:17 /home2/shares
> server:/home2# getfacl /home2/shares
> getfacl: Removing leading '/' from absolute path names
> # file: home2/shares
> # owner: luis
> # group: domain\040admins
> user::rwx
> user:luis:rwx
> group::rwx
> group:domain\040users:r-x
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:luis:rwx
> default:group::---
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
> 
> server:/home2# samba-tool ntacl get /home2/shares --as-sddl
> ERROR: Unable to read domain SID from configuration files
> server:/home2#

Hmm, why doesn't that work?
Are you running it as root?

I have been taking another look at the smb.conf you posted and noticed a 
couple of things:

You have,

vfs objects = fruit streams_xattr

and then a bit further down,

vfs objects = acl_xattr

The latter takes precedence over the first, or to put it another way, 
the first one will be ignored.

You have also commented out the 'username map' line, why?

Rowland
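
The SDDL string quoted from the contingency server can be decoded to check the reading of the ACL given in the reply. The Python below is an added example, not part of the original message or of Samba; the function names are hypothetical, and it handles only hexadecimal access masks and allow/deny ACEs, as in the string from the thread.

```python
import re

# Windows file access-mask bits (values from winnt.h).
FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE = 0x1, 0x2, 0x20
SDDL_RE = re.compile(
    r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")

# The string printed by samba-tool on the contingency server, copied from the thread.
SDDL = ("O:S-1-5-21-2152908145-95474353-1514027631-1110G:DAD:PAI"
        "(A;OICI;0x001f01ff;;;DA)(A;CI;0x001200a9;;;DU)")


def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string into owner, group, DACL flags and ACEs."""
    m = SDDL_RE.fullmatch(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL layout")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")
        if ace_type not in ("A", "D") or not rights.lower().startswith("0x"):
            raise ValueError(f"unsupported ACE: {body}")
        aces.append({"allow": ace_type == "A",
                     "flags": re.findall("..", flags),  # OI, CI, IO, ...
                     "mask": int(rights, 16), "sid": sid})
    return {"owner": m["owner"], "group": m["group"],
            "protected": "P" in m["flags"], "aces": aces}


# Assumption: the owner's implicit rights and any POSIX-side checks Samba
# applies are ignored; inherit-only (IO) ACEs do not apply to the object itself.
def granted_mask(aces, trustees):
    """Walk the DACL in order for a token holding `trustees` (SIDs or aliases)."""
    granted = denied = 0
    for ace in aces:
        if ace["sid"] not in trustees or "IO" in ace["flags"]:
            continue
        if ace["allow"]:
            granted |= ace["mask"] & ~denied
        else:
            denied |= ace["mask"] & ~granted
    return granted


if __name__ == "__main__":
    for who in ({"DU"}, {"DU", "DA"}):
        mask = granted_mask(parse_sddl(SDDL)["aces"], who)
        print(sorted(who), hex(mask), "write:", bool(mask & FILE_WRITE_DATA))
```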


