[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator

Development Kleinevogel.de development at kleinevogel.de
Fri Jul 29 16:08:08 UTC 2022


Dear all,
 
I set up my Debian 11.1 and Ubuntu 22.04 machines as Domain Members (ADS) with Samba 4.15.5, connected to my quite new Samba 4.15.5 PDC, and want to use them as file servers with Windows ACLs. On all of them, I compiled Samba myself.
 
Hope you can give me some tips to get my new environment to work.
 
You will find my error log, troubleshooting steps and smb config at the end of this message.
 
The error message in Windows when I do not use the Administrator account:
"Error applying security
An error occurred while applying security information to:
\\kvstorage01\Demo-01
Failed to enumerate objects in the container. Access is denied."
 
The problem is
- that I can't set up the ACL permissions on the top of the share via the security tab of the Windows compmgmt.msc from my Windows 10 domain member as any user other than Domain\\Administrator.
- I can change / add share permissions for domain local security groups I created myself when I use the Domain Administrator.
- I haven't tested creating or adding folders to / inside the share yet.
- Later, I will try to symlink directories from another mount point inside the shared folder.
 
The domain has a full A-G-DL-P structure for future experiments on my side.
- The user james.bond is a member of the global group and has his own uid 49999 and gid 39999
- The global group sec-admin-home-fileshare-administrator is a member of the domain local group
- The domain local group sec-file-home-administrator has gid 11000 and is assigned for the file permissions of the share folder in Linux
- There is a created domain global group sec-admin-home-unix-domain-administrators; this has gid 10001 and is a member of Domain\\Administrators
 
 
##########################################
My errors in /var/log/samba/192.168.188.91.log
 
[2022/07/29 13:50:01.941609, 3] ../../source3/smbd/nttrans.c:2224(smbd_do_query_security_desc)
smbd_do_query_security_desc: sd_size = 108.
[2022/07/29 13:50:01.943333, 3] ../../source3/smbd/nttrans.c:2224(smbd_do_query_security_desc)
smbd_do_query_security_desc: sd_size = 64.
[2022/07/29 13:50:01.945291, 3] ../../source3/smbd/dir.c:1031(smbd_dirptr_get_entry)
smbd_dirptr_get_entry mask=[*] found . fname=. (.)
[2022/07/29 13:50:01.946070, 3] ../../source3/smbd/dir.c:1031(smbd_dirptr_get_entry)
smbd_dirptr_get_entry mask=[*] found .. fname=.. (..)
[2022/07/29 13:50:01.946522, 3] ../../source3/smbd/smb2_server.c:3953(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[STATUS_NO_MORE_FILES] || at ../../source3/smbd/smb2_query_directory.c:160
[2022/07/29 13:50:01.953769, 1] ../../source3/smbd/posix_acls.c:2962(set_canon_ace_list)
set_canon_ace_list: sys_acl_set_file on file [.]: (Die Operation ist nicht erlaubt)
[2022/07/29 13:50:01.953947, 3] ../../source3/smbd/posix_acls.c:3689(set_nt_acl)
set_nt_acl: failed to set file acl on file . (Die Operation ist nicht erlaubt).
[2022/07/29 13:50:01.954098, 3] ../../source3/smbd/smb2_server.c:3953(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_setinfo.c:137
 
##########################################
My troubleshooting steps:
 
- SeDiskOperatorPrivilege
net rpc rights list privileges SeDiskOperatorPrivilege -U "Administrator"
Password for [DOMAIN\Administrator]:
SeDiskOperatorPrivilege:
DOMAIN\sec-file-home-administrator
BUILTIN\Administrators
DOMAIN\sec-admin-home-unix-domain-administrators
DOMAIN\james.bond
 
- wbinfo -u
DOMAIN\administrator
DOMAIN\svc-linuxreader-krb
DOMAIN\dns-kvaddc01
DOMAIN\james.bond
DOMAIN\guest
DOMAIN\krbtgt
DOMAIN\svc-linuxreader-ldap
DOMAIN\svc-nextcloud-ldap
-> I only created the svc-* accounts and the james.bond user. Only james.bond has a gid.
 
- getent group / user
DOMAIN\domain users:x:10000:
DOMAIN\sec-admin-home-unix-domain-administrators:x:10001:
DOMAIN\sec-file-home-administrator:x:11000:
DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash
DOMAIN\james.bond-group:x:39999:

- smbd -b | grep HAVE_LIBACL
HAVE_LIBACL
 
- testparm -sv | grep acl
Load smb config files from /usr/local/samba/etc/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER
acl allow execute always = No
acl check permissions = Yes
acl flag inherited canonicalization = Yes
acl group control = No
acl map full control = Yes
force unknown acl user = No
inherit acls = No
map acl inherit = No
nt acl support = Yes
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes

- ls -ll /media/fileshare/
drwxrwx--- 2 root Domain\sec-file-home-administrator 4096 29. Jul 06:03 Demo-01
 
- set and get acl in the filesystem
setfacl -m u:root:-,g:"DOMAIN\\sec-file-home-administrator":rw /media/fileshare/test.txt
getfacl /media/fileshare/test.txt
# file: media/fileshare/test.txt
# owner: root
# group: root
user::rw-
user:root:---
group::r--
group:DOMAIN\\sec-file-home-administrator:rw-
mask::rw-
other::r--
 
##########################################
My smb.conf
 
[global]
netbios name = KVSTORAGE01
security = ADS
workgroup = DOMAIN
realm = DOMAIN.HOME
log file = /var/log/samba/%m.log
log level = 3 passdb:5 auth:5
bind interfaces only = yes
interfaces = lo enp2s0f0

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the DOMAIN domain
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-49999
idmap config DOMAIN:unix_nss_info = yes
idmap config DOMAIN:unix_primary_group = yes
 
# Enable winbindd ENUM for full NSSwitch lookups by "getent passwd" or
# "getent group"
# - Slows down the lookups with large numbers of users and groups
# - Only for testing and troubleshooting
# winbind enum users = yes
# winbind enum groups = yes
# - default domain = yes enable as last try to fix things..
# winbind use default domain = yes
# User Mapping for Overwriting Dom Users to
# Local System Users such as root!
username map = /usr/local/samba/etc/user.map
 
# Workaround for bug:
# Enable local root UID for Administrator user mapping
# Set min UID = 0 because of a bug in Samba
# https://community.spiceworks.com/topic/2339542-samba-file-sharing-stopped-working-nt-error-315-invalid-token
min domain uid = 0
 
# Enable ACL Support by setting on a Windows Network Client.
# Helps users to set permissions on new folders and files through Windows
vfs objects = acl_xattr
map acl inherit = Yes
 
# Allow Symlinks
# unix extensions = no
# follow symlinks = yes
# wide links = yes
 
#======================= Share Definitions =======================
[Demo-01]
# comment = Demo Share für authorisierte Benutzer
path = /media/fileshare/Demo-01/
read only = no
acl_xattr:ignore system acls = yes
# hide unreadable = Yes
# access based share enum = Yes
# browseable = yes
vfs objects = full_audit

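An added check (example code, not from the post): in smb.conf a parameter set in a share section replaces the [global] value for that share, so a share-level `vfs objects` line discards the global module list rather than extending it. The script below parses a constructed smb.conf excerpt mirroring the posted one (the `[Demo-02]` share is hypothetical) and reports, per share, which global VFS modules are not in effect and which `module:option` settings refer to a module that is not loaded there.

```python
import configparser

# Constructed smb.conf excerpt mirroring the posted one (hypothetical, not a live file).
SAMPLE_SMB_CONF = """[global]
vfs objects = acl_xattr

[Demo-01]
path = /media/fileshare/Demo-01/
acl_xattr:ignore system acls = yes
vfs objects = full_audit

[Demo-02]
path = /media/fileshare/Demo-02/
acl_xattr:ignore system acls = yes
"""

def load_smb_conf(text):
    # Only '=' separates key and value: module options like
    # 'acl_xattr:ignore system acls' contain ':' in the key itself.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False,
                                      interpolation=None, allow_no_value=True)
    cp.read_string(text)
    return cp

def effective_vfs_objects(cp, share):
    """Module list smbd loads for `share`: a share-level 'vfs objects'
    replaces the [global] list entirely instead of extending it."""
    section = share if cp.has_option(share, "vfs objects") else "global"
    return cp.get(section, "vfs objects", fallback="").split()

def audit_vfs_objects(text):
    """Return {share: [warnings]} for shares that silently lost a global
    module, or that set options for a module that is not loaded there."""
    cp = load_smb_conf(text)
    global_mods = effective_vfs_objects(cp, "global")
    findings = {}
    for share in cp.sections():
        if share == "global":
            continue
        mods = effective_vfs_objects(cp, share)
        warnings = [f"global module '{m}' is not loaded for this share"
                    for m in global_mods if m not in mods]
        for key in cp.options(share):
            # 'module:option' keys only take effect when that module is loaded
            mod, sep, _ = key.partition(":")
            if sep and mod not in mods:
                warnings.append(f"option '{key}' set but module '{mod}' is not loaded")
        if warnings:
            findings[share] = warnings
    return findings
```

Run it against the real file with `audit_vfs_objects(open("/usr/local/samba/etc/smb.conf").read())`; `testparm -s` output works as input too, since it prints the fully resolved configuration.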
