[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator

Rowland Penny rpenny at samba.org
Fri Jul 29 17:05:03 UTC 2022


On Fri, 2022-07-29 at 18:08 +0200, Development Kleinevogel.de via samba
wrote:
> Dear all,
>  
> I set up my Debian 11.1

You can get 4.16.1 from Debian 11 backports
 
> and Ubuntu 22.04 as Domain Members (ADS) with Samba 4.15.5, connected
> to my quite new Samba 4.15.5 PDC

I could say 'that is your problem' but I think you mean 'first DC', all
DCs are equal except for the FSMO roles.

> and want to use them as Fileserver with Windows ACLs. For all of
> them, I compiled them by myself.

Why?

>  
> Hope you can give me some tips to get my new environment to work.
>  
> You will find my error log, troubleshooting steps and smb config at
> the end of this message.
>  
> The error message in Windows, when I did not use the Administrator
> account:
> "Error applying security
> An error occurred while applying security information to:
> \\kvstorage01\Demo-01
> Failed to enumerate objects in the container. Access is denied."

The Linux for that is 'You do not have the required permissions'

>  
> The problem is
> - that I can't set up the ACL permissions on the top of the share via
> the Windows compmgmt.msc in the security tab from my Windows 10
> Domain Member as another user than Domain\\Administrator.
> - I can change / add share permissions to my self-created domain local
> security groups when I use the Domain Administrator
> - I haven't tested creating or adding folders to / inside the share yet.
> - Later, I will try to symlink directories from another mountpoint
> inside the sharing folder.
>  
> The domain has a full A-G-DL-P structure for future experiences on
> my side.
> - The user james.bond is a member of the global group and has got its own
> uid 49999 and gid 39999
> - The global group sec-admin-home-fileshare-administrator is a member
> of the domain local group
> - The domain local group sec-file-home-administrator has gid 11000
> and is assigned for file permissions of the share folder in Linux
> - There is a created domain global group
> sec-admin-home-unix-domain-administrators, this
> has gid 10001 and is a member of Domain\\Administrators
>  
>  
> ##########################################
> My errors in /var/log/samba/192.168.188.91.log
>  
> [2022/07/29 13:50:01.941609, 3]
> ../../source3/smbd/nttrans.c:2224(smbd_do_query_security_desc)
> smbd_do_query_security_desc: sd_size = 108.
> [2022/07/29 13:50:01.943333, 3]
> ../../source3/smbd/nttrans.c:2224(smbd_do_query_security_desc)
> smbd_do_query_security_desc: sd_size = 64.
> [2022/07/29 13:50:01.945291, 3]
> ../../source3/smbd/dir.c:1031(smbd_dirptr_get_entry)
> smbd_dirptr_get_entry mask=[*] found . fname=. (.)
> [2022/07/29 13:50:01.946070, 3]
> ../../source3/smbd/dir.c:1031(smbd_dirptr_get_entry)
> smbd_dirptr_get_entry mask=[*] found .. fname=.. (..)
> [2022/07/29 13:50:01.946522, 3]
> ../../source3/smbd/smb2_server.c:3953(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5]
> status[STATUS_NO_MORE_FILES] || at
> ../../source3/smbd/smb2_query_directory.c:160
> [2022/07/29 13:50:01.953769, 1]
> ../../source3/smbd/posix_acls.c:2962(set_canon_ace_list)
> set_canon_ace_list: sys_acl_set_file on file [.]: (Die Operation ist
> nicht erlaubt)
> [2022/07/29 13:50:01.953947, 3]
> ../../source3/smbd/posix_acls.c:3689(set_nt_acl)
> set_nt_acl: failed to set file acl on file . (Die Operation ist nicht
> erlaubt).
> [2022/07/29 13:50:01.954098, 3]
> ../../source3/smbd/smb2_server.c:3953(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_ACCESS_DENIED] || at
> ../../source3/smbd/smb2_setinfo.c:137
>  
> ##########################################
> My troubleshooting steps:
>  
> - SeDiskOperatorPrivilege
> net rpc rights list privileges SeDiskOperatorPrivilege -U
> "Administrator"
> Password for [DOMAIN\Administrator]:
> SeDiskOperatorPrivilege:
> DOMAIN\sec-file-home-administrator
> BUILTIN\Administrators
> DOMAIN\sec-admin-home-unix-domain-administrators
> DOMAIN\james.bond
>  
> - wbinfo -u
> DOMAIN\administrator
> DOMAIN\svc-linuxreader-krb
> DOMAIN\dns-kvaddc01
> DOMAIN\james.bond
> DOMAIN\guest
> DOMAIN\krbtgt
> DOMAIN\svc-linuxreader-ldap
> DOMAIN\svc-nextcloud-ldap
> -> I only created the svc-* users and the james.bond user. Only
> james.bond has a gid.

You are using the 'ad' idmap backend, so I take it that the gid is for
the 'sec-file-home-administrator' group.
 
>  
> - getent group / user
> DOMAIN\domain users:x:10000:
> DOMAIN\sec-admin-home-unix-domain-administrators:x:10001:
> DOMAIN\sec-file-home-administrator:x:11000:
> DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash

No it isn't, so that is probably why it doesn't work.

The user must be a member of the group that owns the directory and that
group must hold the SeDiskOperatorPrivilege.

Rowland
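The two prerequisites Rowland names (the user belongs to the group that owns the share directory, and that group holds SeDiskOperatorPrivilege) can be checked on the domain member before touching the Windows security tab. The script below is an added example, not code from the thread or from Samba; the `getent group` and `net rpc rights` output embedded in it is constructed to mirror the values quoted in the thread, and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not part of the thread): verify the two conditions for
# setting a Windows ACL on a Samba share from a non-Administrator account.
# On a real domain member, replace the constructed strings below with:
#   GETENT_GROUP=$(getent group)
#   RIGHTS_OUT=$(net rpc rights list privileges SeDiskOperatorPrivilege -U Administrator)
# and obtain the inputs with `id -G "DOMAIN\\user"` and `stat -c %g /srv/share`.

# Constructed: `getent group` output for the groups mentioned in the thread
GETENT_GROUP='DOMAIN\domain users:x:10000:
DOMAIN\sec-admin-home-unix-domain-administrators:x:10001:
DOMAIN\sec-file-home-administrator:x:11000:'

# Constructed: `net rpc rights list privileges SeDiskOperatorPrivilege` output
RIGHTS_OUT='SeDiskOperatorPrivilege:
DOMAIN\sec-file-home-administrator
BUILTIN\Administrators
DOMAIN\sec-admin-home-unix-domain-administrators
DOMAIN\james.bond'

# group_name_for_gid GID: print the group name that getent resolves GID to
# (empty output means idmap cannot resolve it, as with gid 39999 in the thread).
group_name_for_gid() {
    printf '%s\n' "$GETENT_GROUP" | awk -F: -v gid="$1" '$3 == gid { print $1; exit }'
}

# holds_disk_operator NAME: succeed if NAME is listed under the privilege.
# The name is passed through the environment because `awk -v` would
# reinterpret the backslash in DOMAIN\group.
holds_disk_operator() {
    SEARCH_NAME="$1" awk 'BEGIN { n = ENVIRON["SEARCH_NAME"] }
        NR > 1 && $0 == n { found = 1 } END { exit !found }' <<EOF
$RIGHTS_OUT
EOF
}

# user_in_group "GID LIST" GID: succeed if GID appears in the space-separated
# list, i.e. the output of `id -G user`.
user_in_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# check_share_acl_prereqs "USER GIDS" DIR_GID
# Returns 0 when both conditions hold, 1 when at least one fails,
# 2 when DIR_GID does not resolve to a group name at all.
check_share_acl_prereqs() {
    user_gids=$1
    dir_gid=$2
    group=$(group_name_for_gid "$dir_gid")
    if [ -z "$group" ]; then
        echo "gid $dir_gid does not resolve via getent; check the idmap backend"
        return 2
    fi
    rc=0
    if user_in_group "$user_gids" "$dir_gid"; then
        echo "user is in owning group $group"
    else
        echo "user is NOT in owning group $group (gid $dir_gid)"
        rc=1
    fi
    if holds_disk_operator "$group"; then
        echo "$group holds SeDiskOperatorPrivilege"
    else
        echo "$group does NOT hold SeDiskOperatorPrivilege"
        rc=1
    fi
    return $rc
}

# Demo with the thread's values: james.bond (primary gid 39999, plus the
# Domain Users gid) against a share directory owned by gid 11000.
check_share_acl_prereqs "39999 10000" 11000 || echo "-> ACL change will be refused"
```

With the thread's data the demo reports that the user is not in DOMAIN\sec-file-home-administrator, which matches the `set_canon_ace_list: sys_acl_set_file ... not permitted` entry in the log: the group holds the privilege, but the connecting user is not in it. Adding the user to that group (and re-logging in so the new token is issued) satisfies both checks.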