[Samba] Setting permissions on AD member file server
L.P.H. van Belle
belle at bazuin.nl
Fri Mar 11 09:14:50 UTC 2022
Hmm, found also something else..
(* small hijack of this thread)..
When I run:
net rpc rights list privileges SeDiskOperatorPrivilege -U'ADDOM\Administrator'
On a Debian 10 with samba 4.15.5 with smbd and winbind installed/setup
I get back :
Password for [ADDOM\Administrator]:
SeDiskOperatorPrivilege:
BUILTIN\Administrators
*( to Greg, yes, you can have ADDOM\Domain Admins) ,
ADDOM\Domain Admins is member of BUILTIN\Administrators
* this is how I set up, not how the wiki tells me.
** yeah, I'm a bit strange.. ;-)
Now, I'm installing a new server, based on the setup of the one I showed above.
Only, I don't need smbd on it anymore so that now.
A Debian 11 with samba 4.15.5 with winbind installed/setup.
When I now run:
net rpc rights list privileges SeDiskOperatorPrivilege -U'ADDOM\Administrator'
Could not connect to server 127.0.0.1
net rpc rights list privileges SeDiskOperatorPrivilege -S RTD-WEB2 -U'ADDOM\Administrator'
Could not connect to server RTD-WEB2
Thinking about this, it "might" be logical, since I don't have smbd installed/configured.
Just, the error message is off in this case.. If I'm able I'll test that later on.
So that aside..
Back to Greg's problem.
> > > getfacl shows:
> > > # file: .
> > > # owner: root
> > > # group: AD\\domain\040admins
> > > user::rwx
> > > group::rwx
> > > other::---
This should fix it.
setfacl -m g:"domain users":rx /abc-zfs-01/ad-shared-folders/
If you can't enter the folder as user after that:
Did you change the share security rights (* which is by default "everyone")?
Then do check the current rights on :
getfacl /abc-zfs-01
getfacl /abc-zfs-01/ad-shared-folders
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Greg Sloop <gregs--- via samba
> Sent: Thursday 10 March 2022 20:32
> CC: sambalist
> Subject: Re: [Samba] Setting permissions on AD member file server
>
> No, that doesn't appear to resolve it.
> (Not that it matters a ton, but what is that option - what does it even do?)
>
> On Thu, Mar 10, 2022 at 10:55 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
> > On Thu, 2022-03-10 at 10:43 -0800, Greg Sloop <gregs--- via samba
> > wrote:
> > > So, this is kind of odd.
> > >
> > > Samba member server;
> > > Ubuntu 20.04, with Louis' Samba packages. (4.15.5)
> > > Went through setup as described in the wiki for member servers - all
> > > seems fine.
> > > SeDiskOperatorPrivilege is granted to Domain Admins too.
> > >
> > > Initially I chowned the dirs/files as root:domain admins
> > > and chmod 0770
> > > getfacl shows:
> > > # file: .
> > > # owner: root
> > > # group: AD\\domain\040admins
> > > user::rwx
> > > group::rwx
> > > other::---
> > >
> > > However,
> > > When I try to set permissions from a Windows 10 machine, using
> > > Windows file explorer, I get this message:
> > >
> > > "Failed to enumerate objects in the container. Access is denied."
> > >
> > > I'm logged into the domain on the station where I'm trying to mod
> > > permissions as a user that's a member of "Domain Admins"
> > >
> > > ---
> > > smb.conf from the member/file server
> > > ---
> > > [global]
> > > realm = AD.SAMDOM.LOCAL
> > > security = ADS
> > > server role = member server
> > > server string = FileServer
> > > username map = /etc/samba/user.map
> > > workgroup = AD
> > > idmap config ad : range = 10000-999999
> > > idmap config ad : backend = rid
> > > idmap config * : range = 3000-7999
> > > idmap config * : backend = tdb
> > > map acl inherit = Yes
> > > vfs objects = acl_xattr
> > >
> > >
> > > [root-share]
> > > comment = root-share
> > > path = /abc-zfs-01/ad-shared-folders/
> > > read only = No
> > >
> > > ---
> > > Any good pointers?
> >
> > Try adding 'min domain uid = 0' to global and reload the config or
> > restart Samba
> >
> > Rowland
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
>
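
Added example (not part of the original messages and not Samba code): Louis's reply asks for getfacl on both /abc-zfs-01 and /abc-zfs-01/ad-shared-folders because a user needs x on every directory leading to the share. This Python example parses getfacl listings, including the \\ and \040 name quoting visible in the thread, and reports the first directory in the chain that blocks a group. Both listings are constructed samples; the named-group entry, the mask line and the case-insensitive name comparison are assumptions.

```python
import re

def unquote(name):
    # getfacl writes a backslash as two backslashes and other special bytes as \ooo (octal)
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)),
                  name)

def group_perms(listing, group):
    """Effective permissions that one getfacl listing gives to `group`."""
    want, owner_group, plain, named = group.lower(), None, {}, {}
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("# group:"):
            owner_group = unquote(line.split(":", 1)[1].strip()).lower()
        if not line or line.startswith(("#", "default:")):
            continue
        # drop a trailing "#effective:..." comment, then split tag:qualifier:perms
        tag, qualifier, perms = line.split("#")[0].split(":")[:3]
        perms = set(perms.strip()) - {"-"}
        if qualifier:
            named[(tag, unquote(qualifier).lower())] = perms
        else:
            plain[tag] = perms            # user::, group::, mask::, other::
    matches = [plain.get("group", set())] if owner_group == want else []
    if ("group", want) in named:
        matches.append(named[("group", want)])
    if not matches:
        return plain.get("other", set())  # no group entry matches: "other" applies
    # group entries are limited by the mask when one is present
    return set().union(*matches) & plain.get("mask", {"r", "w", "x"})

def first_blocked(listings, group, need="x"):
    """First path in the chain whose ACL denies `need` to `group`, or None."""
    for path, listing in listings:
        if not set(need) <= group_perms(listing, group):
            return path
    return None

# Constructed sample listings (not output from the poster's server)
PARENT = r"""# group: root
user::rwx
group::r-x
other::---"""
SHARE = r"""# group: AD\\domain\040admins
user::rwx
group::rwx
group:AD\\domain\040users:r-x
mask::rwx
other::---"""
CHAIN = [("/abc-zfs-01", PARENT), ("/abc-zfs-01/ad-shared-folders", SHARE)]
```

With these samples, first_blocked(CHAIN, r"AD\domain users") returns "/abc-zfs-01": the share directory grants r-x, but the parent gives the group nothing, so the user still cannot enter.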