[Samba] Setting permissions on AD member file server

Gregory Sloop gregs at sloop.net
Fri Mar 11 15:31:27 UTC 2022

> On Thu, 2022-03-10 at 11:32 -0800, Greg Sloop <gregs--- via samba
> wrote:

>> No, that doesn't appear to resolve it.
>> (Not that it matters a ton, but what is that option - what does it
>> even do?)

> It allows Administrator to set permissions (in conjunction with a
> user.map) on a Unix share from Windows

> I can now confirm that a member of Domain Admins is denied changing
> permissions from Windows:

> 'Failed to enumerate objects in the container. Access is denied.'

> Looking in the logs (log.smbd to be precise), I found this:

> [2022/03/11 14:31:09.597911, 10, pid=3567, effective(11107, 10513),
> real(11107, 0)] ../../source3/smbd/open.c:6254(create_file_default)
>   create_file: NT_STATUS_ACCESS_DENIED

> Rowland

I'm feeling really stupid this AM - lets use small words to make sure I understand this properly - I need to add the users that need to edit permissions to the BUILTIN/Administrators group, because "Domain Admins" won't cut it. Right?
Is that normal? ...I.E. It's been a while and I don't have a native Windows setup to tinker on handy, but IIRC, each admin group is a super-set of the previous. So Domain Admins has all the rights/privs of Admins, plus some. And Enterprise Admins is a superset of Domain Admins. So, this seems like odd Samba behavior.

More information about the samba mailing list