[Samba] Setting permissions on AD member file server

Gregory Sloop gregs at sloop.net
Fri Mar 11 17:12:43 UTC 2022


See replies below...
 
But an update.
I've logged in as administrator, and still can't manage perms. [Same error]
 
I'm glad to re-gather all the details like smb.conf, etc (though really nothing has changed.)
What do you want/need to see?
 
Also. Louis, see my inline replies below.  

> Hmm, found also something else..

> (* small hijack of this thread)..
> When I run:
> net rpc rights list privileges SeDiskOperatorPrivilege -U'ADDOM\Administrator'
> on a Debian 10 with Samba 4.15.5 with smbd and winbind installed/set up,
> I get back:
> Password for [ADDOM\Administrator]:
> SeDiskOperatorPrivilege:
>   BUILTIN\Administrators
> *( to Greg, yes, you can have ADDOM\Domain Admins),

> ADDOM\Domain Admins is a member of BUILTIN\Administrators
> * this is how I set it up, not how the wiki tells me.
> ** yeah, I'm a bit strange..  ;-)

> Now, I'm installing a new server, based on the setup of the one I showed above.
> Only, I don't need smbd on it anymore, so that is now
> a Debian 11 with Samba 4.15.5 with winbind installed/set up.

> When I now run:
> net rpc rights list privileges SeDiskOperatorPrivilege -U'ADDOM\Administrator'
> Could not connect to server 127.0.0.1

> net rpc rights list privileges SeDiskOperatorPrivilege -S RTD-WEB2 -U'ADDOM\Administrator'
> Could not connect to server RTD-WEB2

> Thinking about this, it "might" be logical, since I don't have smbd installed/configured.
> Just, the error message is off in this case.. If I'm able I'll test that later on.

> So that aside..
> Back to Greg's problem.

>>>> getfacl shows:
>>>> # file: .
>>>> # owner: root
>>>> # group: AD\\domain\040admins
>>>> user::rwx
>>>> group::rwx
>>>> other::--- 

> This should fix it. 
> setfacl -m g:"domain users":rx /abc-zfs-01/ad-shared-folders/
 
Do you mean -n/--no-mask [not -m - there is no -m switch]
 


> If you can't enter the folder as a user after that:
> Did you change the share security rights (* which is by default "everyone")?
> Then do check the current rights on:

> getfacl /abc-zfs-01
 
> getfacl /abc-zfs-01/ad-shared-folders 
(I gave this in the OP, but here it is again. The getfacl of the folder I'm trying to manage permissions on - among others)
 
# getfacl *
# file: shared-files
# owner: AD\\administrator
# group: AD\\domain\040admins
user::rwx
group::rwx
other::---
 
The parent has this facl
 
# file: ad-shared-folders
# owner: root
# group: AD\\domain\040admins
user::rwx
group::rwx
other::---
> Greetz, 

> Louis


>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Greg 
>> Sloop <gregs--- via samba
>> Sent: Thursday 10 March 2022 20:32
>> CC: sambalist
>> Subject: Re: [Samba] Setting permissions on AD member file server

>> No, that doesn't appear to resolve it.
>> (Not that it matters a ton, but what is that option - what 
>> does it even do?)

>> On Thu, Mar 10, 2022 at 10:55 AM Rowland Penny via samba <
>> samba at lists.samba.org> wrote:


>>> On Thu, 2022-03-10 at 10:43 -0800, Greg Sloop <gregs--- via samba
>>> wrote:

>>>> So, this is kind of odd.

>>>> Samba member server;
>>>> Ubuntu 20.04, with Louis' Samba packages. (4.15.5)
>>>> Went through setup as described in the wiki for member servers - all
>>>> seems fine.
>>>> SeDiskOperatorPrivilege is granted to Domain Admins too.


>>>> Initially I chowned the dirs/files as root:domain admins
>>>> and chmod 0770
>>>> getfacl shows:
>>>> # file: .
>>>> # owner: root
>>>> # group: AD\\domain\040admins
>>>> user::rwx
>>>> group::rwx
>>>> other::---

>>>> However, when I try to set permissions from a Windows 10 machine, using
>>>> Windows File Explorer, I get this message:

>>>> "Failed to enumerate objects in the container. Access is denied."

>>>> I'm logged into the domain on the station where I'm trying to mod
>>>> permissions as a user that's a member of "Domain Admins"

>>>> ---
>>>> smb.conf from the member/file server
>>>> ---
>>>> [global]
>>>>         realm = AD.SAMDOM.LOCAL
>>>>         security = ADS
>>>>         server role = member server
>>>>         server string = FileServer
>>>>         username map = /etc/samba/user.map
>>>>         workgroup = AD
>>>>         idmap config ad : range = 10000-999999
>>>>         idmap config ad : backend = rid
>>>>         idmap config * : range = 3000-7999
>>>>         idmap config * : backend = tdb
>>>>         map acl inherit = Yes
>>>>         vfs objects = acl_xattr

>>>> [root-share]
>>>>         comment = root-share
>>>>         path = /abc-zfs-01/ad-shared-folders/
>>>>         read only = No

>>>> ---
>>>> Any good pointers?

>>> Try adding 'min domain uid = 0' to global and reload the config or
>>> restart Samba

>>> Rowland

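Louis's setfacl suggestion and Greg's question about the mask option both come down to how a named group entry and the mask entry combine into the rights a group actually gets. The shell script below is an added example, not anything posted in the thread: it parses getfacl output (the two ACL dumps are constructed, one from the listing in the thread and one for the state after the suggested setfacl) and reports a named group's effective rights, which is what decides whether domain users can enter the share at all.

```shell
# Added example, not from the thread: parse a getfacl dump and report the
# effective rights a named group gets on a directory (entry perms AND mask).

# Constructed sample 1: the ACL posted in the thread; only the owning group
# (domain admins) has an entry, so ordinary domain users cannot enter.
ACL_BEFORE='# file: shared-files
# owner: AD\\administrator
# group: AD\\domain\040admins
user::rwx
group::rwx
other::---'
# Constructed sample 2: the same directory after Louis's suggestion,
#   setfacl -m g:"domain users":rx shared-files
# (setfacl also creates a mask entry when the first named entry is added).
ACL_AFTER='# file: shared-files
# owner: AD\\administrator
# group: AD\\domain\040admins
user::rwx
group::rwx
group:AD\\domain\040users:r-x
mask::rwx
other::---'

# getfacl escapes a space as \040 and a literal backslash as \\ ; undo both.
facl_decode() {
    printf '%s\n' "$1" | sed 's/\\040/ /g; s/\\\\/\\/g'
}

# Print the effective rights of a named group, or "none" (status 1) when it
# has no entry of its own.  $1 = getfacl text, $2 = group, e.g. 'AD\domain users'
facl_group_effective() {
    acl=$(facl_decode "$1")
    # ENVIRON instead of awk -v: -v would reprocess the backslash in the name.
    entry=$(printf '%s\n' "$acl" | FACL_GROUP="$2" \
        awk -F: '$1 == "group" && $2 == ENVIRON["FACL_GROUP"] { print $3 }')
    [ -n "$entry" ] || { echo none; return 1; }
    mask=$(printf '%s\n' "$acl" | awk -F: '$1 == "mask" { print $3 }')
    [ -n "$mask" ] || mask=rwx        # no mask entry means nothing is masked
    # AND the entry with the mask character by character; the result is printed.
    printf '%s\n%s\n' "$entry" "$mask" | awk 'NR == 1 { e = $0 } NR == 2 {
        for (i = 1; i <= 3; i++) o = o (substr(e, i, 1) == substr($0, i, 1) ? substr(e, i, 1) : "-"); print o }'
}

# Status 0 when the group can enter and list the directory (needs r and x).
facl_group_can_enter() {
    case "$(facl_group_effective "$1" "$2")" in r?x) return 0 ;; *) return 1 ;; esac
}

echo "before: $(facl_group_effective "$ACL_BEFORE" 'AD\domain users')"
echo "after:  $(facl_group_effective "$ACL_AFTER" 'AD\domain users')"
```

On a real member server the same functions can be fed the output of getfacl on the share path; when the reported rights are less than the group's own entry, the mask entry is what is cutting them down.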


