[Samba] Setting permissions on AD member file server
Gregory Sloop
gregs at sloop.net
Fri Mar 11 17:12:43 UTC 2022
See replies below...
But an update.
I've logged in as administrator, and still can't manage perms. [Same error.]
I'm glad to re-gather all the details like smb.conf, etc (though really nothing has changed.)
What do you want/need to see?
Also. Louis, see my inline replies below.
> Hmm, found also something else..
> (* small hijack of this thread)..
> When I run:
> net rpc rights list privileges SeDiskOperatorPrivilege -U'ADDOM\Administrator'
> On a Debian 10 with samba 4.15.5 with smbd and winbind installed/setup
> I get back :
> Password for [ADDOM\Administrator]:
> SeDiskOperatorPrivilege:
> BUILTIN\Administrators
> *( to Greg, yes, you can have ADDOM\Domain Admins) ,
> ADDOM\Domain Admins is member of BUILTIN\Administrators
> * this is how I set it up, not how the wiki tells me.
> ** yeah, I'm a bit strange.. ;-)
> Now, I'm installing a new server, based on the setup of the one I showed above.
> Only, I don't need smbd on it anymore, so that now.
> A Debian 11 with samba 4.15.5 with winbind installed/setup.
> When I now run:
> net rpc rights list privileges SeDiskOperatorPrivilege -U'ADDOM\Administrator'
> Could not connect to server 127.0.0.1
> net rpc rights list privileges SeDiskOperatorPrivilege -S RTD-WEB2 -U'ADDOM\Administrator'
> Could not connect to server RTD-WEB2
> Thinking about this, it "might" be logical, since I don't have smbd installed/configured,
> Just, the error message is off in this case.. If I'm able I'll test that later on.
> So that aside..
> Back to Greg's problem.
>>>> getfacl shows:
>>>> # file: .
>>>> # owner: root
>>>> # group: AD\\domain\040admins
>>>> user::rwx
>>>> group::rwx
>>>> other::---
> This should fix it.
> setfacl -m g:"domain users":rx /abc-zfs-01/ad-shared-folders/
Do you mean -n/--no-mask [not -m - there is no -m switch]
> If you can't enter the folder as user after that.
> Did you change the share security rights (* which is by default "everyone" )
> Then do check the current rights on :
> getfacl /abc-zfs-01
> getfacl /abc-zfs-01/ad-shared-folders
(I gave this in the OP, but here it is again. The getfacl of the folder I'm trying to manage permissions on - among others)
# getfacl *
# file: shared-files
# owner: AD\\administrator
# group: AD\\domain\040admins
user::rwx
group::rwx
other::---
The parent has this facl
# file: ad-shared-folders
# owner: root
# group: AD\\domain\040admins
user::rwx
group::rwx
other::---
> Greetz,
> Louis
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Greg
>> Sloop <gregs--- via samba
>> Sent: Thursday 10 March 2022 20:32
>> CC: sambalist
>> Subject: Re: [Samba] Setting permissions on AD member file server
>> No, that doesn't appear to resolve it.
>> (Not that it matters a ton, but what is that option - what
>> does it even do?)
>> On Thu, Mar 10, 2022 at 10:55 AM Rowland Penny via samba <
>> samba at lists.samba.org> wrote:
>>> On Thu, 2022-03-10 at 10:43 -0800, Greg Sloop <gregs--- via samba
>>> wrote:
>>>> So, this is kind of odd.
>>>> Samba member server;
>>>> Ubuntu 20.04, with Louis' Samba packages. (4.15.5)
>>>> Went through setup as described in the wiki for member servers - all seems fine.
>>>> SeDiskOperatorPrivilege is granted to Domain Admins too.
>>>> Initially I chowned the dirs/files as root:domain admins
>>>> and chmod 0770
>>>> getfacl shows:
>>>> # file: .
>>>> # owner: root
>>>> # group: AD\\domain\040admins
>>>> user::rwx
>>>> group::rwx
>>>> other::---
>>>> However,
>>>> When I try to set permissions from a Windows 10 machine, using Windows File Explorer, I get this message:
>>>> "Failed to enumerate objects in the container. Access is denied."
>>>> I'm logged into the domain on the station where I'm trying to mod
>>>> permissions as a user that's a member of "Domain Admins"
>>>> ---
>>>> smb.conf from the member/file server
>>>> ---
>>>> [global]
>>>> realm = AD.SAMDOM.LOCAL
>>>> security = ADS
>>>> server role = member server
>>>> server string = FileServer
>>>> username map = /etc/samba/user.map
>>>> workgroup = AD
>>>> idmap config ad : range = 10000-999999
>>>> idmap config ad : backend = rid
>>>> idmap config * : range = 3000-7999
>>>> idmap config * : backend = tdb
>>>> map acl inherit = Yes
>>>> vfs objects = acl_xattr
>>>> [root-share]
>>>> comment = root-share
>>>> path = /abc-zfs-01/ad-shared-folders/
>>>> read only = No
>>>> ---
>>>> Any good pointers?
>>> Try adding 'min domain uid = 0' to global and reload the config or
>>> restart Samba
>>> Rowland
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
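As an added example (not part of the thread or of Samba), a POSIX sh/awk check that reads a getfacl listing like the ones Greg posted and reports what a given AD group effectively gets on the directory, including the mask:: entry that caps group entries once a named entry has been added. Both listings below are constructed, not output from Greg's server.

```shell
# Constructed sample, not taken from the poster's server: the getfacl listing
# of the share root as shown in the thread. getfacl escapes the space in
# "domain admins" as \040 and the backslash in the winbind name as \\.
SAMPLE_ACL='# file: shared-files
# owner: AD\\administrator
# group: AD\\domain\040admins
user::rwx
group::rwx
other::---'

# Constructed sample of the same directory after a named "domain users" entry
# was added and the mask later dropped to r-x (a chmod 0750 does that).
SAMPLE_ACL_MASKED="$SAMPLE_ACL"'
group:AD\\domain\040users:r-x
mask::r-x'

# effective_group_perms ACL_TEXT GROUP
# Prints the triple GROUP effectively gets: its named group: entry if present,
# else group:: if it is the owning group, else "---", with any mask:: applied.
# GROUP is passed via the environment: awk -v would re-interpret \\ and \040.
effective_group_perms() {
    printf '%s\n' "$1" | WANT="$2" awk '
        BEGIN { want = ENVIRON["WANT"] }
        /^# group: /    { owner_group = substr($0, 10) }
        /^group::/      { owning = substr($0, 8) }
        /^group:[^:]+:/ { split($0, f, ":"); if (f[2] == want) named = f[3] }
        /^mask::/       { mask = substr($0, 7) }
        END {
            p = (named != "") ? named : (owner_group == want ? owning : "---")
            if (mask != "") {
                out = ""
                for (i = 1; i <= 3; i++) {
                    c = substr(p, i, 1); if (substr(mask, i, 1) == "-") c = "-"
                    out = out c
                }
                p = out
            }
            print p
        }'
}

# group_can_traverse ACL_TEXT GROUP: succeeds only when GROUP can both list
# and enter the directory (r and x), which is what the thread is checking.
group_can_traverse() {
    case "$(effective_group_perms "$1" "$2")" in
        r?x) return 0 ;;
        *)   return 1 ;;
    esac
}
```

To check a live share root, feed it `"$(getfacl /abc-zfs-01/ad-shared-folders)"` in place of the constructed listing; the group name must be given exactly as getfacl prints it, escapes included.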