[Samba] Setting permissions on AD member file server

spindles seven spindles7 at gmail.com
Sun Mar 13 12:53:44 UTC 2022 

On 12 March 2022 09:22 Rowland Penny wrote:
> On Fri, 2022-03-11 at 22:48 +0000, spindles seven via samba wrote:
> > On 11 March 2022 22:26 Rowland Penny wrote:
> > > I take it you found that out from here:
> > >
> > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_AC
> > > Ls#Addi
> > > ng_a_Share
> >
> > Yes indeed.
> >
> > > That is what I was getting at, it used to work. A member of Domain
> > > Admins logged into Windows could change the permissions on a share,
> > > provided everything was set up correctly on the Unix domain member.
> > > I can now only do this with Administrator.
> > >
> > > Rowland
> > >
> > works for me (on version 4.15.5), so what's different?
> 
> I am using 4.15.5 and it doesn't work for me, it used to, but it doesn't any longer.
> 
> Rowland
> 
OK, so using a test installation of Debian Bullseye in a VM and Samba 4.15.5, I left the domain and cleaned up the samba database files as per the WiKi.   I deleted the existing folders ie /srv/samba and all sub folders.     Using that same page in the WiKi (https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member) I joined the domain.    This is the smb.conf at that stage:

[global]

        security = ADS
        workgroup = MICROLYNX
        realm = MICROLYNX.ORG

        log file = /var/log/samba/%m.log
        log level = 1

        winbind use default domain = yes

        # Default idmap config used for BUILTIN and local accounts/groups
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999

        # idmap config for domain MICROLYNX
        idmap config MICROLYNX:backend = rid
        idmap config MICROLYNX:range = 10000-99999

        # next two lines for testing only - comment-out once working ok
        winbind enum users = yes
        winbind enum groups = yes

        template shell = /bin/bash
        template homedir = /srv/samba/users/%U

        vfs objects = acl_xattr
        map acl inherit = yes
        username map = /etc/samba/user.map

        # allow administrator to access having been mapped to root (uid 0)
        min domain uid = 0
==========
I then added shares [users] and [test] as follows:

[users]
        # user homedirs
        path = /srv/samba/users
        read only = no
        acl_xattr:ignore system acls = yes

[test]
        path = /srv/samba/test
        read only = no

I set the Unix permissions as follows:
chown root:"Domain Admins" /srv/samba/users
chown root:"Domain Admins" /srv/samba/test
chmod 0770 /srv/samba/users
chmod 0770 /srv/samba/test

I granted Domain Admins the SeDiskOperatorPrivilege on the test server then attempted to set the permissions from Windows using the WiKi page: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

I logged onto Windows 10 using a user who is a member of Domain Admins and was able to set permissions correctly using Computer Management on the [test] share, but not on the [users] share;   to allow the permissions to be applied from windows initially, I had to temporarily comment out the "acl_xattr:ignore system acls = yes" line and reload the smb config.  Once set, I removed the comment (#) from that line.

On the Users share I set:
Domain Admins	Full Control		This folder only
CREATOR OWNER	Full Control		Subfolders and files only
SYSTEM	Full Control		This folder, subfolders and files
Authenticated Users	Special*	This folder only

* Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Create folders/append data, Read permissions

The folder looks like this as seen from Linux:
root at m2test:~# ls -l /srv/samba
total 16
drwxrwx---+ 2 root domain admins 4096 Mar 13 11:47 test
drwxrwx---+ 2 root domain admins 4096 Mar 13 11:47 users
root at m2test:~# getfacl /srv/samba/users
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
group::rwx
group:NT\040Authority\\authenticated\040users:rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:---
default:mask::rwx
default:other::---

So following the WiKi as close as possible, I am able to set permissions using a Domain Admins account, not sure why your system is preventing you?

Thanks for your invaluable help as always.

Roy

More information about the samba mailing list