[Samba] Setting permissions on AD member file server
spindles seven
spindles7 at gmail.com
Sun Mar 13 12:53:44 UTC 2022
On 12 March 2022 09:22 Rowland Penny wrote:
> On Fri, 2022-03-11 at 22:48 +0000, spindles seven via samba wrote:
> > On 11 March 2022 22:26 Rowland Penny wrote:
> > > I take it you found that out from here:
> > >
> > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
> >
> > Yes indeed.
> >
> > > That is what I was getting at, it used to work. A member of Domain
> > > Admins logged into Windows could change the permissions on a share,
> > > provided everything was set up correctly on the Unix domain member.
> > > I can now only do this with Administrator.
> > >
> > > Rowland
> > >
> > works for me (on version 4.15.5), so what's different?
>
> I am using 4.15.5 and it doesn't work for me, it used to, but it doesn't any longer.
>
> Rowland
>
OK, so using a test installation of Debian Bullseye in a VM and Samba 4.15.5, I left the domain and cleaned up the Samba database files as per the Wiki. I deleted the existing folders, i.e. /srv/samba and all subfolders. Using that same page in the Wiki (https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member) I joined the domain. This is the smb.conf at that stage:
[global]
security = ADS
workgroup = MICROLYNX
realm = MICROLYNX.ORG
log file = /var/log/samba/%m.log
log level = 1
winbind use default domain = yes
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain MICROLYNX
idmap config MICROLYNX:backend = rid
idmap config MICROLYNX:range = 10000-99999
# next two lines for testing only - comment-out once working ok
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /srv/samba/users/%U
vfs objects = acl_xattr
map acl inherit = yes
username map = /etc/samba/user.map
# allow administrator to access having been mapped to root (uid 0)
min domain uid = 0
==========
I then added shares [users] and [test] as follows:
[users]
# user homedirs
path = /srv/samba/users
read only = no
acl_xattr:ignore system acls = yes
[test]
path = /srv/samba/test
read only = no
I set the Unix permissions as follows:
chown root:"Domain Admins" /srv/samba/users
chown root:"Domain Admins" /srv/samba/test
chmod 0770 /srv/samba/users
chmod 0770 /srv/samba/test
I granted Domain Admins the SeDiskOperatorPrivilege on the test server, then attempted to set the permissions from Windows using the Wiki page: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
I logged onto Windows 10 using a user who is a member of Domain Admins and was able to set permissions correctly using Computer Management on the [test] share, but not on the [users] share; to allow the permissions to be applied from Windows initially, I had to temporarily comment out the "acl_xattr:ignore system acls = yes" line and reload the smb config. Once set, I removed the comment (#) from that line.
On the Users share I set:
Domain Admins Full Control This folder only
CREATOR OWNER Full Control Subfolders and files only
SYSTEM Full Control This folder, subfolders and files
Authenticated Users Special* This folder only
* Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Create folders/append data, Read permissions
The folder looks like this as seen from Linux:
root at m2test:~# ls -l /srv/samba
total 16
drwxrwx---+ 2 root domain admins 4096 Mar 13 11:47 test
drwxrwx---+ 2 root domain admins 4096 Mar 13 11:47 users
root at m2test:~# getfacl /srv/samba/users
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
group::rwx
group:NT\040Authority\\authenticated\040users:rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:---
default:mask::rwx
default:other::---
So, following the Wiki as closely as possible, I am able to set permissions using a Domain Admins account; not sure why your system is preventing you?
Thanks for your invaluable help as always.
Roy
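As an added example (not from this thread or from the Samba project), a small POSIX shell/awk audit that reads an smb.conf and reports, per share, whether the settings the procedure above relies on are in place: acl_xattr loaded via vfs objects, map acl inherit enabled, and whether acl_xattr:ignore system acls is set on the share (the setting that, in the report above, had to be commented out before the first ACL set from Windows succeeded). The sample smb.conf it reads is constructed inline and modelled on the one quoted above; the function name, the extra [scratch] share and the warning tags are my own.

```shell
#!/bin/sh
# Added example: audit an smb.conf for the options that let Windows-side
# ACL management work on a Samba AD member (see the thread above).

# audit_smbconf FILE -> one line per share: "<share>:ok" or "<share>:WARN <tags>"
# Share-level values override [global]; keys are matched case-insensitively.
audit_smbconf() {
  awk '
    /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }     # comments and blanks
    /^[[:space:]]*\[/ {                                    # [section] header
      sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
      if (sec != "global" && !(sec in seen)) { seen[sec] = 1; order[++n] = sec }
      next
    }
    /=/ {                                                  # key = value
      key = $0; sub(/=.*/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
      val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      kv[sec, tolower(key)] = val
    }
    function get(s, k) { return ((s, k) in kv) ? kv[s, k] : kv["global", k] }
    END {
      for (i = 1; i <= n; i++) {
        s = order[i]; w = ""
        if (get(s, "vfs objects") !~ /acl_xattr/) w = w " no-acl_xattr"
        if (tolower(get(s, "map acl inherit")) !~ /^(yes|true|1)$/) w = w " map-acl-inherit-off"
        if (tolower(get(s, "acl_xattr:ignore system acls")) ~ /^(yes|true|1)$/)
          w = w " ignore-system-acls(apply-NT-ACL-from-Windows-first)"
        print s ":" (w == "" ? "ok" : "WARN" w)
      }
    }' "$1"
}

# Constructed sample config, modelled on the smb.conf quoted in the thread.
SAMPLE_CONF="${TMPDIR:-/tmp}/smb.conf.sample.$$"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
vfs objects = acl_xattr
map acl inherit = yes
[users]
path = /srv/samba/users
acl_xattr:ignore system acls = yes
[test]
path = /srv/samba/test
[scratch]
path = /srv/samba/scratch
map acl inherit = no
EOF

audit_smbconf "$SAMPLE_CONF"
```

Run it against /etc/samba/smb.conf to get the same per-share report for a live member server.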