[Samba] Windows ACLs

Sonic sonicsmith at gmail.com
Thu Sep 22 18:38:58 UTC 2022 

I'm trying to set up a new Samba install as a Domain Member to a
Windows AD to act as a fileserver and am having little success
following the Wiki in setting up a share using Windows ACLs.

First problem was even connecting to the system with the Administrator
account as it was mapped to the root user via the user.map per the
wiki. Setting "min domain uid = 0" solved that but this seems a bit
counterintuitive and maybe dangerous.

All seems fine until I connect to the share via Computer Management as
shown on https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
under the heading "Setting Share Permissions and ACLs". When I right
click share and select properties the properties box comes up but the
smbd log does indicate NT_STATUS_PRIVILEGE_NOT_HELD. The Share
Permissions tab looks fine but when I select the security tab the smbd
log indicates NT_STATUS_BUFFER_TOO_SMALL and attempts to add
permissions fail, the smbd log indicates NT_STATUS_ACCESS_DENIED.

smb.conf:
===================================
[global]
        log level = 3
        min domain uid = 0
        map to guest = Bad User
        printcap name = /dev/null
        realm = PIZZA.EXAMPLE.COM
        security = ADS
        server role = member server
        server string = Quinine Data
        username map = /etc/samba/user.map
        workgroup = PIZZA3
        idmap config pizza3 : backend = rid
        idmap config pizza3 : range = 50000-89999
        idmap config quinine : range = 5000-5999
        idmap config quinine : backend = tdb
        idmap config * : range = 10000-19999
        idmap config * : backend = tdb
        map acl inherit = Yes
        vfs objects = acl_xattr

[data1]
        comment = Data1 on Quinine
        path = /srv/terra/terra1
        acl_xattr:ignore system acls = yes
===================================
SeDiskOperatorPrivilege:
  PIZZA3\Domain Admins
  PIZZA3\Administrator
  BUILTIN\Administrators
===================================
drwxrwx--- 2 root            PIZZA3\domain admins    6 Sep 19 23:42 terra1
===================================
Version 4.16.5-Debian
Debian GNU/Linux 11 \n \l

Please assist.
Thank you,
Chris

More information about the samba mailing list