[Samba] Windows ACLs

Rowland Penny rpenny at samba.org
Thu Sep 22 18:57:57 UTC 2022



On 22/09/2022 19:38, Sonic via samba wrote:
> I'm trying to set up a new Samba install as a Domain Member to a
> Windows AD to act as a fileserver and am having little success
> following the Wiki in setting up a share using Windows ACLs.
> 
> First problem was even connecting to the system with the Administrator
> account as it was mapped to the root user via the user.map per the
> wiki. Setting "min domain uid = 0" solved that but this seems a bit
> counterintuitive and maybe dangerous.

It is the only thing that works.

> 
> All seems fine until I connect to the share via Computer Management as
> shown on https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> under the heading "Setting Share Permissions and ACLs". When I right
> click share and select properties the properties box comes up but the
> smbd log does indicate NT_STATUS_PRIVILEGE_NOT_HELD. The Share
> Permissions tab looks fine but when I select the security tab the smbd
> log indicates NT_STATUS_BUFFER_TOO_SMALL and attempts to add
> permissions fail, the smbd log indicates NT_STATUS_ACCESS_DENIED.
> 
> smb.conf:
> ===================================
> [global]
>          log level = 3
>          min domain uid = 0
>          map to guest = Bad User
>          printcap name = /dev/null
>          realm = PIZZA.EXAMPLE.COM
>          security = ADS
>          server role = member server
>          server string = Quinine Data
>          username map = /etc/samba/user.map
>          workgroup = PIZZA3
>          idmap config pizza3 : backend = rid
>          idmap config pizza3 : range = 50000-89999
>          idmap config quinine : range = 5000-5999
>          idmap config quinine : backend = tdb
>          idmap config * : range = 10000-19999
>          idmap config * : backend = tdb

You need to reset the 'idmap config' lines. I presume 'quinine' is the 
hostname of the Unix domain member; if so, remove the two idmap config 
lines that mention 'quinine', and I suggest you use the ranges on the 
wiki (at least as a starting point); they are known to work.

Rowland
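
A small lint for the idmap point made in the reply above, as an added example that is not part of the original thread and not Samba's own tooling: it flags `idmap config` sections for any domain other than `*` or the configured workgroup, and ID ranges that overlap. The sample input is constructed from the quoted smb.conf, and the function names are hypothetical.

```python
import re

# Constructed sample: the workgroup and idmap lines from the smb.conf quoted above.
SAMPLE_CONF = """\
[global]
    workgroup = PIZZA3
    idmap config pizza3 : backend = rid
    idmap config pizza3 : range = 50000-89999
    idmap config quinine : range = 5000-5999
    idmap config quinine : backend = tdb
    idmap config * : range = 10000-19999
    idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)

def parse_idmap(conf_text):
    """Return (workgroup, {domain: {option: value}}) from smb.conf text."""
    workgroup, domains = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()  # commented lines start with # or ; and match nothing
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3).strip()
            domains.setdefault(dom, {})[opt] = val
        elif line.lower().startswith("workgroup") and "=" in line:
            workgroup = line.split("=", 1)[1].strip().upper()
    return workgroup, domains

def lint_idmap(conf_text):
    """List findings: idmap sections for unexpected domains, overlapping ranges."""
    workgroup, domains = parse_idmap(conf_text)
    findings, ranges = [], []
    for dom, opts in sorted(domains.items()):
        # A trusted domain with its own section is legitimate; review, don't auto-delete.
        if dom not in ("*", workgroup):
            findings.append(f"idmap config for {dom} is neither '*' nor workgroup {workgroup}")
        if "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-"))
            ranges.append((low, high, dom))
    prev_high, prev_dom = -1, None
    for low, high, dom in sorted(ranges):
        if low <= prev_high:  # starts inside a range already seen
            findings.append(f"ranges for {prev_dom} and {dom} overlap")
        if high > prev_high:
            prev_high, prev_dom = high, dom
    return findings

if __name__ == "__main__":
    print("\n".join(lint_idmap(SAMPLE_CONF)) or "no findings")
```
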



