[Samba] Windows ACLs
rpenny at samba.org
Thu Sep 22 18:57:57 UTC 2022
On 22/09/2022 19:38, Sonic via samba wrote:
> I'm trying to set up a new Samba install as a Domain Member to a
> Windows AD to act as a fileserver and am having little success
> following the Wiki in setting up a share using Windows ACLs.
> First problem was even connecting to the system with the Administrator
> account as it was mapped to the root user via the user.map per the
> wiki. Setting "min domain uid = 0" solved that but this seems a bit
> counterintuitive and maybe dangerous.
It is the only thing that works.
> All seems fine until I connect to the share via Computer Management as
> shown on https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> under the heading "Setting Share Permissions and ACLs". When I right
> click share and select properties the properties box comes up but the
> smbd log does indicate NT_STATUS_PRIVILEGE_NOT_HELD. The Share
> Permissions tab looks fine but when I select the security tab the smbd
> log indicates NT_STATUS_BUFFER_TOO_SMALL and attempts to add
> permissions fail, the smbd log indicates NT_STATUS_ACCESS_DENIED.
> log level = 3
> min domain uid = 0
> map to guest = Bad User
> printcap name = /dev/null
> realm = PIZZA.EXAMPLE.COM
> security = ADS
> server role = member server
> server string = Quinine Data
> username map = /etc/samba/user.map
> workgroup = PIZZA3
> idmap config pizza3 : backend = rid
> idmap config pizza3 : range = 50000-89999
> idmap config quinine : range = 5000-5999
> idmap config quinine : backend = tdb
> idmap config * : range = 10000-19999
> idmap config * : backend = tdb
You need to reset the 'idmap config' lines. I presume 'quinine' is the
hostname of the Unix domain member; if so, remove the two idmap config
lines that mention 'quinine'. I suggest you use the ranges on the
wiki (at least as a starting point); they are known to work.
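
Added example, not part of the original thread or of Samba itself: a small Python check for the point made in the reply above, flagging any 'idmap config' section named after the member's own hostname and any overlapping ID ranges. The function names and the hostname argument are assumptions for illustration; the sample input is constructed from the smb.conf lines quoted in the thread.

```python
import re

# Constructed sample: the idmap-related lines from the smb.conf quoted above.
SAMPLE_CONF = """\
workgroup = PIZZA3
idmap config pizza3 : backend = rid
idmap config pizza3 : range = 50000-89999
idmap config quinine : range = 5000-5999
idmap config quinine : backend = tdb
idmap config * : range = 10000-19999
idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def audit_idmap(conf_text, hostname):
    """Return findings (hypothetical checks; hostname is an assumed input)."""
    findings, ranges = [], []
    for dom, opts in parse_idmap(conf_text).items():
        if dom == hostname.upper():
            findings.append(f"{dom}: section named after the member's hostname")
        if "backend" not in opts:
            findings.append(f"{dom}: no backend set")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m:
            findings.append(f"{dom}: missing or malformed range")
            continue
        ranges.append((int(m.group(1)), int(m.group(2)), dom))
    ranges.sort()  # compare each range with its next-higher neighbour
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"{d1} and {d2}: ID ranges overlap")
    return findings


if __name__ == "__main__":
    for finding in audit_idmap(SAMPLE_CONF, hostname="quinine"):
        print(finding)
```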