[Samba] clients not connecting to samba shares

Gary Dale gary at extremeground.com
Tue Apr 11 18:05:54 UTC 2023


On 2023-04-11 10:12, Rowland Penny via samba wrote:
>
>
> On 11/04/2023 13:36, Gary Dale via samba wrote:
>> On 2023-04-11 04:15, Rowland Penny via samba wrote:
>>>
>>>
>>> What 'Debian distribution-specific' installation did you follow ?
>> The one linked to in AD DC wiki.
>
> Whereabouts is this link ?
> I checked here:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller 
>
>
> But couldn't see one.
> If you can supply a link, I will check it.
The link is on that page in the section Installing Samba.
>
>>>
>> OK. Now it passes the DNS test (again):
>>
>>> # host -t SRV _ldap._tcp.home.rahim-dale.org
>>> _ldap._tcp.home.rahim-dale.org has SRV record 0 100 389 
>>> dc1.home.rahim-dale.org.
>> and
>>> # host -t A dc1.home.rahim-dale.org
>>> dc1.home.rahim-dale.org has address 192.168.1.13
>>>
>> But when I use my Windows 10 VM (logged in as HOME\Administrator) to 
>> run Active Directory Users and Computers I get a pop-up saying 
>> "Naming information cannot be located for the following reason: The 
>> server is not operational." It goes on to suggest something about a 
>> service pack & Windows 2000 in relation to the tools....
>>
>> I also have to manually change to the DC1 domain controller to access 
>> the domain accounts.
>>
>> However once I get past that, I seem to be able to manipulate the 
>> domain accounts.
>>
>> Unfortunately I still can't access the shares. I can connect and 
>> disconnect but I can't actually see the files. I get an error message 
>> when I connect that says "Windows cannot access 
>> \\TheLibrarian\Archives\  You do not have permission to access 
>> \\TheLibrarian\Archives\. Contact your network administrator to 
>> request access."
>>
>> The share permissions are:
>>
>>> drwxrwx---+ 39 root HOME\domain admins 4096 Nov 23 16:32 archives
>
> I will say it again, you are using a Samba AD DC as a fileserver, this 
> means that you must set the permissions from a Windows machine and 
> those permissions are stored in an EA, what you see from 'ls' is 
> irrelevant.
> I will say this again, you will be better off running a separate 
> fileserver (Unix domain member).
That's what I am doing. However the permissions set from Linux are what 
the wiki on setting up file shares says to use.
>
>>>
>> while the file permissions are (sample):
>>
>>> # ls -l /home/shares/archives/
>>> total 480
>>>
>> ....
>>
>>> drwxrwx---+  12 garydale HOME\domain admins  4096 Nov  2  2021  2021
>>> drwxrwx---+  15 garydale HOME\domain admins  4096 Nov 27 11:10  2022
>>> drwxrwx---+  10 garydale HOME\domain admins  4096 Feb 25 15:30  2023
>> This is the same whether I am logged in as the Domain Administrator 
>> or myself (also in the Domain Admins group).
>
> If you notice, there is a '+' sign at the end of the permissions, this 
> denotes that there are further permissions that you can read with 
> getfacl, but these are not the ones set from Windows, you need to use 
> 'samba-tool ntacl' to read those.
>
> Rowland
>
What is this telling me?

> # samba-tool ntacl get /home/shares/archives
>    security_descriptor: struct security_descriptor
>        revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
>        type                     : 0x9004 (36868)
>               0: SEC_DESC_OWNER_DEFAULTED
>               0: SEC_DESC_GROUP_DEFAULTED
>               1: SEC_DESC_DACL_PRESENT
>               0: SEC_DESC_DACL_DEFAULTED
>               0: SEC_DESC_SACL_PRESENT
>               0: SEC_DESC_SACL_DEFAULTED
>               0: SEC_DESC_DACL_TRUSTED
>               0: SEC_DESC_SERVER_SECURITY
>               0: SEC_DESC_DACL_AUTO_INHERIT_REQ
>               0: SEC_DESC_SACL_AUTO_INHERIT_REQ
>               0: SEC_DESC_DACL_AUTO_INHERITED
>               0: SEC_DESC_SACL_AUTO_INHERITED
>               1: SEC_DESC_DACL_PROTECTED
>               0: SEC_DESC_SACL_PROTECTED
>               0: SEC_DESC_RM_CONTROL_VALID
>               1: SEC_DESC_SELF_RELATIVE
>        owner_sid                : *
>            owner_sid                : S-1-22-1-1000
>        group_sid                : *
>            group_sid                : 
> S-1-5-21-337654209-2357861877-656557748-512
>        sacl                     : NULL
>        dacl                     : *
>            dacl: struct security_acl
>                revision                 : SECURITY_ACL_REVISION_NT4 (2)
>                size                     : 0x0098 (152)
>                num_aces                 : 0x00000006 (6)
>                aces: ARRAY(6)
>                    aces: struct security_ace
>                        type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                        flags                    : 0x03 (3)
>                               1: SEC_ACE_FLAG_OBJECT_INHERIT
>                               1: SEC_ACE_FLAG_CONTAINER_INHERIT
>                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                               0: SEC_ACE_FLAG_INHERIT_ONLY
>                               0: SEC_ACE_FLAG_INHERITED_ACE
>                            0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
>                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                               0: SEC_ACE_FLAG_FAILED_ACCESS
>                        size                     : 0x0014 (20)
>                        access_mask              : 0x00000000 (0)
>                        object                   : union 
> security_ace_object_ctr(case 0)
>                        trustee                  : S-1-1-0
>                    aces: struct security_ace
>                        type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                        flags                    : 0x00 (0)
>                               0: SEC_ACE_FLAG_OBJECT_INHERIT
>                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
>                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                               0: SEC_ACE_FLAG_INHERIT_ONLY
>                               0: SEC_ACE_FLAG_INHERITED_ACE
>                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                               0: SEC_ACE_FLAG_FAILED_ACCESS
>                        size                     : 0x0018 (24)
>                        access_mask              : 0x001f01ff (2032127)
>                        object                   : union 
> security_ace_object_ctr(case 0)
>                        trustee                  : S-1-22-1-1000
>                    aces: struct security_ace
>                        type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                        flags                    : 0x00 (0)
>                               0: SEC_ACE_FLAG_OBJECT_INHERIT
>                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
>                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                               0: SEC_ACE_FLAG_INHERIT_ONLY
>                               0: SEC_ACE_FLAG_INHERITED_ACE
>                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                               0: SEC_ACE_FLAG_FAILED_ACCESS
>                        size                     : 0x0024 (36)
>                        access_mask              : 0x001f01ff (2032127)
>                        object                   : union 
> security_ace_object_ctr(case 0)
>                        trustee                  : 
> S-1-5-21-337654209-2357861877-656557748-512
>                    aces: struct security_ace
>                        type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                        flags                    : 0x0b (11)
>                               1: SEC_ACE_FLAG_OBJECT_INHERIT
>                               1: SEC_ACE_FLAG_CONTAINER_INHERIT
>                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                               1: SEC_ACE_FLAG_INHERIT_ONLY
>                               0: SEC_ACE_FLAG_INHERITED_ACE
>                            0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                               0: SEC_ACE_FLAG_FAILED_ACCESS
>                        size                     : 0x0014 (20)
>                        access_mask              : 0x001f01ff (2032127)
>                        object                   : union 
> security_ace_object_ctr(case 0)
>                        trustee                  : S-1-3-0
>                    aces: struct security_ace
>                        type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                        flags                    : 0x0b (11)
>                               1: SEC_ACE_FLAG_OBJECT_INHERIT
>                               1: SEC_ACE_FLAG_CONTAINER_INHERIT
>                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                               1: SEC_ACE_FLAG_INHERIT_ONLY
>                               0: SEC_ACE_FLAG_INHERITED_ACE
>                            0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                               0: SEC_ACE_FLAG_FAILED_ACCESS
>                        size                     : 0x0014 (20)
>                        access_mask              : 0x00000000 (0)
>                        object                   : union 
> security_ace_object_ctr(case 0)
>                        trustee                  : S-1-3-1
>                    aces: struct security_ace
>                        type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                        flags                    : 0x0b (11)
>                               1: SEC_ACE_FLAG_OBJECT_INHERIT
>                               1: SEC_ACE_FLAG_CONTAINER_INHERIT
>                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                               1: SEC_ACE_FLAG_INHERIT_ONLY
>                               0: SEC_ACE_FLAG_INHERITED_ACE
>                            0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                               0: SEC_ACE_FLAG_FAILED_ACCESS
>                        size                     : 0x0018 (24)
>                        access_mask              : 0x001f01ff (2032127)
>                        object                   : union 
> security_ace_object_ctr(case 0)
>                        trustee                  : S-1-22-2-100
>

Or a folder in the share:

> # samba-tool ntacl get /home/shares/archives/2023
>    security_descriptor: struct security_descriptor
>        revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
>        type                     : 0x9004 (36868)
>               0: SEC_DESC_OWNER_DEFAULTED
>               0: SEC_DESC_GROUP_DEFAULTED
>               1: SEC_DESC_DACL_PRESENT
>               0: SEC_DESC_DACL_DEFAULTED
>               0: SEC_DESC_SACL_PRESENT
>               0: SEC_DESC_SACL_DEFAULTED
>               0: SEC_DESC_DACL_TRUSTED
>               0: SEC_DESC_SERVER_SECURITY
>               0: SEC_DESC_DACL_AUTO_INHERIT_REQ
>               0: SEC_DESC_SACL_AUTO_INHERIT_REQ
>               0: SEC_DESC_DACL_AUTO_INHERITED
>               0: SEC_DESC_SACL_AUTO_INHERITED
>               1: SEC_DESC_DACL_PROTECTED
>               0: SEC_DESC_SACL_PROTECTED
>               0: SEC_DESC_RM_CONTROL_VALID
>               1: SEC_DESC_SELF_RELATIVE
>        owner_sid                : *
>            owner_sid                : S-1-22-1-1000
>        group_sid                : *
>            group_sid                : 
> S-1-5-21-337654209-2357861877-656557748-512
>        sacl                     : NULL
>        dacl                     : *
>            dacl: struct security_acl
>                revision                 : SECURITY_ACL_REVISION_NT4 (2)
>                size                     : 0x0098 (152)
>                num_aces                 : 0x00000006 (6)
>                aces: ARRAY(6)
>                    aces: struct security_ace
>                        type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                        flags                    : 0x03 (3)
>                               1: SEC_ACE_FLAG_OBJECT_INHERIT
>                               1: SEC_ACE_FLAG_CONTAINER_INHERIT
>                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                               0: SEC_ACE_FLAG_INHERIT_ONLY
>                               0: SEC_ACE_FLAG_INHERITED_ACE
>                            0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
>                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                               0: SEC_ACE_FLAG_FAILED_ACCESS
>                        size                     : 0x0018 (24)
>                        access_mask              : 0x001f01ff (2032127)
>                        object                   : union 
> security_ace_object_ctr(case 0)
>                        trustee                  : S-1-22-2-100
>                    aces: struct security_ace
>                        type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                        flags                    : 0x03 (3)
>                               1: SEC_ACE_FLAG_OBJECT_INHERIT
>                               1: SEC_ACE_FLAG_CONTAINER_INHERIT
>                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                               0: SEC_ACE_FLAG_INHERIT_ONLY
>                               0: SEC_ACE_FLAG_INHERITED_ACE
>                            0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
>                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                               0: SEC_ACE_FLAG_FAILED_ACCESS
>                        size                     : 0x0014 (20)
>                        access_mask              : 0x00000000 (0)
>                        object                   : union 
> security_ace_object_ctr(case 0)
>                        trustee                  : S-1-1-0
>                    aces: struct security_ace
>                        type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                        flags                    : 0x00 (0)
>                               0: SEC_ACE_FLAG_OBJECT_INHERIT
>                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
>                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                               0: SEC_ACE_FLAG_INHERIT_ONLY
>                               0: SEC_ACE_FLAG_INHERITED_ACE
>                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                               0: SEC_ACE_FLAG_FAILED_ACCESS
>                        size                     : 0x0018 (24)
>                        access_mask              : 0x001f01ff (2032127)
>                        object                   : union 
> security_ace_object_ctr(case 0)
>                        trustee                  : S-1-22-1-1000
>                    aces: struct security_ace
>                        type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                        flags                    : 0x00 (0)
>                               0: SEC_ACE_FLAG_OBJECT_INHERIT
>                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
>                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                               0: SEC_ACE_FLAG_INHERIT_ONLY
>                               0: SEC_ACE_FLAG_INHERITED_ACE
>                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                               0: SEC_ACE_FLAG_FAILED_ACCESS
>                        size                     : 0x0024 (36)
>                        access_mask              : 0x00000000 (0)
>                        object                   : union 
> security_ace_object_ctr(case 0)
>                        trustee                  : 
> S-1-5-21-337654209-2357861877-656557748-512
>                    aces: struct security_ace
>                        type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                        flags                    : 0x0b (11)
>                               1: SEC_ACE_FLAG_OBJECT_INHERIT
>                               1: SEC_ACE_FLAG_CONTAINER_INHERIT
>                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                               1: SEC_ACE_FLAG_INHERIT_ONLY
>                               0: SEC_ACE_FLAG_INHERITED_ACE
>                            0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                               0: SEC_ACE_FLAG_FAILED_ACCESS
>                        size                     : 0x0014 (20)
>                        access_mask              : 0x001f01ff (2032127)
>                        object                   : union 
> security_ace_object_ctr(case 0)
>                        trustee                  : S-1-3-0
>                    aces: struct security_ace
>                        type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                        flags                    : 0x0b (11)
>                               1: SEC_ACE_FLAG_OBJECT_INHERIT
>                               1: SEC_ACE_FLAG_CONTAINER_INHERIT
>                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                               1: SEC_ACE_FLAG_INHERIT_ONLY
>                               0: SEC_ACE_FLAG_INHERITED_ACE
>                            0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                               0: SEC_ACE_FLAG_FAILED_ACCESS
>                        size                     : 0x0014 (20)
>                        access_mask              : 0x00000000 (0)
>                        object                   : union 
> security_ace_object_ctr(case 0)
>                        trustee                  : S-1-3-1
>
I'm maintaining Linux access by owning the folders with my Linux account 
but using the Windows group to allow Windows users to access them. I've 
tried propagating the ownership of the folder I'm most interested in to 
both :HOME\Domain Admins and also :HOME\Domain Users but neither is 
allowing me to see the folders in Windows. Nor can I grab access rights 
through the Windows Properties Security tab on the share.

I get the same results when I follow the letter of the file server wiki 
and set the share ownership to root.
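
The post asks what the `samba-tool ntacl get` output is saying. As an added example (not part of the original post and not Samba's own code), this Python script reduces such a dump to the trustees that are actually granted rights on the folder itself. The function names and the abridged sample are constructed here, and only RID 512 is given a friendly name.

```python
import re

INHERIT_ONLY = 0x08  # SEC_ACE_FLAG_INHERIT_ONLY: ACE is only a template for children
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-3-0": "Creator Owner", "S-1-3-1": "Creator Group"}

def sid_name(sid):
    """Label a SID. S-1-22-1-N and S-1-22-2-N are Samba's SIDs for local Unix uid/gid N."""
    if m := re.fullmatch(r"S-1-22-([12])-(\d+)", sid):
        return ("Unix uid " if m.group(1) == "1" else "Unix gid ") + m.group(2)
    if m := re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid):
        return "Domain Admins" if m.group(1) == "512" else "domain RID " + m.group(1)
    return WELL_KNOWN.get(sid, sid)

def parse_aces(dump):
    """One dict per ACE; '> ' mail quoting and values wrapped to the next line are tolerated."""
    text = re.sub(r"^>[ \t]?", "", dump, flags=re.M)
    aces = []
    for block in text.split("aces: struct security_ace")[1:]:
        def field(name, pat):
            return re.search(name + r"\s*:\s*(" + pat + ")", block).group(1)
        flags = int(field("flags", r"0x[0-9a-fA-F]+"), 16)
        aces.append({
            "allow": field("type", r"SEC_ACE_TYPE_\w+") == "SEC_ACE_TYPE_ACCESS_ALLOWED",
            "inherit_only": bool(flags & INHERIT_ONLY),
            "mask": int(field("access_mask", r"0x[0-9a-fA-F]+"), 16),
            "trustee": sid_name(field("trustee", r"S-[\d-]+")),
        })
    return aces

def grants_on_object(aces):
    """Trustees to which an allow ACE gives a non-zero mask on the object itself."""
    return {a["trustee"]: a["mask"] for a in aces
            if a["allow"] and not a["inherit_only"] and a["mask"]}

# Constructed sample: three ACEs abridged from the archives/2023 dump in the post.
SAMPLE = """\
>   aces: struct security_ace
>     type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>     flags                    : 0x00 (0)
>     access_mask              : 0x001f01ff (2032127)
>     trustee                  : S-1-22-1-1000
>   aces: struct security_ace
>     type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>     flags                    : 0x00 (0)
>     access_mask              : 0x00000000 (0)
>     trustee                  :
> S-1-5-21-337654209-2357861877-656557748-512
>   aces: struct security_ace
>     type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>     flags                    : 0x0b (11)
>     access_mask              : 0x001f01ff (2032127)
>     trustee                  : S-1-3-0
"""
print(grants_on_object(parse_aces(SAMPLE)))
```

On the sample only Unix uid 1000 comes back: the Domain Admins ACE carries an access mask of 0, and the Creator Owner ACE is inherit-only, so it applies to objects created below the folder rather than to the folder.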

