[Samba] Permission denied while trying to setup share with RSAT

Peter Milesson miles at atmos.eu
Tue Dec 12 12:11:14 UTC 2023


Hi folks,

AD member server with Samba 4.19.3 from Debian Bookworm backports. AD DC 
also Samba 4.19.3 from Debian Bookworm backports. The smb.conf is at the 
end of the message.

When trying to set up a share with RSAT as Administrator, every operation 
fails with the error message:

"An error occurred while applying security information to:"
\\DATASRV\groble$
Failed to enumerate objects in the container. Access is denied.

The only operation that succeeds is changing ownership.

I set up the directory the usual way according to the Samba Wiki:

mkdir -p /data/groble
chown root:"Domain Admins" /data/groble
chmod 0770 /data/groble

and defined it in smb.conf as:

[groble$]
         comment = Roaming profiles
         path = /data/groble/
         read only = no
         acl_xattr:ignore system acls = yes
         hide dot files = no
         csc policy = disable

When opening RSAT (Computer configuration, Shares, Security) I get 
the following properties:

Object name: \\DATASRV\groble$
Group or user names:
root (Unix User\root)
SYSTEM
Domain Admins (PRIVATE\Domain Admins)

Clicking on Advanced opens Advanced security settings:

Name: \\DATASRV\groble$
Owner: root (Unix Users\root)

Under the permissions tab there are 3 entries in the list:

root (Unix Users\root), Full control, Inherited from None, Applies to 
This folder only
Domain Admins (PRIVATE\Domain Admins), Read, write & execute, Inherited 
from None, Applies to This folder only
SYSTEM, Full control, Inherited from None, Applies to This folder only

If I create the share directory and set ownership with

chown myadmin:"Domain Admins" /data/groble

where user PRIVATE\myadmin is a user belonging to the group 
PRIVATE\Domain Admins, I have no problems setting up the share if I'm 
logged on as this user.

Neither the Administrator user nor myadmin exists locally on the 
member server. There are no uids or gids set for users in AD. Executing 
getent group or getent passwd displays the correct users with correct 
uids and gids (for example Administrator 10500:10512, myadmin 11118:10512).

I have tried with and without

username map = /etc/samba/user.map
min domain uid = 0

but there is no difference.

I have configured folder redirection (which works perfectly), but it 
should not interfere here. The PRIVATE\administrator account is not in 
the user group for folder redirection anyway. The user PRIVATE\myadmin 
is, however, a member of the folder redirection group of users.

The behavior seriously baffles me; it did work once upon a time (if I 
remember correctly, Samba 4.17.x), and now it does not work at all, 
whichever documentation I follow. If somebody has any idea how to correct 
this, I would be grateful.

Best regards,

Peter

smb.conf
=======

# Global parameters
[global]
         debug pid = yes
         debug uid = yes
         dedicated keytab file = /etc/krb5.keytab
         disable spoolss = yes
         disable netbios = yes
         smb ports = 445
         kerberos method = secrets and keytab
         log level = 1
         log file = /var/log/samba/%m.log
         printcap name = /dev/null
         realm = PRIVATE.TALPS
         security = ADS
         server role = member server
         restrict anonymous = 2
         template homedir = /home/%U
         template shell = /bin/bash
         timestamp logs = yes
         username map = /etc/samba/user.map
         min domain uid = 0
         winbind refresh tickets = yes
         winbind use default domain = yes
         workgroup = PRIVATE
         idmap config * : backend = tdb
         idmap config * : range = 3000-9999
         idmap config PRIVATE : backend = rid
         idmap config PRIVATE : range = 10000-99999
         idmap config PRIVATE : unix_primary_group = yes
         acl group control = yes
         inherit acls = yes
         map acl inherit = yes
         vfs objects = acl_xattr
         acl_xattr:ignore system acls = yes
         apply group policies = yes
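As an added consistency check (not from the post and not Samba's own code), this script maps the uid/gid values that getent printed above back to RIDs using the rid backend rule `id = range low + RID` taken from the posted idmap config, and flags ids that land in the `*` tdb range, which would mean the id was allocated rather than derived from the account's SID. The getent lines are constructed to match the values quoted in the message.

```python
import re

# Constructed copy of the idmap lines from the posted smb.conf.
SMB_CONF = """
[global]
         workgroup = PRIVATE
         idmap config * : backend = tdb
         idmap config * : range = 3000-9999
         idmap config PRIVATE : backend = rid
         idmap config PRIVATE : range = 10000-99999
"""

# Constructed getent lines in the shape the member server prints them
# ("winbind use default domain = yes" drops the PRIVATE\ prefix).
GETENT_LINES = [
    "administrator:*:10500:10512::/home/administrator:/bin/bash",
    "myadmin:*:11118:10512::/home/myadmin:/bin/bash",
    "domain admins:x:10512:",
]

def parse_idmap(conf):
    """Return {DOMAIN: {'backend': str, 'low': int, 'high': int}}."""
    cfg = {}
    pat = r"idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)"
    for dom, key, val in re.findall(pat, conf):
        entry = cfg.setdefault(dom.upper(), {})
        if key == "range":
            lo, hi = val.split("-")
            entry["low"], entry["high"] = int(lo), int(hi)
        else:
            entry[key] = val
    return cfg

def explain_id(unix_id, cfg):
    """Map a uid/gid back to (domain, RID). RID is None when the id comes
    from an allocating backend (tdb), i.e. it was not derived from the SID."""
    for dom, e in cfg.items():
        if "low" in e and e["low"] <= unix_id <= e["high"]:
            if e.get("backend") == "rid":
                return dom, unix_id - e["low"]   # base_rid defaults to 0
            return dom, None
    return None, None   # outside every configured range

def check_getent(lines, conf):
    """Per account: ((domain, RID) of its uid/gid, same for the primary gid or None)."""
    cfg = parse_idmap(conf)
    out = {}
    for line in lines:
        f = line.split(":")
        name, ident = f[0], int(f[2])
        gid = int(f[3]) if len(f) > 3 and f[3] else None
        out[name] = (explain_id(ident, cfg),
                     explain_id(gid, cfg) if gid is not None else None)
    return out
```

RID 500 and RID 512 are the well-known Administrator and Domain Admins RIDs, so recovering exactly those from 10500 and 10512 confirms the idmap side matches what the post reports.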