[Samba] Permission denied while trying to setup share with RSAT
Peter Milesson
miles at atmos.eu
Tue Dec 12 12:11:14 UTC 2023
Hi folks,
AD Member server with Samba 4.19.3 from Debian Bookworm backports. AD DC
also Samba 4.19.3 from Debian Bookworm backports. smb.conf last in the
message.
When trying to set up a share with RSAT as Administrator, every operation
fails with the error message:
"An error occurred while applying security information to:"
\\DATASRV\groble$
Failed to enumerate objects in the container. Access is denied.
The only operation that succeeds is changing ownership.
I set up the directory the usual way according to the Samba Wiki:
mkdir -p /data/groble
chown root:"Domain Admins" /data/groble
chmod 0770 /data/groble
and defined it in smb.conf as
[groble$]
comment = Roaming profiles
path = /data/groble/
read only = no
acl_xattr:ignore system acls = yes
hide dot files = no
csc policy = disable
When opening RSAT (Computer configuration, Shares, Security) I have got
the following properties
Object name: \\DATASRV\groble$
Group or user names:
root (Unix User\root)
SYSTEM
Domain Admins (PRIVATE\Domain Admins)
Clicking on Advanced opens Advanced security settings
Name: \\DATASRV\groble$
Owner: root (Unix Users\root)
Under the permissions tab there are 3 entries in the list:
root (Unix Users\root), Full control, Inherited from None, Applies to
This folder only
Domain Admins (PRIVATE\Domain Admins), Read, write & execute, Inherited
from None, Applies to This folder only
SYSTEM, Full control, Inherited from None, Applies to This folder only
If I create the share directory and set ownership to
chown myadmin:"Domain Admins" /data/groble
where user PRIVATE\myadmin is a user belonging to the group
PRIVATE\Domain Admins, I have no problems setting up the share if I'm
logged on as this user.
Neither the Administrator user nor myadmin exists locally on the
member server. There are no uids or gids set for users in AD. Executing
getent group or getent passwd displays the correct users with correct
uids and gids (for example Administrator 10500:10512, myadmin 11118:10512).
I have tried with and without
username map = /etc/samba/user.map
min domain uid = 0
but there is no difference.
I have configured folder redirection (which works perfectly), but it
should not interfere here. The PRIVATE\administrator account is not in
the user group for folder redirection anyway. The user PRIVATE\myadmin
is, however, a member of the folder redirection group of users.
The behavior seriously baffles me; it did work once upon a time (if I
remember correctly, with Samba 4.17.x), and now it does not work at all,
whichever documentation I follow. If somebody has got any idea how to
correct this, I would be grateful.
Best regards,
Peter
smb.conf
=======
# Global parameters
[global]
debug pid = yes
debug uid = yes
dedicated keytab file = /etc/krb5.keytab
disable spoolss = yes
disable netbios = yes
smb ports = 445
kerberos method = secrets and keytab
log level = 1
log file = /var/log/samba/%m.log
printcap name = /dev/null
realm = PRIVATE.TALPS
security = ADS
server role = member server
restrict anonymous = 2
template homedir = /home/%U
template shell = /bin/bash
timestamp logs = yes
username map = /etc/samba/user.map
min domain uid = 0
winbind refresh tickets = yes
winbind use default domain = yes
workgroup = PRIVATE
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config PRIVATE : backend = rid
idmap config PRIVATE : range = 10000-99999
idmap config PRIVATE : unix_primary_group = yes
acl group control = yes
inherit acls = yes
map acl inherit = yes
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes
apply group policies = yes
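As an added example (not part of the original post and not Samba's own code), the script below takes the idmap settings from the smb.conf above and the uid:gid pairs the poster quotes from getent, derives the RID that the rid backend must have mapped each id from (uid = low end of range + RID), flags ids that fall into the tdb-allocated `*` range (those are allocated on first use and are not stable across member servers), and computes what a plain Unix mode of 0770 with owner root and group "Domain Admins" grants at the POSIX level. The getent lines are constructed from the values in the post; the third user "jdoe" is an invented user outside Domain Admins. The access check models only the Unix mode bits, not the NT ACL that acl_xattr stores and that RSAT is evaluating.

```python
"""
Added example: sanity-check rid-backend id mapping and POSIX access for a
Samba AD member server, using constructed getent output.
"""
import re

# Constructed from the [global] section of the posted smb.conf.
SMB_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config PRIVATE : backend = rid
idmap config PRIVATE : range = 10000-99999
idmap config PRIVATE : unix_primary_group = yes
"""

# Constructed getent output. Administrator and myadmin use the uid:gid pairs
# quoted in the post; "jdoe" is an invented user who is not in Domain Admins.
GETENT_PASSWD = [
    "administrator:*:10500:10512::/home/administrator:/bin/bash",
    "myadmin:*:11118:10512::/home/myadmin:/bin/bash",
    "jdoe:*:11200:10513::/home/jdoe:/bin/bash",
]
GETENT_GROUP = [
    "domain admins:x:10512:administrator,myadmin",
    "domain users:x:10513:",
]

# Well-known AD RIDs (fixed by the AD schema, not assumptions).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}


def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high), ...}} from smb.conf text."""
    idmap = {}
    for line in conf.splitlines():
        m = re.match(r"\s*idmap config (\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if not m:
            continue
        dom, key, val = m.groups()
        entry = idmap.setdefault(dom, {})
        if key == "range":
            lo, hi = val.split("-")
            entry["range"] = (int(lo), int(hi))
        else:
            entry[key] = val
    return idmap


def classify_id(xid, idmap):
    """Locate a uid/gid in the idmap ranges; for the rid backend recover the RID."""
    for dom, cfg in idmap.items():
        lo, hi = cfg["range"]
        if lo <= xid <= hi:
            if cfg.get("backend") == "rid":
                rid = xid - lo  # rid backend: id = low_range + RID (base_rid 0)
                return {"domain": dom, "backend": "rid", "rid": rid,
                        "name": WELL_KNOWN_RIDS.get(rid), "stable": True}
            # tdb allocates ids on first use, so they differ between servers
            return {"domain": dom, "backend": cfg.get("backend"), "rid": None,
                    "name": None, "stable": False}
    return None  # id not covered by any idmap range


def parse_passwd(lines):
    users = {}
    for line in lines:
        name, _, uid, gid, *_ = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid)}
    return users


def parse_group(lines):
    groups = {}
    for line in lines:
        name, _, gid, members = line.split(":")
        groups[int(gid)] = {"name": name, "members": set(filter(None, members.split(",")))}
    return groups


def posix_access(user, users, groups, owner_uid, group_gid, mode):
    """Permission bits a user gets from the Unix mode alone (no NT ACL, no privileges)."""
    u = users[user]
    in_group = u["gid"] == group_gid or user in groups.get(group_gid, {"members": set()})["members"]
    if u["uid"] == owner_uid:
        bits = (mode >> 6) & 7
    elif in_group:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def report():
    """Per-user summary for /data/groble as created in the post: root:"Domain Admins" 0770."""
    idmap = parse_idmap(SMB_CONF)
    users = parse_passwd(GETENT_PASSWD)
    groups = parse_group(GETENT_GROUP)
    out = {}
    for name, u in users.items():
        uid_info, gid_info = classify_id(u["uid"], idmap), classify_id(u["gid"], idmap)
        out[name] = {
            "uid_rid": uid_info["rid"], "uid_name": uid_info["name"],
            "gid_rid": gid_info["rid"], "gid_name": gid_info["name"],
            "access": posix_access(name, users, groups, 0, 10512, 0o770),
        }
    return out


if __name__ == "__main__":
    for name, info in report().items():
        print(name, info)
```

Run it as-is and compare with real `getent passwd`/`getent group` output on the member server: an id that classifies as "rid" reproduces identically on every server with the same range, while anything in the `*` tdb range is local allocation. Note that "rwx" from the mode bits is not the same as WRITE_DAC on the NT side, which is what RSAT needs to apply security information.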