[Samba] Permission denied while trying to setup share with RSAT

Fabrizio Rompani fabrizio.rompani at yetopen.com
Tue Dec 12 15:58:40 UTC 2023


Hi,
did you follow this?
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs


particularly:
Granting the SeDiskOperatorPrivilege Privilege

I'm not an expert, but following that wiki works like a charm for me in Samba 4.16


fab 
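As an added check (not from this thread or the wiki), assuming the listing format the wiki shows for `net rpc rights list accounts` (account name on one line, one privilege per line, records separated by a blank line), this script tests whether an account already holds SeDiskOperatorPrivilege and grants it only when missing:

```shell
#!/bin/sh
# Added example, not from the thread: check whether an account already holds
# SeDiskOperatorPrivilege by parsing the output of
#   net rpc rights list accounts -U "PRIVATE\administrator"
# and grant it only when missing. The listing format assumed is the one the
# Samba wiki shows: account name on one line, then one privilege per line
# (or "No privileges assigned"), records separated by a blank line.

# Constructed sample listing in that format (not captured from a real server).
SAMPLE_RIGHTS='BUILTIN\Print Operators
SePrintOperatorPrivilege

BUILTIN\Account Operators
No privileges assigned

PRIVATE\Domain Admins
SeDiskOperatorPrivilege

PRIVATE\Domain Users
No privileges assigned
'

# has_privilege ACCOUNT PRIVILEGE   (listing on stdin)
# Exit 0 if ACCOUNT's record lists PRIVILEGE, 1 otherwise. The names are
# passed through the environment so awk does not mangle the backslash.
has_privilege() {
    ACCT="$1" PRIV="$2" awk '
        BEGIN { RS = ""; FS = "\n"; found = 1 }
        $1 == ENVIRON["ACCT"] { for (i = 2; i <= NF; i++) if ($i == ENVIRON["PRIV"]) found = 0 }
        END { exit found }'
}

# ensure_disk_operator ACCOUNT ADMIN
# Idempotent grant: needs the net tool and an AD admin account (not run here).
ensure_disk_operator() {
    if net rpc rights list accounts -U "$2" | has_privilege "$1" SeDiskOperatorPrivilege; then
        printf '%s already holds SeDiskOperatorPrivilege\n' "$1"
    else
        net rpc rights grant "$1" SeDiskOperatorPrivilege -U "$2"
    fi
}

# Stand-alone check against the constructed sample, no net needed.
if printf '%s' "$SAMPLE_RIGHTS" | has_privilege 'PRIVATE\Domain Admins' SeDiskOperatorPrivilege; then
    printf 'Domain Admins: SeDiskOperatorPrivilege present\n'
else
    printf 'Domain Admins: SeDiskOperatorPrivilege MISSING\n'
fi
```

Run ensure_disk_operator on the file server that exports the share, as the wiki does, since the privilege lives in that server's own privilege database.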



----- Original message -----
From: "Peter Milesson via samba" <samba at lists.samba.org>
To: "samba" <samba at lists.samba.org>
Sent: Tuesday, 12 December 2023 13:11:14
Subject: [Samba] Permission denied while trying to setup share with RSAT

Hi folks,

AD Member server with Samba 4.19.3 from Debian Bookworm backports. AD DC 
also Samba 4.19.3 from Debian Bookworm backports. smb.conf last in the 
message.

When trying to set up a share with RSAT as Administrator, every operation 
fails with the error message:

"An error occurred while applying security information to:"
\\DATASRV\groble$
Failed to enumerate objects in the container. Access is denied.

The only operation that succeeds is changing ownership.

I set up the directory the usual way according to the Samba Wiki

mkdir -p /data/groble
chown root:"Domain Admins" /data/groble
chmod 0770 /data/groble

and defined it in smb.conf as

[groble$]
         comment = Roaming profiles
         path = /data/groble/
         read only = no
         acl_xattr:ignore system acls = yes
         hide dot files = no
         csc policy = disable

When opening RSAT (Computer configuration, Shares, Security) I have got 
the following properties

Object name: \\DATASRV\groble$
Group or user names:
root (Unix User\root)
SYSTEM
Domain Admins (PRIVATE\Domain Admins)

Clicking on Advanced opens Advanced security settings

Name: \\DATASRV\groble$
Owner: root (Unix Users\root)

Under the permissions tab there are 3 entries in the list:

root (Unix Users\root), Full control, Inherited from None, Applies to 
This folder only
Domain Admins (PRIVATE\Domain Admins), Read, write & execute, Inherited 
from None, Applies to This folder only
SYSTEM, Full control, Inherited from None, Applies to This folder only

If I create the share directory and set ownership to

chown myadmin:"Domain Admins" /data/groble

where user PRIVATE\myadmin is a user belonging to the group 
PRIVATE\Domain Admins, I have no problems setting up the share if I'm 
logged on as this user.

Neither the Administrator user, nor the myadmin exist locally in the 
member server. There are no uids or guids set for users in AD. Executing 
getent group or getent passwd display the correct users with correct 
uids and gids (for example Administrator 10500:10512, myadmin 11118:10512)

I have tried with and without

username map = /etc/samba/user.map
min domain uid = 0

but there is no difference.

I have configured folder redirection (which works perfectly), but it 
should not interfere here. The PRIVATE\administrator account is not in 
the user group for folder redirection anyway. The user PRIVATE\myadmin 
is, however, a member of the folder redirection group of users.

The behavior seriously baffles me; it did work once upon a time (if I 
remember correctly, Samba 4.17.x), and now not at all, according to any 
documentation. If somebody has got any idea how to correct this, I would 
be grateful.

Best regards,

Peter

smb.conf
=======

# Global parameters
[global]
         debug pid = yes
         debug uid = yes
         dedicated keytab file = /etc/krb5.keytab
         disable spoolss = yes
         disable netbios = yes
         smb ports = 445
         kerberos method = secrets and keytab
         log level = 1
         log file = /var/log/samba/%m.log
         printcap name = /dev/null
         realm = PRIVATE.TALPS
         security = ADS
         server role = member server
         restrict anonymous = 2
         template homedir = /home/%U
         template shell = /bin/bash
         timestamp logs = yes
         username map = /etc/samba/user.map
         min domain uid = 0
         winbind refresh tickets = yes
         winbind use default domain = yes
         workgroup = PRIVATE
         idmap config * : backend = tdb
         idmap config * : range = 3000-9999
         idmap config PRIVATE : backend = rid
         idmap config PRIVATE : range = 10000-99999
         idmap config PRIVATE : unix_primary_group = yes
         acl group control = yes
         inherit acls = yes
         map acl inherit = yes
         vfs objects = acl_xattr
         acl_xattr:ignore system acls = yes
         apply group policies = yes



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
