[Samba] Permission denied while trying to setup share with RSAT
Peter Milesson
miles at atmos.eu
Tue Dec 12 16:58:15 UTC 2023
Hi Fab,
Thanks for the advice. This server was set up a couple of years ago, and I
followed the Samba Wiki to the letter. I have also reviewed the steps
again, in case I have overlooked something.
There are several existing shares, and previously (long ago) there were
no problems setting up shares. Over that time, the server has been
upgraded from Debian Bullseye to Debian Bookworm, and Samba was upgraded
a week ago from 4.18.9 to the latest 4.19.3 from Debian Bookworm backports.
What is strange is that I can configure the share if I create the
directory and set the ownership to myadmin:"Domain Admins" and 0770, but
not as Administrator, only as myadmin. It seems that the mapping from
root to PRIVATE\Administrator does not work somehow.
I appreciate your input.
Best regards,
Peter
On 12.12.2023 16:58, Fabrizio Rompani via samba wrote:
> Hi,
> Did you follow this:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
>
> particularly:
> Granting the SeDiskOperatorPrivilege Privilege
>
> I'm not an expert, but following that wiki works like a charm for me in Samba 4.16
>
>
> fab
>
>
>
> ----- Original message -----
> From: "Peter Milesson via samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Tuesday, 12 December 2023 13:11:14
> Subject: [Samba] Permission denied while trying to setup share with RSAT
>
> Hi folks,
>
> AD member server with Samba 4.19.3 from Debian Bookworm backports. AD DC
> also Samba 4.19.3 from Debian Bookworm backports. smb.conf is at the end
> of the message.
>
> When trying to set up a share with RSAT as Administrator, every operation
> fails with the error message:
>
> "An error occurred while applying security information to:"
> \\DATASRV\groble$
> Failed to enumerate objects in the container. Access is denied.
>
> The only operation that succeeds is changing ownership.
>
> I set up the directory the usual way according to the Samba Wiki:
>
> mkdir -p /data/groble
> chown root:"Domain Admins" /data/groble
> chmod 0770 /data/groble
>
> and defined it in smb.conf as:
>
> [groble$]
> comment = Roaming profiles
> path = /data/groble/
> read only = no
> acl_xattr:ignore system acls = yes
> hide dot files = no
> csc policy = disable
>
> When opening RSAT (Computer configuration, Shares, Security) I get
> the following properties:
>
> Object name: \\DATASRV\groble$
> Group or user names:
> root (Unix User\root)
> SYSTEM
> Domain Admins (PRIVATE\Domain Admins)
>
> Clicking on Advanced opens Advanced security settings:
>
> Name: \\DATASRV\groble$
> Owner: root (Unix Users\root)
>
> Under the permissions tab there are 3 entries in the list:
>
> root (Unix Users\root), Full control, Inherited from None, Applies to
> This folder only
> Domain Admins (PRIVATE\Domain Admins), Read, write & execute, Inherited
> from None, Applies to This folder only
> SYSTEM, Full control, Inherited from None, Applies to This folder only
>
> If I create the share directory and set ownership to:
>
> chown myadmin:"Domain Admins" /data/groble
>
> where user PRIVATE\myadmin is a user belonging to the group
> PRIVATE\Domain Admins, I have no problems setting up the share if I'm
> logged on as this user.
>
> Neither the Administrator user nor myadmin exists locally on the
> member server. There are no uids or gids set for users in AD. Executing
> getent group or getent passwd displays the correct users with correct
> uids and gids (for example Administrator 10500:10512, myadmin 11118:10512).
>
> I have tried with and without:
>
> username map = /etc/samba/user.map
> min domain uid = 0
>
> but there is no difference.
>
> I have configured folder redirection (which works perfectly), but it
> should not interfere here. The PRIVATE\administrator account is not in
> the user group for folder redirection anyway. The user PRIVATE\myadmin
> is, however, a member of the folder redirection group of users.
>
> The behavior seriously baffles me; it did work once upon a time (if I
> remember correctly, Samba 4.17.x), and now it does not work at all,
> whichever documentation I follow. If somebody has got any idea how to
> correct this, I would be grateful.
>
> Best regards,
>
> Peter
>
> smb.conf
> =======
>
> # Global parameters
> [global]
> debug pid = yes
> debug uid = yes
> dedicated keytab file = /etc/krb5.keytab
> disable spoolss = yes
> disable netbios = yes
> smb ports = 445
> kerberos method = secrets and keytab
> log level = 1
> log file = /var/log/samba/%m.log
> printcap name = /dev/null
> realm = PRIVATE.TALPS
> security = ADS
> server role = member server
> restrict anonymous = 2
> template homedir = /home/%U
> template shell = /bin/bash
> timestamp logs = yes
> username map = /etc/samba/user.map
> min domain uid = 0
> winbind refresh tickets = yes
> winbind use default domain = yes
> workgroup = PRIVATE
> idmap config * : backend = tdb
> idmap config * : range = 3000-9999
> idmap config PRIVATE : backend = rid
> idmap config PRIVATE : range = 10000-99999
> idmap config PRIVATE : unix_primary_group = yes
> acl group control = yes
> inherit acls = yes
> map acl inherit = yes
> vfs objects = acl_xattr
> acl_xattr:ignore system acls = yes
> apply group policies = yes
>
>
>
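The thread turns on idmap ranges, the uids/gids that getent reports, and the acl_xattr settings in smb.conf. The following is an added example, not code from the thread or the Samba project: it parses a constructed smb.conf excerpt modelled on the one quoted above and checks that the PRIVATE rid range does not overlap the `*` tdb range, that the ids seen via getent (Administrator 10500:10512, myadmin 11118:10512) fall inside the PRIVATE range, and that every section setting `acl_xattr:ignore system acls = yes` actually has the acl_xattr VFS module loaded.

```python
import configparser
import re

# Constructed smb.conf excerpt modelled on the one quoted in the thread.
SMB_CONF = """[global]
workgroup = PRIVATE
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config PRIVATE : backend = rid
idmap config PRIVATE : range = 10000-99999
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes
[groble$]
acl_xattr:ignore system acls = yes
"""
OBSERVED = {"Administrator": (10500, 10512), "myadmin": (11118, 10512)}  # uid:gid from getent

def parse_smb_conf(text):
    # Samba keys contain spaces and ':' so only '=' may separate key and value;
    # optionxform=str keeps the case of domain names inside keys.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check(text, observed):
    """Return a list of findings; an empty list means the settings are coherent."""
    cp, problems, ranges = parse_smb_conf(text), [], {}
    for key, value in cp["global"].items():  # collect every 'idmap config X : range'
        m = re.fullmatch(r"idmap config (.+?) : range", key)
        if m:
            ranges[m.group(1)] = tuple(int(x) for x in value.split("-"))
    star = ranges.get("*")
    for dom, (lo, hi) in ranges.items():  # domain ranges must not overlap the '*' range
        if dom != "*" and star and lo <= star[1] and hi >= star[0]:
            problems.append(f"idmap range for {dom} overlaps the '*' range")
    wg = cp["global"].get("workgroup", "")
    lo, hi = ranges.get(wg, (0, -1))
    for name, ids in observed.items():  # ids reported by getent must come from the domain range
        for label, val in zip(("uid", "gid"), ids):
            if not lo <= val <= hi:
                problems.append(f"{name} {label} {val} is outside the {wg} range {lo}-{hi}")
    for sec in cp.sections():  # 'ignore system acls' only has effect with acl_xattr loaded
        if cp[sec].get("acl_xattr:ignore system acls", "no").lower() == "yes":
            vfs = cp[sec].get("vfs objects") or cp["global"].get("vfs objects", "")
            if "acl_xattr" not in vfs.split():
                problems.append(f"[{sec}] ignores system acls but acl_xattr is not loaded")
    return problems
```

Run `check(open("/etc/samba/smb.conf").read(), ids)` with the uid:gid pairs from `getent passwd` on the member server; the quoted configuration passes all three checks, so an empty result narrows the problem to the privilege and ownership mapping rather than the idmap layout.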