[Samba] Permission denied while trying to setup share with RSAT
Peter Milesson
miles at atmos.eu
Tue Dec 12 17:30:19 UTC 2023
Hi Luke,
The usermap file says:
!root = PRIVATE\administrator PRIVATE\Administrator
Best regards,
Peter
On 12.12.2023 17:59, Luke Barone wrote:
> What does your usermap file look like?
>
> On Tue, Dec 12, 2023 at 8:58 AM Peter Milesson via samba
> <samba at lists.samba.org> wrote:
>
> Hi Fab,
>
> Thanks for the advice. This server was set up a couple of years ago,
> and I followed the Samba Wiki to the letter. I have also reviewed the
> steps again, in case I have overlooked something.
>
> There are several existing shares, and previously (long ago) there
> were no problems setting up shares. During that time, the server has
> been upgraded from Debian Bullseye to Debian Bookworm and Samba was
> upgraded a week ago from 4.18.9 to the latest 4.19.3 from Debian
> Bookworm backports.
>
> What is strange is that I can configure the share if I create the
> directory and set the ownership to myadmin:"Domain Admins" and 0770,
> but not as Administrator, only as myadmin. It seems that the mapping
> from root to PRIVATE\Administrator does not work somehow.
>
> I appreciate your input.
>
> Best regards,
>
> Peter
>
>
> On 12.12.2023 16:58, Fabrizio Rompani via samba wrote:
> > Hi,
> > did you follow this
> >
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> > particularly:
> > Granting the SeDiskOperatorPrivilege Privilege
> >
> > I'm not an expert, but following that wiki works like a charm for
> > me in samba 4.16
> >
> > fab
> >
> >
> >
> > ----- Original Message -----
> > From: "Peter Milesson via samba" <samba at lists.samba.org>
> > To: "samba" <samba at lists.samba.org>
> > Sent: Tuesday, 12 December 2023 13:11:14
> > Subject: [Samba] Permission denied while trying to setup share
> > with RSAT
> >
> > Hi folks,
> >
> > AD Member server with Samba 4.19.3 from Debian Bookworm backports.
> > AD DC also Samba 4.19.3 from Debian Bookworm backports. smb.conf
> > last in the message.
> >
> > When trying to setup a share with RSAT as Administrator, every
> > operation fails with the error message:
> >
> > "An error occurred while applying security information to:"
> > \\DATASRV\groble$
> > Failed to enumerate objects in the container. Access is denied.
> >
> > The only operation that succeeds is changing ownership.
> >
> > I set up the directory the usual way according to the Samba Wiki
> >
> > mkdir -p /data/groble
> > chown root:"Domain Admins" /data/groble
> > chmod 0770 /data/groble
> >
> > and defined it in smb.conf as
> >
> > [groble$]
> > comment = Roaming profiles
> > path = /data/groble/
> > read only = no
> > acl_xattr:ignore system acls = yes
> > hide dot files = no
> > csc policy = disable
> >
> > When opening RSAT (Computer configuration, Shares, Security) I
> > have got the following properties
> >
> > Object name: \\DATASRV\groble$
> > Group or user names:
> > root (Unix User\root)
> > SYSTEM
> > Domain Admins (PRIVATE\Domain Admins)
> >
> > Clicking on Advanced opens Advanced security settings
> >
> > Name: \\DATASRV\groble$
> > Owner: root (Unix Users\root)
> >
> > Under the permissions tab there are 3 entries in the list:
> >
> > root (Unix Users\root), Full control, Inherited from None,
> > Applies to This folder only
> > Domain Admins (PRIVATE\Domain Admins), Read, write & execute,
> > Inherited from None, Applies to This folder only
> > SYSTEM, Full control, Inherited from None, Applies to This
> > folder only
> >
> > If I create the share directory and set ownership to
> >
> > chown myadmin:"Domain Admins" /data/groble
> >
> > where user PRIVATE\myadmin is a user belonging to the group
> > PRIVATE\Domain Admins, I have no problems setting up the share
> > if I'm logged on as this user
> >
> > Neither the Administrator user, nor the myadmin exist locally in the
> > member server. There are no uids or gids set for users in AD.
> > Executing getent group or getent passwd displays the correct users
> > with correct uids and gids (for example Administrator 10500:10512,
> > myadmin 11118:10512)
> >
> > I have tried with and without
> >
> > username map = /etc/samba/user.map
> > min domain uid = 0
> >
> > but there is no difference.
> >
> > I have configured folder redirection (which works perfectly), but it
> > should not interfere here. The PRIVATE\administrator account is
> > not in the user group for folder redirection anyway. The user
> > PRIVATE\myadmin is, however, a member of the folder redirection
> > group of users.
> >
> > The behavior seriously baffles me; it did work once upon a time
> > (if I remember correctly Samba 4.17.x), and now not at all according
> > to any documentation. If somebody has got any idea how to correct
> > this, I would be grateful.
> >
> > Best regards,
> >
> > Peter
> >
> > smb.conf
> > =======
> >
> > # Global parameters
> > [global]
> > debug pid = yes
> > debug uid = yes
> > dedicated keytab file = /etc/krb5.keytab
> > disable spoolss = yes
> > disable netbios = yes
> > smb ports = 445
> > kerberos method = secrets and keytab
> > log level = 1
> > log file = /var/log/samba/%m.log
> > printcap name = /dev/null
> > realm = PRIVATE.TALPS
> > security = ADS
> > server role = member server
> > restrict anonymous = 2
> > template homedir = /home/%U
> > template shell = /bin/bash
> > timestamp logs = yes
> > username map = /etc/samba/user.map
> > min domain uid = 0
> > winbind refresh tickets = yes
> > winbind use default domain = yes
> > workgroup = PRIVATE
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-9999
> > idmap config PRIVATE : backend = rid
> > idmap config PRIVATE : range = 10000-99999
> > idmap config PRIVATE : unix_primary_group = yes
> > acl group control = yes
> > inherit acls = yes
> > map acl inherit = yes
> > vfs objects = acl_xattr
> > acl_xattr:ignore system acls = yes
> > apply group policies = yes
> >
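As an added example (not code from the thread, nor from Samba itself), here is a small offline resolver for the user.map format Peter quotes, so the effect of the `!root = ...` line can be checked without a domain. The ordering, stop-on-match and exact-name comparison rules it applies are my reading of smb.conf(5), not something the thread confirms, and the map contents and the `nobody = *` catch-all line are constructed for illustration.

```python
# Constructed user.map contents. The first mirrors the map quoted in the thread;
# the second adds a catch-all line to show why the wiki puts "!" on the root line.
MAP_FROM_THREAD = r"""
# /etc/samba/user.map (constructed sample)
!root = PRIVATE\administrator PRIVATE\Administrator
"""

MAP_WITH_CATCHALL = MAP_FROM_THREAD + "nobody = *\n"
MAP_WITHOUT_BANG = MAP_FROM_THREAD.replace("!root", "root") + "nobody = *\n"


def parse_user_map(text):
    """Return [(unix_name, [windows_names], stop_after_match)] for each map line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comments and blank lines
            continue
        unix_name, sep, win_side = line.partition("=")
        if not sep:
            raise ValueError(f"malformed username map line: {raw!r}")
        unix_name = unix_name.strip()
        stop = unix_name.startswith("!")           # "!" = stop processing on match
        entries.append((unix_name.lstrip("!").strip(), win_side.split(), stop))
    return entries


def map_username(win_name, entries):
    """Resolve win_name (e.g. 'PRIVATE\\Administrator') through the parsed map.

    Assumed rules (my reading of smb.conf(5)): lines are tried in order, a later
    matching line overrides an earlier one, a matching "!" line ends processing,
    "*" matches any name, names are compared exactly, and "@group" entries are
    skipped here because unix group membership is not available offline.
    """
    result = win_name                              # unmapped names pass through
    for unix_name, win_names, stop in entries:
        if any(w == "*" or w == win_name for w in win_names if not w.startswith("@")):
            result = unix_name
            if stop:
                break
    return result


if __name__ == "__main__":
    for label, text in (("thread", MAP_FROM_THREAD), ("catch-all", MAP_WITH_CATCHALL),
                        ("no bang", MAP_WITHOUT_BANG)):
        entries = parse_user_map(text)
        for name in ("PRIVATE\\Administrator", "PRIVATE\\myadmin"):
            print(f"{label:9s} {name:24s} -> {map_username(name, entries)}")
```

Without the `!`, the catch-all line would override the root mapping, which is the kind of silent misdirection to rule out when a mapped Administrator cannot act as root on the member server.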