[Samba] Permission denied while trying to setup share with RSAT

Peter Milesson miles at atmos.eu
Tue Dec 12 17:59:33 UTC 2023



On 12.12.2023 18:42, Rowland Penny via samba wrote:
> On Tue, 12 Dec 2023 13:11:14 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> AD Member server with Samba 4.19.3 from Debian Bookworm backports. AD
>> DC also Samba 4.19.3 from Debian Bookworm backports. smb.conf last in
>> the message.
>>
>> When trying to set up a share with RSAT as Administrator, every
>> operation fails with the error message:
>>
>> "An error occurred while applying security information to:"
>> \\DATASRV\groble$
>> Failed to enumerate objects in the container. Access is denied.
>>
>> The only operation that succeeds is changing ownership.
>>
>> I set up the directory the usual way according to the Samba Wiki:
>>
>> mkdir -p /data/groble
>> chown root:"Domain Admins" /data/groble
>> chmod 0770 /data/groble
>>
>> and defined it in smb.conf as
>>
>> [groble$]
>>           comment = Roaming profiles
>>           path = /data/groble/
>>           read only = no
>>           acl_xattr:ignore system acls = yes
>>           hide dot files = no
>>           csc policy = disable
>>
> That share appears to be for 'roaming profiles', so I suggest you read
> this wiki page and then follow it to the letter:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Follow the 'Using Windows ACLs' section.
>
> I also suggest you connect from Windows as a member of Domain Admins.
>
> Rowland
>   
>
Hi Rowland,

I have already done that, a zillion times. It still does not work. The
basic problem is that I cannot modify anything as Administrator.
Whether the share will be used for roaming profiles or not is
secondary, and not the problem.

As I reported, if I set the owner on the directory I want to share as 
PRIVATE\myadmin:"Domain Admins" with permissions 0770, I can manage the 
share properties as that user. If I create it as root:"Domain Admins", 
no way. Neither as PRIVATE\myadmin, nor as PRIVATE\Administrator.

Thanks for your advice,

Peter



Best regards,




