[Samba] Permission denied while trying to setup share with RSAT

Rowland Penny rpenny at samba.org
Tue Dec 12 18:12:16 UTC 2023


On Tue, 12 Dec 2023 18:59:33 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:

> 
> 
> On 12.12.2023 18:42, Rowland Penny via samba wrote:
> > On Tue, 12 Dec 2023 13:11:14 +0100
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> Hi folks,
> >>
> >> AD Member server with Samba 4.19.3 from Debian Bookworm backports.
> >> AD DC also Samba 4.19.3 from Debian Bookworm backports. smb.conf
> >> last in the message.
> >>
> >> When trying to setup a share with RSAT as Administrator, every
> >> operation fails with the error message:
> >>
> >> "An error occurred while applying security information to:"
> >> \\DATASRV\groble$
> >> Failed to enumerate objects in the container. Access is denied.
> >>
> >> The only operation that succeeds is changing ownership
> >>
> >> I setup the directory the usual way according to the Samba Wiki
> >>
> >> mkdir -p /data/groble
> >> chown root:"Domain Admins" /data/groble
> >> chmod 0770 /data/groble
> >>
> >> and defined it in smb.conf as
> >>
> >> [groble$]
> >>           comment = Roaming profiles
> >>           path = /data/groble/
> >>           read only = no
> >>           acl_xattr:ignore system acls = yes
> >>           hide dot files = no
> >>           csc policy = disable
> >>
> > That share appears to be for 'roaming profiles', so I suggest you
> > read this wiki page and then follow it to the letter:
> >
> > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> >
> > Follow the 'Using Windows ACLs' section.
> >
> > I also suggest you connect from Windows as a member of Domain
> > Admins.
> >
> > Rowland
> >   
> >
> Hi Rowland,
> 
> I have already done that, a zillion times. Still does not work. The 
> basic problem is, that I cannot modify anything as Administrator. 
> Whether the share will be used for roaming profiles or not, is 
> secondary, and not the problem.
> 
> As I reported, if I set the owner on the directory I want to share as 
> PRIVATE\myadmin:"Domain Admins" with permissions 0770, I can manage
> the share properties as that user. If I create it as root:"Domain
> Admins", no way. Neither as PRIVATE\myadmin, nor as
> PRIVATE\Administrator.
> 

From my testing, you no longer seem to need the user.map, try reading
this:

https://lists.samba.org/archive/samba/2023-November/247267.html

Rowland



More information about the samba mailing list