[Samba] Samba share not quite working on Domain Controller

spindles seven spindles7 at gmail.com
Sun Dec 17 10:38:37 UTC 2023


On December 17, 2023 6:23 AM Mark Foley wrote: 
> On Sat Dec 16 15:49:27 2023 Mark Foley via samba <samba at lists.samba.org>
> wrote:
> [deleted]
> I got this fixed! Nothing like a little lotus-position meditation and navel-
> contemplation to gain enlightenment.
> 
> Since sysvol and netlogin folders didn't crash when I selected their Properties >
> Security, I reasoned there must be something about permissions or ownership afoot.
> Sure enough:
> 
> # ls -ld /var/lib/samba/sysvol/
> drwxrwx---+ 3 root 3000000 4096 2023-11-29 21:16 /var/lib/samba/sysvol/
> 
> Both of those directories, created by provisioning, are members of group 3000000
> which I presume is some administrative group (although 'getent group 3000000' on
> the DC returns nothing, so I'm not sure).
> 
> I could have probably just set the group for Users to 3000000, but there are some
> extended attributes (designated by the '+' sign), so I cloned sysvol to
> Users:
> 
> # rmdir /redirectedFolders/Users/
> # cp -rp /var/lib/samba/sysvol/ /redirectedFolders/ 
> # cd /redirectedFolders/ 
> # mv sysvol/ Users 
> # cd Users/ 
> # rm -r hprs.locl/ 
> # cd ..
> # ls -l
> drwxrwx---+ 2 root 3000000 4096 2023-12-17 00:13 Users/
> 
> Voila! Same permission, complete with extended attributes.

That's not the recommended way to add Extended ACL permissions to a users' share. You have copied the extended ACLs from the sysvol share to the users share and these will not be the correct permissions. For the Users share where the users' home folders, e.g. Documents etc., are redirected, the permissions required are as follows:

File system permissions on the root of the users share:
Principal:Access:Applies to
====================
CREATOR OWNER:Full control:Subfolders and files only 
Domain Admins:Full control:This folder, subfolders and files 
Authenticated Users:Traverse Folder/Execute file, List folder/read data, Read Attributes, Create folders/append data:This folder only
SYSTEM:Full Control:This folder, subfolders and files 

These should be set using the procedure described here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs


Hope that helps,

Spindles7
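
The permission table in the reply above, expressed as a check over the share root's DACL in SDDL form. This is an added example, not part of the original message or of Samba itself. It assumes the SDDL string was obtained with something like `samba-tool ntacl get --as-sddl <path>` and that rights appear as a hex mask or `FA`; both sample strings are constructed, and the second is only an illustration of a non-matching DACL, not the real sysvol ACL.

```python
import re

FULL, SYNCHRONIZE = 0x001F01FF, 0x00100000
# Traverse 0x20 + List folder 0x01 + Read attributes 0x80 + Create folders 0x04
AU_MASK = 0xA5
# principal: (SDDL alias, SID pattern, access mask, inheritance flags)
EXPECTED = {
    "CREATOR OWNER": ("CO", r"S-1-3-0", FULL, {"OI", "CI", "IO"}),  # subfolders and files only
    "Domain Admins": ("DA", r"S-1-5-21-\d+-\d+-\d+-512", FULL, {"OI", "CI"}),
    "Authenticated Users": ("AU", r"S-1-5-11", AU_MASK, set()),     # this folder only
    "SYSTEM": ("SY", r"S-1-5-18", FULL, {"OI", "CI"}),
}
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def parse_allow_aces(sddl):
    """Return [(sid, mask, inherit_flags)] for every allow ACE in the string."""
    aces = []
    for ace_type, flags, rights, sid in ACE_RE.findall(sddl):
        if ace_type != "A":
            continue
        try:
            mask = FULL if rights == "FA" else int(rights, 16)
        except ValueError:
            mask = -1  # rights written as other SDDL letters: reported as a mismatch
        # ID only marks an ACE as inherited; ignore it when comparing
        aces.append((sid, mask, set(re.findall("[A-Z]{2}", flags)) - {"ID"}))
    return aces

def check_share_root(sddl):
    """Return findings; an empty list means the DACL matches the table."""
    aces, findings, matched = parse_allow_aces(sddl), [], set()
    for name, (alias, sid_re, want, flags) in EXPECTED.items():
        mine = [a for a in aces if a[0] == alias or re.fullmatch(sid_re, a[0])]
        matched.update(a[0] for a in mine)
        # Windows tools usually add SYNCHRONIZE, so it is ignored in the comparison
        if not any((m | SYNCHRONIZE) == (want | SYNCHRONIZE) and f == flags for _, m, f in mine):
            findings.append(f"{name}: ACE missing or different from the table")
    findings += [f"unexpected allow ACE for {s}" for s, _, _ in aces if s not in matched]
    return findings

# Constructed samples (domain SID 1111-2222-3333 is a placeholder)
GOOD_SDDL = ("O:BAG:DAD:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;S-1-5-21-1111-2222-3333-512)"
             "(A;;0x001000a5;;;AU)(A;OICI;0x001f01ff;;;SY)")
OTHER_SDDL = "O:BAG:DAD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)"

if __name__ == "__main__":
    for label, sddl in (("table-conformant", GOOD_SDDL), ("other", OTHER_SDDL)):
        print(label, check_share_root(sddl) or "OK")
```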



