[Samba] access "claim types"

Stefan G. Weichinger lists at xunil.at
Fri Feb 10 07:44:00 UTC 2023


On 10.02.23 at 07:50, Stefan G. Weichinger via samba wrote:
> 
> Samba 4.17.3 on Debian 11.6
> 
> [global]
> unix charset = iso8859-15
> 
> security = ads
> realm = COMP.INTRA
> workgroup = COMP
> 
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> 
> winbind cache time = 10
> winbind use default domain = yes
> winbind refresh tickets = Yes
> 
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
> 
> domain master = no
> local master = no
> preferred master = no
> 
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config NORAS : range = 10000-20000
> idmap config NORAS : backend = rid
> 
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/samba_usermapping
> 
> # For ACL support on domain member
> vfs objects = acl_xattr full_audit
> map acl inherit = Yes
> store dos attributes = Yes
> inherit acls = yes
> 
> unix extensions = no
> follow symlinks = yes
> wide links = yes
> 
> load printers = no
> printcap name = /dev/null
> 
> acl allow execute always = True
> 
> # Audit settings
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = mkdirat read pread write pwrite renameat unlinkat
> full_audit:facility = local5
> full_audit:priority = notice
> 
> log level = 1
> 
> min domain uid=0
> 
> ---
> 
> (I even noticed that this config was improved in 2019 after some thread 
> in here ;-))
> 
> issues:
> 
> Their external Windows admin tries to edit ACLs etc. by accessing them 
> from their DC, a Windows 2016 server.
> 
> And in editing Security Settings he gets something like
> 
> no connection to AD to access or check claim types
> 
> (I translated this from the German error text ... not the exact English 
> text)

Maybe this is the same issue I already had at another customer.

The thread was named "editing samba-share ACLs etc from Windows"

and it was that "Administrator" vs. "root" issue.

-

Now I am investigating ... trying not to break things.

For sure there is a bit of a mess: some shares are owned by 
Administrator, some by root (also shares where I get the same error 
messages).
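One thing worth doing before touching share ownership is to lint the domain-member `[global]` section for the usual idmap pitfalls: every idmap block needs both a backend and a range, the ranges must not overlap, and the block for the domain must carry the same name as `workgroup` or domain users silently fall back to the `*` backend. The following is an added example, not Samba code and not something from this thread; it embeds a constructed copy of the quoted config (and a second copy with the idmap block renamed to the workgroup) and reports what it finds. It only checks the idmap/workgroup consistency of the configuration; it makes no claim about the cause of the claim-types error itself.

```python
"""Lint a Samba domain-member smb.conf [global] section for idmap pitfalls.

Added example; not Samba code. The sample inputs below are constructed from
the configuration quoted in the thread.
"""
import re

# Constructed sample: the relevant lines of the quoted [global] section.
SAMPLE_SMB_CONF = """\
[global]
security = ads
realm = COMP.INTRA
workgroup = COMP
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config NORAS : range = 10000-20000
idmap config NORAS : backend = rid
username map = /etc/samba/samba_usermapping
vfs objects = acl_xattr full_audit
"""

# Same config with the domain idmap block named after the workgroup.
FIXED_SMB_CONF = SAMPLE_SMB_CONF.replace("idmap config NORAS", "idmap config COMP")


def parse_global(text):
    """Return {parameter: value} for the [global] section.

    Parameter names are lower-cased and internal whitespace collapsed, so
    'idmap config NORAS : range' becomes 'idmap config noras : range'.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.split()).lower()] = value.strip()
    return params


def idmap_blocks(params):
    """Map idmap domain name (upper-cased, '*' for the default) to its settings."""
    blocks = {}
    for key, value in params.items():
        m = re.match(r"idmap config (\S+) : (range|backend)$", key)
        if not m:
            continue
        entry = blocks.setdefault(m.group(1).upper(), {"backend": None, "range": None})
        if m.group(2) == "range":
            lo, hi = (int(x) for x in value.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = value.lower()
    return blocks


def check_domain_member(params):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if params.get("security", "").lower() != "ads":
        findings.append("security is not 'ads'; this is not an AD domain member")
    workgroup = params.get("workgroup", "").upper()
    blocks = idmap_blocks(params)
    if blocks.get("*", {}).get("range") is None:
        findings.append("missing 'idmap config * : range' for the default domain")
    if workgroup and workgroup not in blocks:
        findings.append(f"no 'idmap config {workgroup} : ...' block; domain users "
                        "would fall back to the '*' backend")
    for dom, entry in blocks.items():
        if dom not in ("*", workgroup):
            findings.append(f"idmap config {dom} does not match workgroup {workgroup}")
        if entry["range"] is None or entry["backend"] is None:
            findings.append(f"idmap config {dom} lacks a range or a backend")
    # Pairwise overlap test on every block that has a range.
    ranged = [(d, e["range"]) for d, e in blocks.items() if e["range"]]
    for i, (d1, (a1, b1)) in enumerate(ranged):
        for d2, (a2, b2) in ranged[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                findings.append(f"idmap ranges for {d1} and {d2} overlap")
    return findings


def lint(text):
    """Parse and check a smb.conf text in one call."""
    return check_domain_member(parse_global(text))


if __name__ == "__main__":
    for label, conf in (("quoted config", SAMPLE_SMB_CONF), ("renamed idmap block", FIXED_SMB_CONF)):
        print(f"{label}: {lint(conf) or ['no findings']}")
```

On the quoted config the linter reports that the `NORAS` block does not match `workgroup = COMP` and that `COMP` has no idmap block of its own; on the copy with the block renamed it reports nothing. On a live server the same check can be run against `testparm -s` output instead of an embedded string.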