[Samba] Member server permissions issue
Rich Webb
rwebb at zylatech.com
Fri Feb 10 19:47:08 UTC 2023
Hello,
I just set up a new domain with a separate domain controller and a Samba domain member for a file server.
I am able to set share permissions and ACL permissions through a Windows client in Computer Management OK. Looking at the Properties / Security tab shows the proper permissions...
getfacl in Linux shows the proper ACLs ... but when I try to access the share from a joined Windows client I am getting access denied, even though the user is in the proper group in ADUC. If I put that same user into the Domain Admins group, that user can then access all the shares.
This is the first time I have seen this behavior. My smb.conf is as follows for the DC:
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = DC1
realm = CORP.EXAMPLE.COM
server role = active directory domain controller
workgroup = CORP
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/corp.example.com/scripts
read only = No
Here is the smb.conf for the member server:
[global]
security = ADS
workgroup = CORP
realm = CORP.EXAMPLE.COM
username map = /etc/samba/user.map
log file = /var/log/samba/%m.log
log level = 1
vfs objects = acl_xattr
map acl inherit = Yes
# store dos attributes = Yes
# Default ID mapping configuration using the autorid
# idmap backend. This will work out of the box for simple setups
# as well as complex setups with trusted domains.
idmap config * : backend = autorid
idmap config * : range = 10000-9999999
[Shared]
writeable = yes
path=/server/shared
[Installs]
writeable = yes
path=/server/installs
... rest of share definitions ...
Samba version on the domain controller is: 4.15.13-Ubuntu
Samba version on the member server is: 4.15.13-Ubuntu
Any help is greatly appreciated!
Thanks,
Rich