[Samba] Member server permissions issue

Rich Webb rwebb at zylatech.com
Fri Feb 10 20:40:14 UTC 2023


#> ls -ld /server/shared
drwxrwx---+ 47 root CORP\domain users 4096 Feb  6 20:13 /server/shared

#> getfacl /server/shared
getfacl: Removing leading '/' from absolute path names
# file: server/shared
# owner: root
# group: CORP\\domain\040users
user::rwx
user:root:rwx
user:CORP\\domain\040admins:rwx
user:CORP\\domain\040users:rwx
group::rwx
group:CORP\\domain\040admins:rwx
group:CORP\\domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:CORP\\domain\040admins:rwx
default:user:CORP\\domain\040users:rwx
default:group::---
default:group:CORP\\domain\040admins:rwx
default:group:CORP\\domain\040users:rwx
default:mask::rwx
default:other::---

#> samba-tool ntacl get /server/shared --as-sddl
O:S-1-22-1-0G:DUD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001301bf;;;DU)

I originally had domain admins owning the directory, but changed it to domain users, thinking that the user was not a member of domain admins and maybe that was why they couldn't access it.

Rich
----- On Feb 10, 2023, at 3:08 PM, Rowland Penny via samba samba at lists.samba.org wrote:

> On 10/02/2023 19:47, Rich Webb via samba wrote:
>> Hello,
>> 
>> I just set up a new domain with a separate domain controller and a samba domain
>> member for a file server.
>> 
>> I am able to set share permissions and ACL permissions through a windows client
>> on computer management OK. Looking at properties / security tab shows the
>> proper permissions...
>> 
>> Getfacl in linux shows the proper ACLs ... but when I try to access the share
>> from a joined windows client I am getting access denied regardless that the
>> user is in the proper group in ADUC. If I put that same user into Domain Admins
>> group that user can then access all the shares.
>> 
>> This is the first time I have seen this behavior. My smb.conf is as follows
>> for the DC:
>> 
>> # Global parameters
>> [global]
>>          dns forwarder = 8.8.8.8
>>          netbios name = DC1
>>          realm = CORP.EXAMPLE.COM
>>          server role = active directory domain controller
>>          workgroup = CORP
>> 
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>> 
>> [netlogon]
>>          path = /var/lib/samba/sysvol/corp.example.com/scripts
>>          read only = No
>> 
>> Here is the smb.conf for the member server:
>> 
>> [global]
>>         security = ADS
>>         workgroup = CORP
>>         realm = CORP.EXAMPLE.COM
>> 
>>         username map = /etc/samba/user.map
>>         log file = /var/log/samba/%m.log
>>         log level = 1
>> 
>>         vfs objects = acl_xattr
>>         map acl inherit = Yes
>>         # store dos attributes = Yes
>> 
>>         # Default ID mapping configuration using the autorid
>>         # idmap backend. This will work out of the box for simple setups
>>         # as well as complex setups with trusted domains.
>>         idmap config * : backend = autorid
>>         idmap config * : range = 10000-9999999
>> 
>> 
>> [Shared]
>>          writeable = yes
>>          path=/server/shared
>> 
>> [Installs]
>>          writeable = yes
>>          path=/server/installs
>> 
>> ... rest of share definitions ...
>> 
>> Samba version on the domain controller is:  4.15.13-Ubuntu
>> Samba version on the member server is: 4.15.13-Ubuntu
>> 
>> Any help is greatly appreciated!
>> 
>> Thanks,
>> Rich
>> 
> 
> Can you post the output of the following commands:
> 
> ls -ld /server/shared
> 
> getfacl /server/shared
> 
> samba-tool ntacl get /server/shared --as-sddl
> 
> Also, is apparmor running and possibly blocking things ?
> 
> Rowland
> 
> 
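The SDDL line printed by `samba-tool ntacl get /server/shared --as-sddl` earlier in this message packs the owner, group, DACL flags and two ACEs into one string. The following decoder is an added example (not from the thread and not Samba's own code) that expands it so the NT ACL stored by acl_xattr can be compared with the POSIX ACL from getfacl; it assumes hex access masks, no SACL, and the standard Samba S-1-22 Unix SIDs and SDDL aliases.

```python
import re

# Added example (not from the thread): decode the SDDL that `samba-tool ntacl get
# /server/shared --as-sddl` printed above, without needing a Windows client.
SDDL = "O:S-1-22-1-0G:DUD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001301bf;;;DU)"

SID_ALIASES = {"DA": "Domain Admins", "DU": "Domain Users"}  # aliases seen above
ACL_FLAGS = {"P": "protected (no inheritance from parent)", "AI": "auto-inherited"}
ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit", "ID": "inherited"}
RIGHTS = [  # file/directory access-mask bits
    (0x1, "READ_DATA"), (0x2, "WRITE_DATA"), (0x4, "APPEND_DATA"), (0x8, "READ_EA"),
    (0x10, "WRITE_EA"), (0x20, "EXECUTE"), (0x40, "DELETE_CHILD"), (0x80, "READ_ATTRIBUTES"),
    (0x100, "WRITE_ATTRIBUTES"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]
FULL_CONTROL, MODIFY = 0x001F01FF, 0x001301BF  # the two masks in the output above

def describe_sid(sid):
    """Name a SID or alias. Samba maps Unix accounts to S-1-22-1-<uid> and
    S-1-22-2-<gid>, so the owner S-1-22-1-0 above is the local root user."""
    m = re.fullmatch(r"S-1-22-([12])-(\d+)", sid)
    if m:
        return "Unix %s %s" % ("uid" if m.group(1) == "1" else "gid", m.group(2))
    return SID_ALIASES.get(sid, sid)

def parse_acl_flags(s):
    out, i = [], 0
    while i < len(s):
        n = 1 if s[i] == "P" else 2  # 'P' is a one-letter flag, the rest are two
        out.append(ACL_FLAGS[s[i:i + n]])
        i += n
    return out

def parse_sddl(sddl):
    """Parse the O:/G:/D: sections; assumes hex access masks and no SACL."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    dacl, aces = parts.get("D", ""), []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, _, _, sid = ace.split(";")
        mask = int(rights, 16)
        aces.append({
            "type": {"A": "allow", "D": "deny"}[ace_type],
            "inherit": [ACE_FLAGS[flags[i:i + 2]] for i in range(0, len(flags), 2)],
            "trustee": describe_sid(sid),
            "level": {FULL_CONTROL: "Full Control", MODIFY: "Modify"}.get(mask, hex(mask)),
            # rights that a Full Control grant has and this mask lacks
            "missing": [n for b, n in RIGHTS if FULL_CONTROL & b and not mask & b],
        })
    return {"owner": describe_sid(parts.get("O", "")), "group": describe_sid(parts.get("G", "")),
            "dacl_flags": parse_acl_flags(dacl.partition("(")[0]), "aces": aces}
```

For the string above this reports root as owner, Domain Users as group, a protected auto-inherited DACL, Full Control for Domain Admins and Modify (everything except DELETE_CHILD, WRITE_DAC and WRITE_OWNER) for Domain Users, both inheriting to files and subdirectories.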


