[Samba] samba4 active directory - all permissions seem to be messed up
Rowland Penny
rpenny at samba.org
Fri Nov 10 09:55:11 UTC 2023
On Fri, 10 Nov 2023 09:44:14 +0000
Luis Peromarta via samba <samba at lists.samba.org> wrote:
> Hi. Please reply to the list not to me.
>
> passdb backend line is not needed in member server.
It is and it isn't :-)
You need it, but you do not need to actually have it in the smb.conf
because it is the default.
>
> I don’t think you’ve mapped Administrator to root.
From what has been posted, I know the OP hasn't mapped Administrator to
root :-)
Rowland
>
> See
>
> http://samba.bigbird.es/doku.php?id=samba:file-server
>
> Scroll down to “map administrator to root”. And try again
>
> Regards.
>
> LP
> On 10 Nov 2023 at 08:25 +0000, Jürgen Echter
> <j.echter at echter-kuechen-elektro.de>, wrote:
> > Hi Luis,
> >
> > here is my smb.conf for DC1:
> >
> > [global]
> > netbios name = SMBADDC1
> > realm = SAMDOM.DOMAIN.LOC
> > server role = active directory domain controller
> > workgroup = SAMDOM
> > dns forwarder = 192.168.0.1
> > tls keyfile = tls/SMBADDC1.key
> > tls certfile = tls/SMBADDC1.crt
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/SAMDOM.DOMAIN.LOC/scripts
> > read only = No
> >
> > for DC2:
> >
> > [global]
> > netbios name = SMBADDC2
> > realm = SAMDON.DOMAIN.LOC
> > server role = active directory domain controller
> > workgroup = SAMDOM
> > dns forwarder = 192.168.0.1
> > tls keyfile = tls/SMBADDC2.key
> > tls certfile = tls/SMBADDC2.crt
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> > acls = yes
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/samdom.domain.loc/scripts
> > read only = No
> >
> > for DC3:
> >
> > [global]
> > netbios name = SMBADDC3
> > realm = SAMDOM.DOMAIN.LOC
> > server role = active directory domain controller
> > workgroup = SAMDOM
> > dns forwarder = 192.168.0.1
> >
> > tls enabled = yes
> > tls keyfile = tls/SMBADDC3.key
> > tls certfile = tls/SMBADDC3.crt
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/samdom.domain.loc/scripts
> > read only = No
> >
> > and for the member server with the shares:
> >
> > [global]
> > #log level = 10
> > #debug pid = yes
> > security = ADS
> > workgroup = SAMDOM
> > realm = SAMDOM.DOMAIN.LOC
> >
> > winbind refresh tickets = Yes
> >
> > winbind nss info = template
> > template shell = /bin/bash
> > template homedir = /home/%U
> > idmap config ELEMAY : backend = rid
> > idmap config ELEMAY : range = 10000-999999
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> >
> > passdb backend = tdbsam
> >
> > printing = cups
> > printcap name = cups
> > load printers = yes
> > cups options = raw
> >
> >
> > vfs objects = acl_xattr
> > map acl inherit = yes
> >
> > aio read size = 1
> > aio write size = 1
> >
> > [share1]
> > path = /srv/samba/share1
> > browseable = yes
> > read only = no
> > guest ok = no
> > vfs objects = acl_xattr recycle io_uring
> > recycle:repository = .recycle
> > recycle:keeptree = yes
> > recycle:versions = yes
> > recycle:directory_mode = 0770
> > acl_xattr:ignore system acls = yes
> >
> > [share2]
> > path = /srv/samba/share2
> > browseable = Yes
> > read only = no
> > guest ok = no
> > vfs objects = acl_xattr recycle io_uring
> > recycle:repository = .recycle
> > recycle:keeptree = yes
> > recycle:versions = yes
> > recycle:touch_mtime = yes
> > recycle:directory_mode = 0770
> > acl_xattr:ignore system acls = yes
> >
> >
> >
> > On Friday, November 10, 2023 07:55 CET, Luis Peromarta via
> > samba <samba at lists.samba.org> wrote:
> >
> > > It would be easier if you shared your smb.conf file for DCs and
> > > member server.
> > >
> > > LP
> > > On 9 Nov 2023 at 22:12 +0000, Jürgen Echter via samba
> > > <samba at lists.samba.org>, wrote:
> > > >
> > > > Hi,
> > > >
> > > > I have a big issue here.
> > > >
> > > > I have 3 samba addc domain controllers (Version 4.19.2) and one
> > > > member server (Version 4.17.5).
> > > >
> > > > Out of the blue I cannot delete my own files anymore - access
> > > > denied - user DOMAIN/administrator has to give you permission
> > > > to do so.
> > > >
> > > > If I type in a Windows cmd 'whoami' I get domain/administrator,
> > > > so I am the user who holds the permissions on the files.
> > > > Security tab looks good to me - Domain Admins - Full Access,
> > > > Administrator - Full Access
> > > >
> > > > If I check the permissions on the share itself everything is
> > > > looking like I set it up (I check in Windows on the security
> > > > tab). If I try to redo the permissions from within Windows I get
> > > > 'cannot enumerate objects in container - access denied.'
> > > >
> > > > ls -alh on the member server tells me root:"SAMDOM/Domain
> > > > Admins" is the owner of the directory.
> > > >
> > > > smb.conf on the member server:
> > > >
> > > > [share]
> > > > path = /srv/samba/share
> > > > acl_xattr:ignore system acls = yes
> > > >
> > > > Shares were created like this wiki entry tells me to do:
> > > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > > >
> > > > Everything worked until today, when I wanted to check why
> > > > another share isn't inheriting the permissions to subfolders.
> > > >
> > > > I only touched the share which didn't work as expected, so I
> > > > have no clue why all of a sudden all my permissions seem to
> > > > have got messed up.
> > > >
> > > > I also removed an old DC 2 weeks ago and added a new one. So I
> > > > guess this has nothing to do with it either.
> > > >
> > > > I really would appreciate any helping hand here. I can provide
> > > > screenshots or whatever is needed. The error messages may not
> > > > be accurate as I translated the German error messages I got.
> > > >
> > > > Thanks for listening and hopefully some hints what could have
> > > > gone wrong with my setup.
> > > >
> > > > Juergen
> > > >
> > > > --
> > > > To unsubscribe from this list go to the following URL and read
> > > > the instructions: https://lists.samba.org/mailman/options/samba
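The two configuration points raised in this thread (whether the member server maps Administrator to root via `username map`, and whether each `idmap config DOMAIN : ...` label matches the `workgroup`; on the posted member server config the label is ELEMAY while the workgroup is SAMDOM) can be checked mechanically. The following smb.conf linter is an added example, not code from the thread or from the Samba project; the sample config embedded in it is constructed from the posted one and trimmed.

```python
# Added example (not from the thread): a small smb.conf linter for the two
# member-server checks discussed above. It does not run testparm; it only
# parses the text and reports (1) a 'security = ADS' member with no
# 'username map' and (2) idmap domain labels that differ from 'workgroup'.
import re

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}. Keys are
    lower-cased with whitespace collapsed; '#' and ';' comments are skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf[section] = {}
            continue
        if section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf

def lint_member_server(conf):
    """Return a list of findings for a domain member's smb.conf."""
    g = conf.get("global", {})
    findings = []
    if g.get("security", "").upper() == "ADS" and "username map" not in g:
        findings.append("no 'username map': Administrator is not mapped to root")
    workgroup = g.get("workgroup", "").upper()
    seen = set()
    for key in g:
        m = re.match(r"^idmap config (.+?) : ", key)
        if m:
            dom = m.group(1).strip().upper()
            if dom not in seen and dom != "*" and dom != workgroup:
                seen.add(dom)
                findings.append(f"idmap config domain '{dom}' does not match workgroup '{workgroup}'")
    return findings

# Constructed sample, trimmed from the member server config posted above.
SAMPLE_MEMBER_CONF = """
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.DOMAIN.LOC
idmap config ELEMAY : backend = rid
idmap config ELEMAY : range = 10000-999999
idmap config * : backend = tdb
idmap config * : range = 3000-7999
"""
```

Run `lint_member_server(parse_smb_conf(open("/etc/samba/smb.conf").read()))` on a member server to list both findings; an empty list means neither check fired.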