[Samba] Issue creating share on Windows domain-joined Debian 12 Server

Rowland Penny rpenny at samba.org
Tue Oct 17 18:12:17 UTC 2023

On Tue, 17 Oct 2023 11:34:35 -0600
Joel R Smith via samba <samba at lists.samba.org> wrote:

> Environment:
> New install of Debian 12 (Physical Server)
> Latest Samba via apt (4.17.12)
> So I am most of the way there getting this to work. I have
> successfully joined the Debian server to our windows domain. I have
> created a "Unix Admins" windows security group with the
> "SeDiskOperatorPrivilege" enabled. The file share exists although I
> am not yet able to open it. The problem I am having is when
> attempting to manage the share by connecting to the Linux server in
> Windows using Computer Management > Shared Folders > Shares > "Share
> Name" > Properties. In the properties of the share when I go to the
> "Security" tab, the following message appears: "You must have read
> permissions to view the properties of this object". I am unable to
> take ownership through the interface.
> Some strange behavior I also noticed that may be related: When I
> attempt to map the domain account I am using to the local root
> account (user.map: !root = NETWORK\Admin) I am unable to connect to
> the Debian server using computer management. It immediately gives an
> error and the Computer Management MMC opens up blank. Immediately
> after commenting out the user.map line and running smbcontrol all
> reload-config I can again connect to the server with Computer
> Management.
> Here are the guides I have been referencing:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Did you miss the part about 'Setting up a Basic smb.conf File',
in particular the part about selecting an idmap backend?

> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> contents of smb.conf:
> workgroup = network
> password server = dc.network.domain.ca

You shouldn't set the 'password server', you should allow Samba to find
the best DC to use.

> security = ads
> idmap config * : range = 16777216-33554431

There aren't enough 'idmap config' lines, also that is a strange range,
could you also be running sssd?

> template homedir = /home/%D/%U

That is the default.

> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
> min protocol = SMB3
> passdb backend = smbpasswd

Why? The default is the much newer tdbsam.

> vfs objects = acl_xattr
> map acl inherit = yes
> username map = /etc/samba/user.map

What are the contents of the user.map?

> [storage]
>         path = /Backup/Backuptest
>         comment = Backup Share
>         read only = no
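
An added example (not part of either post, and not Samba project code): a small Python check for the three smb.conf points raised in the reply above. The `[global]` header in the sample, the function names, and reading "not enough 'idmap config' lines" as "no per-domain lines unless the default backend is autorid" are assumptions.

```python
import re

# Constructed sample: settings quoted in the thread, placed under a [global]
# header (an assumption; the post does not show section headers for them).
SAMPLE = """[global]
workgroup = network
password server = dc.network.domain.ca
security = ads
idmap config * : range = 16777216-33554431
passdb backend = smbpasswd
[storage]
path = /Backup/Backuptest
"""

def parse_global(text):
    """Return [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are matched case-insensitively; collapse spaces.
            params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params

def review(text):
    """Return findings for the points raised in the reply (hypothetical helper)."""
    p = parse_global(text)
    findings = []
    if "password server" in p:
        findings.append("password server is set; let Samba find the DC")
    if p.get("passdb backend", "").lower().startswith("smbpasswd"):
        findings.append("passdb backend is smbpasswd; default is tdbsam")
    idmap = {}  # domain -> {option: value}
    for key, value in p.items():
        m = re.fullmatch(r"idmap config (\S+) ?: ?(\S+)", key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2)] = value.lower()
    domain = p.get("workgroup", "").lower()
    default_backend = idmap.get("*", {}).get("backend", "tdb")
    if (p.get("security", "").lower() == "ads" and domain not in idmap
            and default_backend != "autorid"):
        findings.append(f"no idmap config lines for domain '{domain}'")
    return findings
```

Calling `review(SAMPLE)` returns one finding per point in the reply; a configuration with `idmap config` lines for both `*` and the domain, and without the two other settings, returns an empty list.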

