[Samba] permission denied with windows acls
Peter Carlson
peter at howudodat.com
Fri Jan 26 02:45:52 UTC 2024
I am getting "Permission denied" when trying to ls a Samba mount with Windows ACLs as a domain user (sigh, I thought I had this figured out).
I tried to use self-descriptive server names and have included them in the
info below (fs1: file server, nc: AD DC, u2gui: Ubuntu desktop).
CARLSON\peter at u2gui:~$ ls -l /mnt
ls: cannot access '/mnt/test': Permission denied
total 0
d????????? ? ? ? ? ? test
I followed the wiki here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
... well, at least I think I did.
File Server smb.conf:
fs1:/data/test$ more /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
log level = 3
kerberos method = secrets and keytab
realm = CARLSON.LAB
workgroup = CARLSON
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
idmap config CARLSON : range = 2000000-2999999
idmap config CARLSON : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
vfs objects = acl_xattr
map acl inherit = yes
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
apply group policies = yes
#======================= Share Definitions =======================
[Test]
path = /data/test
comment = test
writable = yes
then set SeDiskOperatorPrivilege (the command below lists its current holders):
root at nc1:~# net rpc rights list privileges SeDiskOperatorPrivilege
-U carlson\\peter
Password for [CARLSON\peter]:
SeDiskOperatorPrivilege:
CARLSON\Domain Admins
CARLSON\peter at fs1:/data$ getfacl test
# file: test
# owner: root
# group: CARLSON\\videousers
user::rwx
user:root:rwx
user:CARLSON\\videousers:rwx
group::rwx
group:CARLSON\\domain\040admins:rwx
group:CARLSON\\videousers:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:CARLSON\\domain\040admins:r-x
default:mask::rwx
default:other::r-x
root at fs1:/data# samba-tool ntacl get /data/test --as-sddl
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)
Processing section "[global]"
Processing section "[Test]"
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
load_module_absolute_path: Module
'/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service Unknown
Service (snum == -1)
O:S-1-22-1-0G:S-1-5-21-33300784-995546578-3414580312-1121D:AI(A;OICI;FA;;;S-1-22-1-0)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;DA)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;S-1-22-1-0)(A;;FA;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;DA)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)
The share mounts, and I am a member of the correct groups:
CARLSON\peter at u2gui:~$ cat /etc/fstab
//fs.carlson.lab/test /mnt/test cifs
credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0
//fs.carlson.lab/test on /mnt/test type cifs
(rw,relatime,vers=3.1.1,sec=ntlmssp,cache=strict,multiuser,domain=CARLSON.LAB,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.52,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,_netdev)
CARLSON\peter at u2gui:~$ id
uid=2001107(CARLSON\peter) gid=2000513(CARLSON\domain users)
groups=2000513(CARLSON\domain
users),10000(BUILTIN\administrators),10001(BUILTIN\users),2000512(CARLSON\domain
admins),2000572(CARLSON\denied rodc password replication
group),2001107(CARLSON\peter),2001108(CARLSON\linux
admins),2001120(CARLSON\videoadmin),2001121(CARLSON\videousers)