I may be totally wrong but for what it is worth.
Looking at this it looks like your workstation time and server time are out of
sync. Check to make sure your timezone is correct and run the following
command.
net time set /S server
[root@samba ~]# net ads info
LDAP server: 192.168.222.84
LDAP server name: server.TESTDOMAIN.COM
Realm: TESTDOMAIN.COM
Bind Path: dc=TESTDOMAIN,dc=COM
LDAP port: 389
Server time: Wed, 13 Feb 2008 11:19:09 CST
KDC server: 192.168.222.84
Server time offset: -29
________________________________
From: samba-bounces+rstewart=iccpartners.com@lists.samba.org on behalf of Steven
Whaley
Sent: Wed 2/13/2008 12:26 PM
To: samba@lists.samba.org
Subject: [Samba] Access denied when setting permissions
I have a Windows 2003 AD domain and a server joined to that domain.
Winbind is being used as an idmap. Most everything seems to work fine.
Winbind gets user info correctly:
[root@samba ~]# wbinfo -u
TESTDOMAIN\administrator
TESTDOMAIN\guest
TESTDOMAIN\support_388945a0
TESTDOMAIN\krbtgt
TESTDOMAIN\swhaley
TESTDOMAIN\test
[root@samba ~]# wbinfo -g
BUILTIN\administrators
BUILTIN\users
TESTDOMAIN\domain computers
TESTDOMAIN\domain controllers
TESTDOMAIN\schema admins
TESTDOMAIN\enterprise admins
TESTDOMAIN\domain admins
TESTDOMAIN\domain users
TESTDOMAIN\domain guests
TESTDOMAIN\group policy creator owners
TESTDOMAIN\dnsupdateproxy
[root@samba ~]# wbinfo -a 'TESTDOMAIN\swhaley%password'
plaintext password authentication succeeded
challenge/response password authentication succeeded
Domain functionality seems to work fine.
[root@samba ~]# net ads testjoin
Join is OK
[root@samba ~]# net ads info
LDAP server: 192.168.222.84
LDAP server name: server.TESTDOMAIN.COM
Realm: TESTDOMAIN.COM
Bind Path: dc=TESTDOMAIN,dc=COM
LDAP port: 389
Server time: Wed, 13 Feb 2008 11:19:09 CST
KDC server: 192.168.222.84
Server time offset: -29
My user can connect to the samba share from a Windows host without
entering credentials, so Kerberos and authentication are working
properly. But whenever I try to set permissions on the share, with a
member of the Domain Admins group, from the Computer Management snap-in
I always get access denied errors. I have nt acl support turned on for
the share.
Here's my samba config:
[global]
security = ads
encrypt passwords = yes
realm = TESTDOMAIN.COM
workgroup = TESTDOMAIN
idmap uid = 200000 - 300000
idmap gid = 200000 - 300000
server string = Samba Server Version 3
netbios name = SAMBA
interfaces = lo eth0 192.168.222.110/24
[public]
comment = Public Stuff
path = /home/samba
public = yes
writable = yes
printable = no
valid users = TESTDOMAIN.COM\swhaley
nt acl support = yes
map acl inherit = yes
inherit acls = yes
I've also assigned the SeDiskOperatorPrivilege to the Domain Admins group:
[root@samba ~]# net rpc rights list accounts -Uswhaley
Password:
TESTDOMAIN\swhaley
SeDiskOperatorPrivilege
BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
BUILTIN\Backup Operators
No privileges assigned
TESTDOMAIN\Domain Admins
SeDiskOperatorPrivilege
BUILTIN\Server Operators
No privileges assigned
BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
Everyone
No privileges assigned
I'm running CentOS5, so POSIX ACL support is on by default. I tested it
by setting and removing some ACLs just to be sure, and they worked
properly.
As mentioned, I'm running CentOS5. Samba is version 3.0.25b.
Can anyone shed some light on this? It's been driving me crazy.
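Added example, not part of the thread or of Samba: a small audit over the text that `net rpc rights list accounts` prints, reporting which accounts hold a privilege and which of them are missing from an expected list. The function names, the allow-list and the parsing rule (a line shaped like Se<Name>Privilege is a privilege, any other non-blank line starts an account) are assumptions; the sample input is abridged from the listing in the post.

```shell
# Added example: audit privilege holders in `net rpc rights list accounts` text.
# Constructed sample input, abridged from the listing quoted in the post.
sample_rights() {
cat <<'EOF'
TESTDOMAIN\swhaley
SeDiskOperatorPrivilege
BUILTIN\Print Operators
No privileges assigned
TESTDOMAIN\Domain Admins
SeDiskOperatorPrivilege
BUILTIN\Administrators
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeDiskOperatorPrivilege
EOF
}

# Read the listing on stdin; print one "account<TAB>privilege" line per grant.
# Assumption: a line of the form Se<Name>Privilege is a privilege, and any
# other non-blank line (except the "No privileges" marker) names an account.
rights_by_account() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $0 == "" || $0 == "No privileges assigned" { next }
        /^Se[A-Za-z]+Privilege$/ { if (acct != "") print acct "\t" $0; next }
        { acct = $0 }
    '
}

# holders_of PRIVILEGE: accounts in the listing on stdin that hold PRIVILEGE.
holders_of() {
    rights_by_account | awk -F '\t' -v p="$1" '$2 == p { print $1 }'
}

# unexpected_holders PRIVILEGE ALLOWED...: holders missing from the allow-list.
unexpected_holders() {
    priv=$1; shift
    holders_of "$priv" | while IFS= read -r acct; do
        ok=no
        for allowed in "$@"; do
            if [ "$acct" = "$allowed" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then printf '%s\n' "$acct"; fi
    done
}

# Demo; live use: net rpc rights list accounts -U<user> | unexpected_holders ...
sample_rights | unexpected_holders SeDiskOperatorPrivilege \
    'TESTDOMAIN\Domain Admins' 'BUILTIN\Administrators'
```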