Hi, with the command
getent group Domain\ Admins
I obtain: domain admins:x:10512:
Is it correct?
On 12/02/2019 12:57, Rowland Penny via samba wrote:
> On Tue, 12 Feb 2019 11:13:56 +0100
> marco pirola via samba <samba at lists.samba.org> wrote:
>
>> I obtain this result. Impossible to enumerate the objects in the
>> container: access denied.
>>
> Hi Marco, you posted this as your smb.conf:
>
> [global]
> security = ADS
> workgroup = ROBINOOD
> realm = ROBINOOD.TST
> log file = /var/log/samba/%m.log
> log level = 1
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the ROBINOOD domain
> idmap config ROBINOOD : backend = rid
> idmap config ROBINOOD : range = 10000-999999
> winbind use default domain = yes
> username map = /etc/samba/user.map
>
> [samba]
> path = /home/samba/samba/
> read only = no
>
> So I added your share to an existing Unix domain member, that also uses
> the 'rid' backend, these are my notes, they prove it works.
>
> Log into the Samba Unix domain member that holds the share
>
> Some commands will be run as root
>
> Running the following command:
>
> getent group Domain\ Admins
>
> Should produce output similar to this:
>
> domain_admins:x:10512:administrator,rowland
>
> If you do not get output, then nothing is going to work.
>
> List the existing SeDiskOperatorPrivilege owners
>
> net rpc rights list privileges SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
> Enter ROBINOOD\administrator's password:
> SeDiskOperatorPrivilege:
> BUILTIN\Administrators
>
> If 'Domain Admins' isn't shown (as above), you need to add the group:
>
> net rpc rights grant "ROBINOOD\Domain Admins" SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
> Enter ROBINOOD\administrator's password:
> Successfully granted rights.
>
> Check the privilege owners again
>
> net rpc rights list privileges SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
> Enter ROBINOOD\administrator's password:
> SeDiskOperatorPrivilege:
> ROBINOOD\Domain_Admins
> BUILTIN\Administrators
>
> Now create the share directory (if it doesn't already exist):
>
> sudo mkdir -p /home/samba/samba/
>
> sudo chown root:Domain\ Admins /home/samba/samba/
> sudo chmod 0770 /home/samba/samba/
>
> Check the ownership:
>
> ls -lad /home/samba/samba/
> drwxrwx--- 2 root domain_admins 4096 Feb 12 10:47 /home/samba/samba/
>
> Reload Samba:
>
> sudo smbcontrol all reload-config
>
> Now go to a Windows machine (in my case win10) and log on using an account that is a member of Domain Admins.
>
> Click Start, enter Computer Management, and start the application.
>
> Select Action --> Connect to another computer.
>
> Enter the name of the Samba host and click OK to connect the console to the host.
>
> Open System Tools
> NOTE: You may get an error box, just click 'OK' and it will connect.
>
> Open Shared Folders --> Shares menu entry.
>
> Right-click the 'samba' share and select Properties.
>
> Select the Security tab.
>
> Click the Edit button and then the 'Add' button
>
> Click 'Advanced' button
>
> Click 'Find Now'
>
> Select a user or group from the list, I will use 'Domain Users'
>
> Click 'OK'
>
> Click 'OK'
>
> Select permissions to grant, I will grant 'Full control'
>
> A windows security box should open, asking if you want to continue
> Click 'Yes'
>
> If you now check the list of 'Group or user names', you should find 'Domain Users' listed
>
> Click OK to close the Properties box.
>
>
> Back to the Samba share machine:
>
> If you check the ownership of the share directory, you should see that something has been added:
>
> ls -lad /home/samba/samba/
> drwxrwx---+ 2 root domain_admins 4096 Feb 12 10:47 /home/samba/samba/
> ^
> |--- This
>
> If you now run:
>
> getfacl /home/samba/samba/
> getfacl: Removing leading '/' from absolute path names
> # file: home/samba/samba/
> # owner: root
> # group: domain_admins
> user::rwx
> user:root:rwx
> user:10512:rwx
> user:10513:rwx
> group::rwx
> group:domain_admins:rwx
> group:domain_users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:10513:rwx
> default:group::r-x
> default:group:domain_admins:r-x
> default:group:domain_users:rwx
> default:mask::rwx
> default:other::r-x
>
> You can now see that members of 'Domain Users' can Read, Write and enter the directory.
>
> Hope this helps
>
> Rowland
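The steps Rowland walks through above (group resolves via winbind, Domain Admins holds SeDiskOperatorPrivilege, the share directory carries a POSIX ACL that actually grants Domain Users access) can be checked from the member server without a Windows console. The script below is an added example written for this page, not code from the thread or from the Samba project. Each check is a function that takes the command's output as text, so it runs offline against sample output; the SAMPLE_ACL and MASKED_ACL values are constructed here (the first abridged from the getfacl listing quoted above, the second invented to show a mask that restricts an entry), and the share path, domain name and rid range are assumed from the quoted smb.conf. Run it with --live on the member server to feed it real getent, net rpc and getfacl output.

```shell
#!/bin/sh
# Added example: verify a Samba Unix domain member set up as in the thread.
# Assumptions taken from the quoted smb.conf; adjust for another site.
SHARE_DIR="${SHARE_DIR:-/home/samba/samba/}"
DOMAIN="${DOMAIN:-ROBINOOD}"
RID_LOW="${RID_LOW:-10000}"      # idmap config ROBINOOD : range = 10000-999999
RID_HIGH="${RID_HIGH:-999999}"

# check_group_line: one line of `getent group "Domain Admins"` output.
# Succeeds if the group resolves and its GID is in the domain's rid range.
# No line, or a GID from the '*' tdb range (3000-7999), means winbind did
# not map the AD group, and as the thread says nothing else will work.
check_group_line() {
    line="$1"
    [ -n "$line" ] || return 1
    gid=$(printf '%s\n' "$line" | cut -d: -f3)
    case "$gid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$gid" -ge "$RID_LOW" ] && [ "$gid" -le "$RID_HIGH" ]
}

# has_privilege: output of `net rpc rights list privileges SeDiskOperatorPrivilege`.
# Succeeds if Domain Admins is listed; the name may be printed with a space
# or, as in the thread, with an underscore, so both spellings are accepted.
has_privilege() {
    printf '%s\n' "$1" | grep -qi 'Domain[ _]Admins'
}

# acl_effective: getfacl output plus an ACL tag such as "group:domain_users",
# "user:10513", "user:" (the owner) or "default:group:domain_users".
# Prints the permissions that really apply: named users and all groups are
# ANDed with the mask (what getfacl shows as '#effective:'); the owner and
# 'other' entries are never masked. Fails if the entry is absent.
acl_effective() {
    acl="$1"; tag="$2"
    entry=$(printf '%s\n' "$acl" | sed -n "s#^${tag}:##p" | head -n 1 |
            sed 's/[[:space:]#].*//')
    [ -n "$entry" ] || return 1
    case "$tag" in
        user:|other:|default:user:|default:other:) mask=rwx ;;
        default:*) mask=$(printf '%s\n' "$acl" | sed -n 's#^default:mask::##p' | head -n 1) ;;
        *)         mask=$(printf '%s\n' "$acl" | sed -n 's#^mask::##p' | head -n 1) ;;
    esac
    [ -n "$mask" ] || mask=rwx          # no mask entry: nothing is masked out
    out=""; i=1
    while [ "$i" -le 3 ]; do
        e=$(printf '%s' "$entry" | cut -c"$i")
        m=$(printf '%s' "$mask" | cut -c"$i")
        if [ "$e" = "$m" ]; then out="$out$e"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Constructed sample, abridged from the getfacl listing quoted in the thread.
SAMPLE_ACL='user::rwx
user:10512:rwx
group::rwx
group:domain_admins:rwx
group:domain_users:rwx
mask::rwx
other::---
default:group:domain_admins:r-x
default:group:domain_users:rwx
default:mask::rwx'

# Constructed sample with a restrictive mask: the entry says rwx but only r-x applies.
MASKED_ACL='user::rwx
group::r-x
group:domain_users:rwx	#effective:r-x
mask::r-x
other::---'

# verify_member: run the real commands on the member server and report.
verify_member() {
    rc=0
    if check_group_line "$(getent group "Domain Admins")"; then
        echo "ok   Domain Admins resolves with a GID in the rid range"
    else
        echo "FAIL Domain Admins does not resolve (check winbind and idmap config)"; rc=1
    fi
    if has_privilege "$(net rpc rights list privileges SeDiskOperatorPrivilege -U "$DOMAIN\\administrator")"; then
        echo "ok   Domain Admins holds SeDiskOperatorPrivilege"
    else
        echo "FAIL grant it: net rpc rights grant \"$DOMAIN\\Domain Admins\" SeDiskOperatorPrivilege"; rc=1
    fi
    acl=$(getfacl -p "$SHARE_DIR" 2>/dev/null) || { echo "FAIL cannot read ACL of $SHARE_DIR"; return 1; }
    echo "info Domain Users effective access on $SHARE_DIR: $(acl_effective "$acl" group:domain_users || echo none)"
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    verify_member
fi
```

The mask check is the part worth keeping: a `group:domain_users:rwx` line alone does not prove write access, because POSIX ACLs apply the `mask::` entry to every named user and group entry, and a tighter mask silently downgrades them (getfacl marks such entries with `#effective:`). The default: entries are checked against `default:mask::` in the same way, since they decide what new files created through the share will inherit.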