Roberto Greiner
2019-Sep-06 16:00 UTC
[Samba] Unable to set attributes in a samba share (error 0x00000005)
Hi, I've set a share using samba, connected it to my Active Directory, and now I'm having problems when I copy files into this share. To setup the AD connection I've followed https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member, and installed it into my Debian 9 install using APT, after https://wiki.samba.org/index.php/Distribution-specific_Package_Installation. With the AD connection working, I've set my file share and connected to it from a Windows 2008 server. Then I started copying files from my old share using robocopy. If I use (z: is the old share, w: is the new one): robocopy /s /copy:DT /r:2 /w:1 z: w: It works. but if I use robocopy /s /copy:DATS /r:2 /w:1 z: w: The copy fails with error: 2019/09/06 10:18:40 ERROR 5 (0x00000005) Creating Destination Directory W:\<DESTINATION FOLDER> Access is denied. Since the share is used by different people with different privileges to the files, I need those additional attributes in /copy:DATS. Could somebody help me? My current setup is the following: Debian 9 VM, samba installed from APT smb.conf (comments removed): [global] security = ADS workgroup = DOMAIN realm = DOMAIN.FQDNFULLDOMAIN log file = /var/log/samba/%m.log log level = 1 idmap config * : backend = tdb idmap config * : range = 3000-7999 idmap config DOMAIN : backend = rid idmap config DOMAIN : range = 10000-999999 template shell = /bin/bash template homedir = /home/%U winbind enum users = yes winbind enum groups = yes vfs objects = acl_xattr map acl inherit = yes store dos attributes = yes ?? dns proxy = no ?? log file = /var/log/samba/log.%m ?? max log size = 1000 ?? panic action = /usr/share/samba/panic-action %d ?? server role = standalone server ?? passdb backend = tdbsam ?? obey pam restrictions = yes ?? unix password sync = yes ?? passwd program = /usr/bin/passwd %u ?? passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . ?? pam password change = yes ?? map to guest = bad user ?? usershare allow guests = yes [Users] ??????? browseable = yes ??????? writable = yes ??????? guest ok = no ??????? path = /share/Users ??????? directory mode = 770 ??????? create mode = 0770 ??????? force create mode = 0770 ??????? inherit acls = yes ??????? inherit permissions = yes ??????? inherit owner = yes /etc/krb5.conf: [libdefaults] ?default_realm = DOMAIN.FQDNDOMAIN ?dns_lookup_realm = false ?dns_lookup_kdc = true /etc/nsswitch.conf passwd:???????? compat winbind group:????????? compat winbind shadow:???????? compat gshadow:??????? files hosts:????????? files dns networks:?????? files protocols:????? db files services:?????? db files ethers:???????? db files rpc:??????????? db files netgroup:?????? nis wbinfo --ping-dc indicates a sucessfull connection. 'getent passwd' and 'getent group' list users and groups from windows correctly. Following https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs, I added the 'SeDiskOperatorPrivilege' privilege to my 'DOMAIN\domain admins' group, and /share/Users folder in the server was given the owner and attributes indicated in the same document. Am I missing something? Is there anything else that would be needed for understanding the problem? Thank you, Roberto Greiner --
Rowland penny
2019-Sep-09 07:34 UTC
[Samba] Unable to set attributes in a samba share (error 0x00000005)
On 06/09/2019 17:00, Roberto Greiner via samba wrote:> Hi, > > I've set a share using samba, connected it to my Active Directory, and > now I'm having problems when I copy files into this share. > > To setup the AD connection I've followed > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member, > and installed it into my Debian 9 install using APT, afterThat would get you Samba 4.5.16, this is EOL as far as Samba is concerned, can you upgrade to Buster ? This will get you Samba 4.9.5> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation. > > With the AD connection working, I've set my file share and connected to > it from a Windows 2008 server.Whoa, Windows 2000 ???? this went EOL in 2010 If you upgrade to 2003, this will get you to another EOL OS, this went EOL in 2015 If you upgrade to 2008, this will go EOL in January of next year Do not think of adding a Samba AD DC into the mix, the Windows 2000 dns server (if it is running one) is incompatible with the Samba dns server. You would need to upgrade (if you can) your 2000 to 2003 and ensure it is running the dns server as a 2003 dns server and then, maybe, it might work.> Then I started copying files from my old > share using robocopy. If I use (z: is the old share, w: is the new one): > > robocopy /s /copy:DT /r:2 /w:1 z: w: > > It works. but if I use > > robocopy /s /copy:DATS /r:2 /w:1 z: w: > > The copy fails with error: > > 2019/09/06 10:18:40 ERROR 5 (0x00000005) Creating Destination Directory > W:\<DESTINATION FOLDER> > Access is denied. > > Since the share is used by different people with different privileges to > the files, I need those additional attributes in /copy:DATS. > > Could somebody help me? My current setup is the following: > > Debian 9 VM, samba installed from APT >Try this smb.conf: [global] ??? workgroup = DOMAIN ??? security = ADS ??? realm = DOMAIN.FQDNFULLDOMAIN ??? winbind use default domain = yes ??? winbind expand groups = 2 ??? winbind refresh tickets = Yes ??? winbind offline logon = yes ??? idmap config * : backend = tdb ??? idmap config * : range = 3000-7999 ??? idmap config DOMAIN : backend = rid ??? idmap config DOMAIN : range = 10000-999999 ??? template shell = /bin/bash ??? template homedir = /home/%U ??? domain master = no ??? local master = no ??? preferred master = no ??? # user Administrator workaround, without it you are unable to set privileges ??? username map = /etc/samba/user.map ??? # For ACL support on domain member ??? vfs objects = acl_xattr ??? map acl inherit = Yes ??? store dos attributes = Yes ??? log file = /var/log/samba/%m.log ??? log level = 1 [Users] ??? read only = no ??? path = /share/Users create the /etc/samba/user.map with this content: !root = DOMAIN\Administrator Restart Samba and then reread this: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs Rowland
Roberto Greiner
2019-Sep-09 13:11 UTC
[Samba] Unable to set attributes in a samba share (error 0x00000005)
On 09/09/2019 04:34, Rowland penny via samba wrote:> On 06/09/2019 17:00, Roberto Greiner via samba wrote: >> Hi, >> >> I've set a share using samba, connected it to my Active Directory, and >> now I'm having problems when I copy files into this share. >> >> To setup the AD connection I've followed >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member, >> and installed it into my Debian 9 install using APT, after > That would get you Samba 4.5.16, this is EOL as far as Samba is > concerned, can you upgrade to Buster ? This will get you Samba 4.9.5Yes, I've rebuild the whole thing with Buster. I've found the actual error. While I followed the wiki for installing everything, I was copying the [Share] section from our current server (running samba 3.6.23, from a Centos 6). Whoever created that share was bonkers. I remade the share using only: [Share_name] ??????? comment = Explanation of the share ??????? read only = no ??????? path = /folder And with that it worked fine. Sorry....>> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation. >> >> >> With the AD connection working, I've set my file share and connected to >> it from a Windows 2008 server. > > Whoa, Windows 2000 ???? this went EOL in 2010Nope, not 2000. 2008....Yes, I will upgrade it as soon as possible.> ? Try this smb.conf: > > [global] > ??? workgroup = DOMAIN > ??? security = ADS > ? ..... > RowlandAs I said, it worked when I corrected that completely insane [share] setup. For some reason it worked in that ancient Samba 3.6, but with 4.5 and 4.9 (which I'm using now in Debian Buster), it does not work. Tks a lot Roberto Greiner --
Roberto Greiner
2019-Sep-11 11:33 UTC
[Samba] Unable to set attributes in a samba share (error 0x00000005)
On 09/09/2019 04:34, Rowland penny via samba wrote:> On 06/09/2019 17:00, Roberto Greiner via samba wrote: >> Hi, >> >> I've set a share using samba, connected it to my Active Directory, and >> now I'm having problems when I copy files into this share. >> >> To setup the AD connection I've followed >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member, >> and installed it into my Debian 9 install using APT, after > That would get you Samba 4.5.16, this is EOL as far as Samba is > concerned, can you upgrade to Buster ? This will get you Samba 4.9.5 > Then I started copying files from my old >> share using robocopy. If I use (z: is the old share, w: is the new one): >> >> robocopy /s /copy:DT /r:2 /w:1 z: w: >> >> It works. but if I use >> >> robocopy /s /copy:DATS /r:2 /w:1 z: w: >> >> The copy fails with error: >> >> 2019/09/06 10:18:40 ERROR 5 (0x00000005) Creating Destination Directory >> W:\<DESTINATION FOLDER> >> Access is denied. >> >> Since the share is used by different people with different privileges to >> the files, I need those additional attributes in /copy:DATS. >> >> Could somebody help me? My current setup is the following: >> >> Debian 9 VM, samba installed from APT >> > Try this smb.conf: > > [global] > ??? workgroup = DOMAIN > ??? security = ADS > ??? realm = DOMAIN.FQDNFULLDOMAIN > > ??? winbind use default domain = yes > ??? winbind expand groups = 2 > ??? winbind refresh tickets = Yes > ??? winbind offline logon = yes > > ??? idmap config * : backend = tdb > ??? idmap config * : range = 3000-7999 > ??? idmap config DOMAIN : backend = rid > ??? idmap config DOMAIN : range = 10000-999999 > ??? template shell = /bin/bash > ??? template homedir = /home/%U > > ??? domain master = no > ??? local master = no > ??? preferred master = no > > ??? # user Administrator workaround, without it you are unable to set > privileges > ??? username map = /etc/samba/user.map > > ??? # For ACL support on domain member > ??? vfs objects = acl_xattr > ??? map acl inherit = Yes > ??? store dos attributes = Yes > > ??? log file = /var/log/samba/%m.log > ??? log level = 1 > > [Users] > ??? read only = no > ??? path = /share/UsersAsa I reported earlier, The problem was in the settings used in the [share] sections. Replacing them with the default settings from the wiki, made it work. But later I hit in another problem: Only users with admin rights managed to access the share. So I added the other differences you included above (the winbind lines and xxxx master = no lines), and tested again. It worked and now all users have proper access. Tks Rowland, you saved my day ^_^ Roberto Greiner --