Roy Eastwood
2019-Sep-25 15:25 UTC
[Samba] Unable to use BUILTIN AD groups on a domain member
I have set up a share on a domain member server and am attempting to set the ACLs from a domain-joined Windows 7 computer as per the Wiki at https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

I want to use one of the BUILTIN groups, Backup Operators, to be able to have Full Control on files in the share (as it will be used for backups). However, when trying to assign the group, Windows cannot find it. (If I perform the same on a share on one of the DCs, it works OK.) I can set ACLs for the usual domain groups, eg Domain Admins, Domain Users etc, but none of the BUILTIN groups are found.

The server's OS is Raspbian Buster, Samba is Version 4.9.5-Debian. The server knows about the groups, as id test1 (an AD user) gives:

uid=13101(test1) gid=10513(domain users) groups=10513(domain users),13101(test1),2001(BUILTIN\users)

So I assume nsswitch is set up OK.

wbinfo -g and getent group (when the two "winbind enum" lines in smb.conf were active) list all the Domain groups, but none of the BUILTIN groups.

The smb.conf is:

[global]
netbios name = pi4b
security = ADS
workgroup = MICROLYNX
realm = MICROLYNX.ORG

# disable smb1
client min protocol = smb2_02
server min protocol = smb2_02

log file = /var/log/samba/%m.log
log level = 1

# to prevent "Address family not supported by protocol" messages (ipv6)
bind interfaces only = yes
interfaces = lo eth0

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes

winbind use default domain = yes

# Default idmap config used for BUILTIN and local accounts/groups
idmap config * : backend = tdb
idmap config * : range = 2000-9999

# idmap config for domain MICROLYNX
idmap config MICROLYNX:backend = rid
idmap config MICROLYNX:range = 10000-99999

# next two lines for testing only - comment-out once working ok
# winbind enum users = yes
# winbind enum groups = yes

# template shell = /bin/bash
# template homedir = /srv/samba/users/%U

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
username map = /etc/samba/user.map

[images]
# for backup images made by Macrium Reflect
path = /srv/samba/images
read only = no
acl_xattr:ignore system acl = yes

In the meantime I have used Domain Admins. getfacl shows:

getfacl /srv/samba/images
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/images
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:10512:rwx
user:10513:r-x
group::rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:10513:r-x
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:---
default:group:domain\040users:r-x
default:mask::rwx
default:other::---

How do I assign the Backup Operators ACLs on the share? If this isn't possible, I guess I could use delegation or nested groups. But I think I must have something set up incorrectly. Appreciate any advice.

Thanks,

Roy
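The idmap section of the smb.conf above decides which Unix ID a SID gets on this member server, and the numbers in the getfacl output (10512, 10513, and the 2001 for BUILTIN\users) follow from it. The Python below is an added example, not code from the thread or from the Samba project: it parses the idmap config lines (the thread's own values, embedded as a constructed sample), applies the rid backend's documented rule (ID = RID + low end of the domain range) for domain SIDs, models the tdb backend used for the "*" range as a first-seen allocator, and flags overlapping or incomplete ranges. The domain SID is a constructed placeholder; on a real member it comes from wbinfo --domain-info, and the function and class names are this example's own.

```python
import re

# Constructed sample: the idmap lines from the smb.conf posted in the thread.
SMB_CONF = """\
[global]
   workgroup = MICROLYNX
   # Default idmap config used for BUILTIN and local accounts/groups
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   # idmap config for domain MICROLYNX
   idmap config MICROLYNX:backend = rid
   idmap config MICROLYNX:range = 10000-99999
"""

# Constructed placeholder; the real domain SID is not on the page.
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"
BUILTIN_SID = "S-1-5-32"   # well-known prefix of every BUILTIN group

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>\S+)",
    re.IGNORECASE,
)


def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        entry = cfg.setdefault(m.group("dom").upper(), {})
        if m.group("key").lower() == "backend":
            entry["backend"] = m.group("val").lower()
        else:
            low, high = (int(x) for x in m.group("val").split("-"))
            entry["range"] = (low, high)
    return cfg


def check_ranges(cfg):
    """Report misconfigurations: missing '*' entry, incomplete entries, overlapping ranges."""
    issues = []
    if "*" not in cfg:
        issues.append("no 'idmap config *' entry: BUILTIN and well-known SIDs cannot be mapped")
    for dom, entry in cfg.items():
        if "backend" not in entry or "range" not in entry:
            issues.append(f"idmap config {dom} needs both a backend and a range")
    doms = sorted(d for d in cfg if "range" in cfg[d])
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = cfg[a]["range"], cfg[b]["range"]
            if alo <= bhi and blo <= ahi:
                issues.append(f"ranges for {a} and {b} overlap: one Unix ID could stand for two SIDs")
    return issues


class TdbAllocator:
    """Simplified model of the tdb backend: IDs come out of the '*' range in the
    order SIDs are first seen and are remembered afterwards. Real winbind keeps
    this table in its own tdb file, so the numbers differ from server to server."""

    def __init__(self, low, high):
        self.low, self.high = low, high
        self.table = {}

    def lookup(self, sid):
        if sid not in self.table:
            nxt = self.low + len(self.table)
            if nxt > self.high:
                raise ValueError("'*' idmap range exhausted")
            self.table[sid] = nxt
        return self.table[sid]


def map_sid(sid, cfg, workgroup, domain_sid, allocator):
    """Return (idmap domain, unix id) for a SID via the backend that handles it."""
    rid = int(sid.rsplit("-", 1)[1])
    if sid.startswith(domain_sid + "-"):
        entry = cfg[workgroup.upper()]
        if entry["backend"] == "rid":
            low, high = entry["range"]
            uid = low + rid                      # idmap_rid: ID = RID + LOW_RANGE_ID
            if uid > high:
                raise ValueError(f"RID {rid} falls outside the {workgroup} range")
            return workgroup.upper(), uid
        raise NotImplementedError(f"backend {entry['backend']} is not modelled here")
    # BUILTIN (S-1-5-32-*) and other well-known SIDs go to the '*' configuration
    return "*", allocator.lookup(sid)


def demo():
    cfg = parse_idmap(SMB_CONF)
    alloc = TdbAllocator(*cfg["*"]["range"])
    args = (cfg, "MICROLYNX", DOMAIN_SID, alloc)
    return {
        "issues": check_ranges(cfg),
        "Domain Admins (RID 512)": map_sid(DOMAIN_SID + "-512", *args),
        "Domain Users (RID 513)": map_sid(DOMAIN_SID + "-513", *args),
        "BUILTIN\\Users (S-1-5-32-545)": map_sid(BUILTIN_SID + "-545", *args),
        "BUILTIN\\Backup Operators (S-1-5-32-551)": map_sid(BUILTIN_SID + "-551", *args),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Domain Admins (RID 512) maps to 10512 and Domain Users (RID 513) to 10513, which are exactly the numeric entries in the getfacl output; those IDs are the same on every member server that uses the same rid range, so file ownership survives a move between hosts. BUILTIN SIDs such as S-1-5-32-545 (Users) and S-1-5-32-551 (Backup Operators) fall to the "*" tdb range, which is why BUILTIN\users shows up as 2001: an ID that is local to this server and would come out differently elsewhere. The overlap check matters because the domain range must be wide enough for every RID and must not intersect the "*" range; otherwise one Unix ID can stand for two different SIDs and an ACL entry no longer means what the Windows side set.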
Rowland penny
2019-Sep-25 16:24 UTC
[Samba] Unable to use BUILTIN AD groups on a domain member
On 25/09/2019 16:25, Roy Eastwood via samba wrote:
> I have set up a share on a domain member server and am attempting to set the ACLs from a domain-joined Windows 7 computer as per the
> Wiki at https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> I want to use one of the BUILTIN groups, Backup Operators, to be able to have Full Control on files in the share (as it will be used
> for backups). However, when trying to assign the group, Windows cannot find it. (If I perform the same on a share on one of the
> DCs, it works OK.) I can set ACLs for the usual domain groups, eg Domain Admins, Domain Users etc, but none of the BUILTIN groups
> are found.
>
> [...]
>
> How do I assign the Backup Operators ACLs on the share?
> If this isn't possible, I guess I could use delegation or nested groups.
> But I think I must have something set up incorrectly. Appreciate any advice.
>
> Thanks,
>
> Roy

No, you haven't got anything set up incorrectly ;-)

Backup Operators is a Windows group, so you cannot use it anywhere but on Windows or a Samba DC.

I would just create a new group and make this group a member of Backup Operators.

Rowland
Roy Eastwood
2019-Sep-25 17:53 UTC
[Samba] Unable to use BUILTIN AD groups on a domain member
On 25 September 2019 17:25, Rowland penny wrote:
> On 25/09/2019 16:25, Roy Eastwood via samba wrote:
> > I have set up a share on a domain member server and am attempting to set the ACLs from a domain-joined Windows 7 computer as
> > per the Wiki at https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> > I want to use one of the BUILTIN groups, Backup Operators, to be able to have Full Control on files in the share (as it will be
> > used for backups). However, when trying to assign the group, Windows cannot find it. (If I perform the same on a share on one
> > of the DCs, it works OK.) I can set ACLs for the usual domain groups, eg Domain Admins, Domain Users etc, but none of the
> > BUILTIN groups are found.
> >
> > [...]
> >
> > How do I assign the Backup Operators ACLs on the share? If this isn't possible, I guess I could use delegation or nested groups.
> > But I think I must have something set up incorrectly. Appreciate any advice.
> >
> > Thanks,
> >
> > Roy
>
> No, you haven't got anything set up incorrectly ;-)
>
> Backup Operators is a Windows group, so you cannot use it anywhere but
> on Windows or a Samba DC.
>
> I would just create a new group and make this group a member of Backup
> Operators.
>
> Rowland

Thanks. I think I understand. In that case, should I be able to assign a BUILTIN group's permissions to a folder on the Windows machine, which is joined to the domain, when I am logged on as a member of Domain Admins? But I get the same problem - cannot find the group 'Backup Operators'. Does this mean this will only work when I am a member of a domain which has a Windows DC? Or are the BUILTIN groups only available on a DC (Windows or Samba flavour) itself?

Yes, either way, I'll create a new group as you say. Once again many thanks for your help.

Roy