Status:

domain member server, Samba version 4.10.11-Debian

[global]
    dedicated keytab file = /etc/krb5.keytab
    domain master = No
    kerberos method = secrets and keytab
    load printers = No
    local master = No
    preferred master = No
    printcap name = /dev/null
    realm = customer.INTRA
    security = ADS
    template homedir = /mnt/MSA2040/smb/Homes/%D/%U
    unix charset = iso8859-15
    unix extensions = No
    username map = /etc/samba/samba_usermapping
    winbind cache time = 10
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = customer
    full_audit:priority = notice
    full_audit:facility = local5
    full_audit:success = mkdir rmdir read pread write pwrite rename unlink
    full_audit:failure = connect
    full_audit:prefix = %u|%I|%m|%S
    idmap config customer : backend = rid
    idmap config customer : range = 10000-20000
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    acl allow execute always = Yes
    inherit acls = Yes
    map acl inherit = Yes
    vfs objects = acl_xattr full_audit
    wide links = Yes

- multiple shares, one of them:

[QM]
    path = /mnt/MSA2040/smb/QM
    read only = No

Windows ACLs set on the shares, worked fine so far.

I followed
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

...

The share "QM" gives us issues when we edit ACLs via RSAT on windows DC.

access denied

Tried to remove acls on linux with

    setfacl -bnR .

Folder is owned by

administrator:10513

etc etc - I don't know how to fix this and ask for help.

So far I always was able to reset that by chowning the folder, chmod 770 ... and after that I could edit the ACLs via RSAT.

thanks for pointers!

On 24/02/2020 08:52, Stefan G. Weichinger via samba wrote:
> Status:
>
> domain member server, Samba version 4.10.11-Debian
>
>
> username map = /etc/samba/samba_usermapping

I take it that samba_usermapping contains something like this:

!root = CUSTOMER\Administrator

> The share "QM" gives us issues when we edit ACLs via RSAT on windows DC.
>
> access denied
>
> Folder is owned by
>
> administrator:10513
>

So why does 'administrator' own the share and not root?

If 'Administrator' is used on a Unix domain member, then 'Administrator' will only be like any other Unix user and will only be able to do what a normal user can.

Change the owner to 'root' and never use Administrator on a Unix domain member.

Rowland

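Added example, not part of the thread and not Samba's own code: a simplified Python model of how a username map file such as the one Rowland describes is evaluated, showing that `CUSTOMER\Administrator` becomes `root` only when a line maps it. The function names and the sample file are constructed; it assumes case-insensitive name matching and skips group entries such as `@group`.

```python
import re

# Constructed sample; only the "!root = ..." line is quoted in the thread.
SAMPLE_MAP = r"""
# constructed sample of /etc/samba/samba_usermapping
; lines starting with '#' or ';' are comments
!root = CUSTOMER\Administrator
"""

def split_names(text):
    """Split the right-hand side on whitespace, keeping "quoted names" whole."""
    return [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', text)]

def map_user(map_text, win_name):
    """Return the Unix name that map_text assigns to win_name (hypothetical helper)."""
    mapped = win_name                      # no matching line: name is unchanged
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")        # '!' = stop once this line has matched
        unix_name, sep, rhs = line.lstrip("!").partition("=")
        if not sep:
            continue                       # not a "unix = windows ..." line
        names = split_names(rhs)
        # Simplification: '@group' style entries need NSS lookups and never match here.
        if any(n == "*" or n.lower() == win_name.lower() for n in names):
            mapped = unix_name.strip()
            if stop:
                break
    return mapped

if __name__ == "__main__":
    for name in (r"CUSTOMER\Administrator", r"CUSTOMER\alice"):
        print(f"{name} -> {map_user(SAMPLE_MAP, name)}")
```

An account that no line maps keeps its own name and is treated like any other domain user, which is the case Rowland warns about for 'Administrator'.
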
On 24.02.20 at 10:34, Rowland penny via samba wrote:
> On 24/02/2020 08:52, Stefan G. Weichinger via samba wrote:
>> Status:
>>
>> domain member server, Samba version 4.10.11-Debian
>>
>>
>> username map = /etc/samba/samba_usermapping
>
> I take it that samba_usermapping contains something like this:
>
> !root = CUSTOMER\Administrator
>
>> The share "QM" gives us issues when we edit ACLs via RSAT on windows DC.
>>
>> access denied
>>
>> Folder is owned by
>>
>> administrator:10513
>>
> So why does 'administrator' own the share and not root ?
>
> If 'Administrator' is used on a Unix domain member, then 'Administrator'
> will only be like any other Unix user and will only be able to do what a
> normal user can.
>
> Change the owner to 'root' and never use Administrator on a Unix domain
> member.

(solved it somehow in between)

I won't touch it anymore today as things work right now.

Thanks for the clarifying hint, I will use "root" from now on ...

thanks @Rowland

On 24.02.20 at 10:34, Rowland penny via samba wrote:
> Change the owner to 'root' and never use Administrator on a Unix domain
> member.

wiki says:

# chown root:"Unix Admins" /srv/samba/Demo/
# chmod 0770 /srv/samba/Demo/

I don't have "Unix Admins" ... and the chown to root makes my Windows-connections fail with Administrator ...

the users seem to stay connected, though