I'm having trouble with my new fileserver, I can't make the shares viewable by windows clients.

I had the same problems with the first file server I built and cannot remember what I did to "fix" it.

I have gone through the page "Setting up a share using Windows ACL's" on the Samba Wiki (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs) but when I get to the step where I am actually setting the ACL's, when I click OK, it tries to apply the ACL's to all the files in the folder and comes back saying that it has failed to enumerate the files and access is denied.

Since there are already files in the share, I used chown -R and chmod -R to apply the owner/group and file permissions to all files, but that didn't help.

I have also tried it with both root as the owner and "domain admins".

Since these files are not sensitive, I even tried setting the permissions to 777.

I have rebooted also.

The user I am logged in to my Windows machine with is a member of the domain admins group.

Here's my smb.conf

[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.KCS

winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
disable netbios = yes
dns proxy = no

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config INTERNAL : backend = rid
idmap config INTERNAL : range = 10000-999999

template shell = /bin/bash
template homedir = /home/users/%U

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map

vfs objects = acl_xattr
map acl inherit = Yes

# Comment the following 4 lines to act as a print server
# printcap name = /dev/null
# load printers = no
# disable spoolss = yes
# printing = bsd

[data]
path = /hdd/shares
read only = no

[home]
path = /home/users/%U
read only = no

[old-profiles]
path = /hdd/roaming
read only = no

[archive]
path = /hdd/archive
read only = no

and here's the getfacl of the folder in question:

itadmin at john:~$ getfacl /hdd/roaming
getfacl: Removing leading '/' from absolute path names
# file: hdd/roaming
# owner: domain\040admins
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:adm:rwx
group:domain\040admins:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:domain\040admins:rwx
default:group::rwx
default:group:adm:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

On 04/11/2020 18:13, Peter Pollock via samba wrote:
> I'm having trouble with my new fileserver, I can't make the shares viewable
> by windows clients.
>
> I had the same problems with the first file server I built and cannot
> remember what I did to "fix" it.
>
> I have gone through the page "Setting up a share using Windows ACL's" on
> the Samba Wiki (
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs) but
> when I get to the step where I am actually setting the ACL's, when I click
> OK, it tries to apply the ACL's to all the files in the folder and comes
> back saying that it has failed to enumerate the files and access is denied.
>
> Since there are already files in the share, I used chown -R and chmod -R to
> apply the owner/group and file permissions to all files, but that didn't
> help.
>
> I have also tried it with both root as the owner and "domain admins".
>
> Since these files are not sensitive, I even tried setting the permissions
> to 777.
>
> I have rebooted also.
>
> The user I am logged in to my Windows machine with is a member of the
> domain admins group.
>
> Here's my smb.conf
>
> [global]
> workgroup = INTERNAL
> security = ADS
> realm = INTERNAL.KCS
>
> winbind use default domain = yes
> winbind expand groups = 2
> winbind refresh tickets = Yes
> disable netbios = yes
> dns proxy = no
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config INTERNAL : backend = rid
> idmap config INTERNAL : range = 10000-999999
>
> template shell = /bin/bash
> template homedir = /home/users/%U
>
> # user Administrator workaround, without it you are unable to set
> privileges
> username map = /etc/samba/user.map
>
> vfs objects = acl_xattr
> map acl inherit = Yes
>
> # Comment the following 4 lines to act as a print server
> # printcap name = /dev/null
> # load printers = no
> # disable spoolss = yes
> # printing = bsd
>
> [data]
> path = /hdd/shares
> read only = no
>
> [home]
> path = /home/users/%U
> read only = no
>
> [old-profiles]
> path = /hdd/roaming
> read only = no
>
> [archive]
> path = /hdd/archive
> read only = no
>
> and here's the getfacl of the folder in question:
>
> itadmin at john:~$ getfacl /hdd/roaming
> getfacl: Removing leading '/' from absolute path names
> # file: hdd/roaming
> # owner: domain\040admins
> # group: domain\040admins
> user::rwx
> user:root:rwx
> group::rwx
> group:adm:rwx
> group:domain\040admins:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:root:rwx
> default:user:domain\040admins:rwx
> default:group::rwx
> default:group:adm:rwx
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---

OK, you are using the winbind 'rid' backend, so it is okay to use 'Domain Admins', so start again and follow that wikipage:

Ensure you have the 'acl' & 'attr' packages installed (this is what they are called on Debian based distros)

Ensure that 'Domain Admins' has the 'SeDiskOperatorPrivilege' privilege, this must be granted on the Unix domain member, or to put it another way, the command must be run on the Unix domain member that holds the share.

Ensure the share directory belongs to 'root:Domain Admins' with 0770 permissions

Now go to a Windows PC, log in as Administrator or as a member of the 'Domain Admins' group.

Follow 'Setting Share Permissions and ACLs'

Do not run chmod against the share directory once the shares are set from Windows.

If it still doesn't work, suspect something like Apparmor or Selinux.

Rowland
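
Added example, not part of the thread: a shell check that reads `getfacl` output and compares it with the baseline given in the reply above (owner root, group 'domain admins', mode 0770, so nothing for 'other'). The names `check_share_acl` and `sample_acl` and the message wording are illustrative; the sample is an abridged copy of the getfacl output posted earlier in the thread.

```bash
#!/usr/bin/env bash
# Added example: compare `getfacl` output (stdin) with the baseline from the
# reply above: owner root, group "domain admins", no access for "other" (0770).
# check_share_acl and sample_acl are illustrative names, not Samba tools.

check_share_acl() {
  local want_owner="${1:-root}" want_group="${2:-domain admins}"
  awk -v wo="$want_owner" -v wg="$want_group" '
    # getfacl prints spaces in names as \040; decode before comparing.
    function unesc(s) { gsub(/\\040/, " ", s); return s }
    /^# owner: / { owner = unesc(substr($0, 10)); next }
    /^# group: / { group = unesc(substr($0, 10)); next }
    /^#/ || /^[ \t]*$/ { next }
    {
      split($0, f, ":")
      if (f[1] == "default") { scope = "default"; tag = f[2]; perms = f[4] }
      else                   { scope = "access";  tag = f[1]; perms = f[3] }
      if (tag == "other" && perms != "---") {
        printf "FAIL %s ACL grants other:%s, expected ---\n", scope, perms
        bad++
      }
    }
    END {
      if (tolower(owner) != tolower(wo)) {
        printf "FAIL owner is \"%s\", expected \"%s\"\n", owner, wo; bad++
      }
      if (tolower(group) != tolower(wg)) {
        printf "FAIL group is \"%s\", expected \"%s\"\n", group, wg; bad++
      }
      if (!bad) print "OK matches baseline"
      exit (bad ? 1 : 0)
    }
  '
}

# Abridged getfacl output for /hdd/roaming as posted in the thread.
sample_acl() {
  cat <<'EOF'
# owner: domain\040admins
# group: domain\040admins
user::rwx
group:domain\040admins:rwx
other::rwx
default:other::---
EOF
}

sample_acl | check_share_acl || true
```

On the share host the same function can be fed live output, for example `getfacl /hdd/roaming 2>/dev/null | check_share_acl`.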

> OK, you are using the winbind 'rid' backend, so it is okay to use
> 'Domain Admins', so start again and follow that wikipage:
>
> Ensure you have the 'acl' & 'attr' packages installed (this is what they
> are called on Debian based distros)
>

They are installed. I built the server using the walk through you gave me.

> Ensure that 'Domain Admins' has the 'SeDiskOperatorPrivilege' privilege,
> this must be granted on the Unix domain member, or to put it another
> way, the command must be run on the Unix domain member that holds the
> share.
>

itadmin at john:~$ net rpc rights list privileges SeDiskOperatorPrivilege -U "INTERNAL\administrator"
Enter INTERNAL\administrator's password:
SeDiskOperatorPrivilege:
  INTERNAL\Domain Admins
  BUILTIN\Administrators

> Ensure the share directory belongs to 'root:Domain Admins' with 0770
> permissions
>

itadmin at john:~$ ls -l /hdd
drwxrwx---+ 192 root domain admins 12288 Sep 4 12:02 roaming

>
> Now go to a Windows PC, log in as Administrator or as a member of the
> 'Domain Admins' group.
>

Logged in as peterpollock

itadmin at john:~$ getent group "domain admins"
domain admins:x:10512:backupadmin,administrator,kevindalafu,peterpollock,domainadmin

>
> Follow 'Setting Share Permissions and ACLs'
>

Followed the instructions again. Got through to the second to last line, clicked OK to close the permissions window and a "Windows Security Setting security information on:" window popped up and immediately an error window popped up telling me that it could not enumerate objects in the container and access was denied.

>
> Do not run chmod against the share directory once the shares are set
> from Windows.
>
> If it still doesn't work, suspect something like Apparmor or Selinux.
>

I have uninstalled Apparmor because it has only ever caused me issues. Selinux is installed but not activated.

I'm at a loss.

> Rowland