Greg Sloop <gregs@sloop.net>
2022-Mar-10 19:32 UTC
[Samba] Setting permissions on AD member file server
No, that doesn't appear to resolve it.
(Not that it matters a ton, but what is that option - what does it even do?)

On Thu, Mar 10, 2022 at 10:55 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 2022-03-10 at 10:43 -0800, Greg Sloop <gregs--- via samba> wrote:
> > So, this is kind of odd.
> >
> > Samba member server;
> > Ubuntu 20.04, with Louis' Samba packages. (4.15.5)
> > Went through setup as described in the wiki for member servers - all seems fine.
> > SeDiskOperatorPrivilege is granted to Domain Admins too.
> >
> > Initially I chowned the dirs/files as root:domain admins
> > and chmod 0770
> > getfacl shows:
> > # file: .
> > # owner: root
> > # group: AD\\domain\040admins
> > user::rwx
> > group::rwx
> > other::---
> >
> > However,
> > When I try to set permissions from a Windows 10 machine, using windows file explorer, I get this message:
> >
> > "Failed to enumerate objects in the container. Access is denied."
> >
> > I'm logged into the domain on the station where I'm trying to mod
> > permissions as a user that's a member of "Domain Admins"
> >
> > ---
> > smb.conf from the member/file server
> > ---
> > [global]
> > realm = AD.SAMDOM.LOCAL
> > security = ADS
> > server role = member server
> > server string = FileServer
> > username map = /etc/samba/user.map
> > workgroup = AD
> > idmap config ad : range = 10000-999999
> > idmap config ad : backend = rid
> > idmap config * : range = 3000-7999
> > idmap config * : backend = tdb
> > map acl inherit = Yes
> > vfs objects = acl_xattr
> >
> >
> > [root-share]
> > comment = root-share
> > path = /abc-zfs-01/ad-shared-folders/
> > read only = No
> >
> > ---
> > Any good pointers?
>
> Try adding 'min domain uid = 0' to global and reload the config or
> restart Samba
>
> Rowland

On Thu, 2022-03-10 at 11:32 -0800, Greg Sloop <gregs--- via samba wrote:
> No, that doesn't appear to resolve it.
> (Not that it matters a ton, but what is that option - what does it
> even do?)

It allows Administrator to set permissions (in conjunction with a user.map) on a Unix share from Windows.

I can now confirm that a member of Domain Admins is denied changing permissions from Windows:

'Failed to enumerate objects in the container. Access is denied.'

Looking in the logs (log.smbd to be precise), I found this:

[2022/03/11 14:31:09.597911, 10, pid=3567, effective(11107, 10513), real(11107, 0)] ../../source3/smbd/open.c:6254(create_file_default)
  create_file: NT_STATUS_ACCESS_DENIED

Rowland
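
Added example, not written by either poster and not Samba project code: a small parser that pulls NT_STATUS_ACCESS_DENIED entries out of log.smbd text and translates the effective/real Unix IDs in the debug header back to domain RIDs, using the `idmap config ad` range quoted in the thread. It assumes the idmap_rid default `base_rid = 0` (the quoted smb.conf does not set it); the second log entry in the sample is constructed.

```python
import re

# idmap range for domain AD, from the smb.conf quoted in the thread (rid backend).
LOW_ID, HIGH_ID = 10000, 999999
BASE_RID = 0  # assumption: idmap_rid default, the quoted config sets no base_rid

# Well-known domain RIDs.
WELL_KNOWN = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}

HEADER = re.compile(
    r"\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+), pid=(?P<pid>\d+), "
    r"effective\((?P<euid>\d+), (?P<egid>\d+)\), "
    r"real\((?P<ruid>\d+), (?P<rgid>\d+)\)\]\s+(?P<src>\S+)"
)

# First entry is the one posted in the thread; the second is constructed.
SAMPLE_LOG = """\
[2022/03/11 14:31:09.597911, 10, pid=3567, effective(11107, 10513), real(11107, 0)] ../../source3/smbd/open.c:6254(create_file_default)
  create_file: NT_STATUS_ACCESS_DENIED
[2022/03/11 14:31:10.000001, 10, pid=3567, effective(0, 0), real(0, 0)] ../../source3/smbd/example.c:1(constructed_entry)
  constructed: NT_STATUS_OK
"""

def unix_id_to_rid(unix_id):
    """Invert idmap_rid's ID = RID - BASE_RID + LOW_ID; None if outside the range."""
    if not LOW_ID <= unix_id <= HIGH_ID:
        return None
    return unix_id - LOW_ID + BASE_RID

def describe(unix_id):
    rid = unix_id_to_rid(unix_id)
    if rid is None:
        return f"{unix_id} (not in the AD idmap range)"
    return f"{unix_id} = RID {rid} ({WELL_KNOWN.get(rid, 'other domain account or group')})"

def access_denied_events(log_text):
    """Return one dict per debug entry whose message reports NT_STATUS_ACCESS_DENIED."""
    events, lines = [], log_text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER.match(line.strip())
        msg = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if m and "NT_STATUS_ACCESS_DENIED" in msg:
            ids = {k: int(m.group(k)) for k in ("euid", "egid", "ruid", "rgid")}
            events.append({"ts": m.group("ts"), "src": m.group("src"), "message": msg,
                           **ids, "who": {k: describe(v) for k, v in ids.items()}})
    return events

if __name__ == "__main__":
    for ev in access_denied_events(SAMPLE_LOG):
        print(ev["ts"], ev["src"], ev["message"], ev["who"], sep="\n  ")
```

For the posted entry this reports effective uid 11107 as RID 1107 and effective gid 10513 as RID 513 (Domain Users); the header carries only the primary gid, so supplementary groups have to be checked separately.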