Development Kleinevogel.de
2022-Jul-29 16:08 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
Dear all,

I set up my Debian 11.1 and Ubuntu 22.04 machines as domain members (ADS) with Samba 4.15.5, connected to my quite new Samba 4.15.5 PDC, and want to use them as file servers with Windows ACLs. I compiled all of them myself.

I hope you can give me some tips to get my new environment to work. You will find my error log, troubleshooting steps and smb config at the end of this message.

The error message in Windows, when I do not use the Administrator account:

    "Error applying security
    An error occurred while applying security information to:
    \\kvstorage01\Demo-01
    Failed to enumerate objects in the container. Access is denied."

The problem is:
- that I can't set up the ACL permissions on the top of the share via the Windows compmgmt.msc security tab from my Windows 10 domain member as any user other than Domain\Administrator.
- I can change / add share permissions for domain local security groups I created myself when I use the Domain Administrator.
- I didn't test creating or adding folders to / inside the share yet.
- Later, I will try to symlink directories from another mountpoint inside the shared folder.

The domain has a full A-G-DL-P structure for future experiments on my side.
- The user james.bond is a member of a global group and has its own uid 49999 and gid 39999.
- The global group sec-admin-home-fileshare-administrator is a member of the domain local group.
- The domain local group sec-file-home-administrator has gid 11000 and is assigned for the file permissions of the shared folder in Linux.
- There is a domain global group sec-admin-home-unix-domain-administrators, which has gid 10001 and is a member of Domain\Administrators.

##########################################
My errors in /var/log/samba/192.168.188.91.log

[2022/07/29 13:50:01.941609,  3] ../../source3/smbd/nttrans.c:2224(smbd_do_query_security_desc)
  smbd_do_query_security_desc: sd_size = 108.
[2022/07/29 13:50:01.943333,  3] ../../source3/smbd/nttrans.c:2224(smbd_do_query_security_desc)
  smbd_do_query_security_desc: sd_size = 64.
[2022/07/29 13:50:01.945291,  3] ../../source3/smbd/dir.c:1031(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found . fname=. (.)
[2022/07/29 13:50:01.946070,  3] ../../source3/smbd/dir.c:1031(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found .. fname=.. (..)
[2022/07/29 13:50:01.946522,  3] ../../source3/smbd/smb2_server.c:3953(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[STATUS_NO_MORE_FILES] || at ../../source3/smbd/smb2_query_directory.c:160
[2022/07/29 13:50:01.953769,  1] ../../source3/smbd/posix_acls.c:2962(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file on file [.]: (Operation not permitted)
[2022/07/29 13:50:01.953947,  3] ../../source3/smbd/posix_acls.c:3689(set_nt_acl)
  set_nt_acl: failed to set file acl on file . (Operation not permitted).
[2022/07/29 13:50:01.954098,  3] ../../source3/smbd/smb2_server.c:3953(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_setinfo.c:137

##########################################
My troubleshooting steps:

- SeDiskOperatorPrivilege
  net rpc rights list privileges SeDiskOperatorPrivilege -U "Administrator"
  Password for [DOMAIN\Administrator]:
  SeDiskOperatorPrivilege:
   DOMAIN\sec-file-home-administrator
   BUILTIN\Administrators
   DOMAIN\sec-admin-home-unix-domain-administrators
   DOMAIN\james.bond

- wbinfo -u
  DOMAIN\administrator
  DOMAIN\svc-linuxreader-krb
  DOMAIN\dns-kvaddc01
  DOMAIN\james.bond
  DOMAIN\guest
  DOMAIN\krbtgt
  DOMAIN\svc-linuxreader-ldap
  DOMAIN\svc-nextcloud-ldap
  -> I only created the svc-*'s and the james.bond user. Only james.bond has a gid.

- getent group / user
  DOMAIN\domain users:x:10000:
  DOMAIN\sec-admin-home-unix-domain-administrators:x:10001:
  DOMAIN\sec-file-home-administrator:x:11000:
  DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash
  DOMAIN\james.bond-group:x:39999:

- smbd -b | grep HAVE_LIBACL
  HAVE_LIBACL

- testparm -sv | grep acl
  Load smb config files from /usr/local/samba/etc/smb.conf
  Loaded services file OK.
  Weak crypto is allowed
  Server role: ROLE_DOMAIN_MEMBER
  acl allow execute always = No
  acl check permissions = Yes
  acl flag inherited canonicalization = Yes
  acl group control = No
  acl map full control = Yes
  force unknown acl user = No
  inherit acls = No
  map acl inherit = No
  nt acl support = Yes
  vfs objects = acl_xattr
  acl_xattr:ignore system acls = yes

- ls -ll /media/fileshare/
  drwxrwx--- 2 root Domain\sec-file-home-administrator 4096 29. Jul 06:03 Demo-01

- set and get acl in the filesystem
  setfacl -m u:root:-,g:"DOMAIN\\sec-file-home-administrator":rw /media/fileshare/test.txt
  getfacl /media/fileshare/test.txt
  # file: media/fileshare/test.txt
  # owner: root
  # group: root
  user::rw-
  user:root:---
  group::r--
  group:DOMAIN\\sec-file-home-administrator:rw-
  mask::rw-
  other::r--

##########################################
My smb.conf

[global]
netbios name = KVSTORAGE01
security = ADS
workgroup = DOMAIN
realm = DOMAIN.HOME
log file = /var/log/samba/%m.log
log level = 3 passdb:5 auth:5
bind interfaces only = yes
interfaces = lo enp2s0f0

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the DOMAIN domain
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-49999
idmap config DOMAIN:unix_nss_info = yes
idmap config DOMAIN:unix_primary_group = yes

# Enable winbindd enum for full NSS lookups by "getent passwd" or
# "getent group"
# - Slows down lookups with many users and groups
# - Only for testing and troubleshooting
# winbind enum users = yes
# winbind enum groups = yes
# - default domain = yes, enabled as a last try to fix things..
# winbind use default domain = yes

# User mapping for overwriting domain users with
# local system users such as root!
username map = /usr/local/samba/etc/user.map

# Workaround for bug:
# Enable local root UID for Administrator user mapping
# Set min uid = 0, because of a bug in Samba
# https://community.spiceworks.com/topic/2339542-samba-file-sharing-stopped-working-nt-error-315-invalid-token
min domain uid = 0

# Enable ACL support for setting ACLs from a Windows network client.
# Helps users to set permissions on new folders and files through Windows
vfs objects = acl_xattr
map acl inherit = Yes

# Allow symlinks
# unix extensions = no
# follow symlinks = yes
# wide links = yes

#======================= Share Definitions =======================
[Demo-01]
# comment = Demo share for authorised users
path = /media/fileshare/Demo-01/
read only = no
acl_xattr:ignore system acls = yes
# hide unreadable = Yes
# access based share enum = Yes
# browseable = yes
vfs objects = full_audit
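An added check, not part of the thread and not a Samba tool, for one detail a reader may notice in the smb.conf above: Samba does not merge a share-level parameter with its [global] value, so the `vfs objects = full_audit` line in [Demo-01] replaces the global `vfs objects = acl_xattr` and that share runs without the module that stores Windows ACLs (a share that wants both has to list both, e.g. `vfs objects = acl_xattr full_audit`). The script below reads an smb.conf from stdin and prints each share's effective vfs objects list; the two embedded configs are constructed samples shaped like the one posted, not copies of it, and the path in them is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread and not a Samba tool: report each share's
# effective 'vfs objects' list and flag shares that run without acl_xattr.
# Samba does not merge a share-level parameter with its [global] value, so a
# share that sets 'vfs objects = full_audit' replaces the global
# 'vfs objects = acl_xattr' and loses the module that stores Windows ACLs.
# Run it on a real file with:  effective_vfs_objects < /usr/local/samba/etc/smb.conf

# effective_vfs_objects: reads an smb.conf on stdin and prints one line per
# share: "<share>\t<effective vfs objects>\t<acl_xattr loaded: yes|no>"
effective_vfs_objects() {
    awk '
    /^[ \t]*[;#]/ { next }                         # comment lines
    { gsub(/^[ \t]+|[ \t]+$/, "") }                # trim whitespace
    /^\[.*\]$/ {                                   # [section] header
        sect = substr($0, 2, length($0) - 2)
        if (tolower(sect) == "global") sect = "global"
        order[++n] = sect
        next
    }
    tolower($0) ~ /^vfs objects?[ \t]*=/ {         # "vfs object" is a synonym
        val = $0
        sub(/^[^=]*=[ \t]*/, "", val)
        vfs[sect] = val
    }
    END {
        g = ("global" in vfs) ? vfs["global"] : ""
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (s == "global") continue
            eff = (s in vfs) ? vfs[s] : g          # share value replaces global
            has = ((" " eff " ") ~ / acl_xattr /) ? "yes" : "no"
            printf "%s\t%s\t%s\n", s, eff, has
        }
    }'
}

# shares_missing_acl_xattr: prints the shares whose effective list lacks
# acl_xattr; exit status 1 if any were found, 0 if the config is clean
shares_missing_acl_xattr() {
    missing=$(effective_vfs_objects | awk -F '\t' '$3 == "no" { print $1 }')
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample configs (shaped like the smb.conf in the thread, not a
# copy of it): the first loses acl_xattr on the share, the second keeps it.
SAMPLE_BAD='[global]
   vfs objects = acl_xattr
   map acl inherit = yes
   acl_xattr:ignore system acls = yes

[Demo-01]
   path = /media/fileshare/Demo-01/
   read only = no
   vfs objects = full_audit'

SAMPLE_FIXED='[global]
   vfs objects = acl_xattr
   map acl inherit = yes
   acl_xattr:ignore system acls = yes

[Demo-01]
   path = /media/fileshare/Demo-01/
   read only = no
   vfs objects = acl_xattr full_audit'

# Offline demonstration: the first call reports Demo-01, the second is silent.
printf '%s\n' "$SAMPLE_BAD"   | shares_missing_acl_xattr || :
printf '%s\n' "$SAMPLE_FIXED" | shares_missing_acl_xattr
```

The check only looks at the text of the file; `testparm -s` on the real host is still the authority on what smbd will load, since it also applies includes and parameter synonyms this parser does not know about.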
Rowland Penny
2022-Jul-29 17:05 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
On Fri, 2022-07-29 at 18:08 +0200, Development Kleinevogel.de via samba wrote:
> Dear all,
>
> I set up my Debian 11.1

You can get 4.16.1 from Debian 11 backports

> and Ubuntu 22.04 as Domain Members (ADS) with Samba 4.15.5, connected
> to my quite new Samba 4.15.5 PDC

I could say 'that is your problem' but I think you mean 'first DC', all
DC's are equal except for the FSMO roles.

> and want to use them as file servers with Windows ACLs. For all of
> them, I compiled them by myself.

Why ?

>
> Hope you can give me some tips to get my new environment to work.
>
> You will find my error log, troubleshooting steps and smb config at
> the end of this message.
>
> The error message in Windows, when I do not use the Administrator
> account:
> "Error applying security
> An error occurred while applying security information to:
> \\kvstorage01\Demo-01
> Failed to enumerate objects in the container. Access is denied."

The Linux for that is 'You do not have the required permissions'

>
> The problem is
> - that I can't set up the ACL permissions on the top of the share via
> the Windows compmgmt.msc security tab from my Windows 10
> domain member as any user other than Domain\Administrator.
> - I can change / add share permissions for domain local security
> groups I created myself when I use the Domain Administrator
> - I didn't test creating or adding folders to / inside the share yet.
> - Later, I will try to symlink directories from another mountpoint
> inside the shared folder.
>
> The domain has a full A-G-DL-P structure for future experiments on
> my side.
> - The user james.bond is a member of a global group and has its own
> uid 49999 and gid 39999
> - The global group sec-admin-home-fileshare-administrator is a member
> of the domain local group
> - The domain local group sec-file-home-administrator has gid 11000
> and is assigned for the file permissions of the shared folder in Linux
> - There is a domain global group sec-admin-home-unix-domain-administrators,
> which has gid 10001 and is a member of Domain\Administrators
>
>
> ##########################################
> My errors in /var/log/samba/192.168.188.91.log
>
> [2022/07/29 13:50:01.941609, 3]
> ../../source3/smbd/nttrans.c:2224(smbd_do_query_security_desc)
> smbd_do_query_security_desc: sd_size = 108.
> [2022/07/29 13:50:01.943333, 3]
> ../../source3/smbd/nttrans.c:2224(smbd_do_query_security_desc)
> smbd_do_query_security_desc: sd_size = 64.
> [2022/07/29 13:50:01.945291, 3]
> ../../source3/smbd/dir.c:1031(smbd_dirptr_get_entry)
> smbd_dirptr_get_entry mask=[*] found . fname=. (.)
> [2022/07/29 13:50:01.946070, 3]
> ../../source3/smbd/dir.c:1031(smbd_dirptr_get_entry)
> smbd_dirptr_get_entry mask=[*] found .. fname=.. (..)
> [2022/07/29 13:50:01.946522, 3]
> ../../source3/smbd/smb2_server.c:3953(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5]
> status[STATUS_NO_MORE_FILES] || at
> ../../source3/smbd/smb2_query_directory.c:160
> [2022/07/29 13:50:01.953769, 1]
> ../../source3/smbd/posix_acls.c:2962(set_canon_ace_list)
> set_canon_ace_list: sys_acl_set_file on file [.]: (Operation not
> permitted)
> [2022/07/29 13:50:01.953947, 3]
> ../../source3/smbd/posix_acls.c:3689(set_nt_acl)
> set_nt_acl: failed to set file acl on file . (Operation not
> permitted).
> [2022/07/29 13:50:01.954098, 3]
> ../../source3/smbd/smb2_server.c:3953(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_ACCESS_DENIED] || at
> ../../source3/smbd/smb2_setinfo.c:137
>
> ##########################################
> My troubleshooting steps:
>
> - SeDiskOperatorPrivilege
> net rpc rights list privileges SeDiskOperatorPrivilege -U
> "Administrator"
> Password for [DOMAIN\Administrator]:
> SeDiskOperatorPrivilege:
> DOMAIN\sec-file-home-administrator
> BUILTIN\Administrators
> DOMAIN\sec-admin-home-unix-domain-administrators
> DOMAIN\james.bond
>
> - wbinfo -u
> DOMAIN\administrator
> DOMAIN\svc-linuxreader-krb
> DOMAIN\dns-kvaddc01
> DOMAIN\james.bond
> DOMAIN\guest
> DOMAIN\krbtgt
> DOMAIN\svc-linuxreader-ldap
> DOMAIN\svc-nextcloud-ldap
> -> I only created the svc-*'s and the james.bond user. Only
> james.bond has a gid.

You are using the 'ad' idmap backend, so I take it that the gid is for
the 'sec-file-home-administrator' group.

>
> - getent group / user
> DOMAIN\domain users:x:10000:
> DOMAIN\sec-admin-home-unix-domain-administrators:x:10001:
> DOMAIN\sec-file-home-administrator:x:11000:
> DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash

No it isn't, so that is probably why it doesn't work.

The user must be a member of the group that owns the directory and that
group must hold the SeDiskOperatorPrivilege

Rowland
Oliver
2022-Aug-03 12:33 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
Hello Rowland,

thanks for your reply to my message. I could only check your answers today.

On 29.07.2022 at 19:05, Rowland Penny wrote:
> You can get 4.16.1 from Debian 11 backports

Thanks for the information. I will try this out in a few days. The reason why I chose a self-compiled installation is that I will not get trouble when I run apt-get upgrade or other package installation tasks on the machines, and I get the same versions on all machines.

>> - getent group / user
>> DOMAIN\domain users:x:10000:
>> DOMAIN\sec-admin-home-unix-domain-administrators:x:10001:
>> DOMAIN\sec-file-home-administrator:x:11000:
>> DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash
> No it isn't, so that is probably why it doesn't work.
>
> The user must be a member of the group that owns the directory and that
> group must hold the SeDiskOperatorPrivilege
>
> Rowland

Yes, thanks, that's true. I did not know that the getent group command also lists members of domain groups. I think that's the main problem here. But I really don't know why. When I look in ADUC on my Windows host, the user james.bond is a member of the domain global group, and the domain global group is a member of the domain local group, like this:

- james.bond -> member of: sec-admin-home-fileshare-administrator
- sec-admin-home-fileshare-administrator -> member of:
- sec-file-home-administrator -> assigned as owner group of the file share directory (I also put the user directly inside sec-file-home-administrator and tested the scenario)

All of them have a GID and can be found by getent; the output is:

# getent user "DOMAIN\james.bond"
DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash
# getent group "DOMAIN\\james.bond-group"
DOMAIN\james.bond-group:x:39999:
# getent group "DOMAIN\sec-admin-home-fileshare-administrator"
DOMAIN\sec-file-home-administrator:x:11000:
# getent group "DOMAIN\sec-admin-home-fileshare-administrator"
DOMAIN\sec-admin-home-fileshare-administrator:x:18888:

But the group members are not showing up. Therefore the user can't set up the ACL permissions for the file; he is not authorized. The Domain Users group and every other group I fill with users also do not show them. Not even when I added winbind enum in the global section of smb.conf:

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

Did I miss anything, or is something broken? Can you give me some tips on how I can troubleshoot the issue in detail?

My nsswitch.conf is:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns winss
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Thanks,
Oliver
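The two prerequisites Rowland names (the user must be a member of the group that owns the directory, and that group must hold SeDiskOperatorPrivilege), together with the membership question in Oliver's follow-up, as an added shell example that is not from the thread and not a Samba tool. It takes the text output of `id`, `stat -c %G` and `net rpc rights list privileges SeDiskOperatorPrivilege` as arguments so it can run offline on constructed samples; the samples below are made up to match the names in the thread, not captured from the poster's host. The membership check reads `id 'DOMAIN\user'` rather than `getent group`, because `getent group` does not list winbind group members unless `winbind expand groups` is raised above its default of 0, while `id` asks winbind for the user's own group list. Names are compared in the form the host prints them, so with `winbind use default domain = yes` the `DOMAIN\` prefix would have to be dropped from the samples.

```shell
#!/bin/sh
# Added example, not from the thread and not a Samba tool: check the two
# prerequisites for a non-Administrator user to set Windows ACLs on a share
# directory of a Samba domain member:
#   1. the user is a member of the Unix group that owns the directory, and
#   2. that group holds SeDiskOperatorPrivilege on the member server.
# The functions take their inputs as text so they run offline on constructed
# command output; check_live() feeds them real output from id(1), stat(1) and
# 'net rpc rights list' and runs only if you call it yourself.
# Names must be in the form the host prints them (with the DOMAIN\ prefix
# unless 'winbind use default domain' is set).

# user_in_group ID_OUTPUT GROUP
#   ID_OUTPUT is the output of:  id 'DOMAIN\user'
#   id asks winbind for the user's group list; getent group does not list
#   members unless 'winbind expand groups' is set above its default of 0.
user_in_group() {
    id_out=$1; grp=$2
    # e.g. "groups=39999(DOMAIN\james.bond-group),11000(DOMAIN\sec-file-home-administrator)"
    printf '%s\n' "$id_out" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/' | grep -qxF -- "$grp"
}

# holds_disk_operator RIGHTS_OUTPUT NAME
#   RIGHTS_OUTPUT is the output of:
#   net rpc rights list privileges SeDiskOperatorPrivilege -U Administrator
holds_disk_operator() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | grep -qxF -- "$2"
}

# can_set_acl ID_OUTPUT RIGHTS_OUTPUT OWNING_GROUP USER
#   prints "ok" and returns 0, or prints each missing prerequisite and returns 1
can_set_acl() {
    id_out=$1; rights_out=$2; grp=$3; user=$4; rc=0
    if ! user_in_group "$id_out" "$grp"; then
        printf 'MISSING: %s is not a member of owning group %s\n' "$user" "$grp"
        rc=1
    fi
    if ! holds_disk_operator "$rights_out" "$grp"; then
        printf 'MISSING: %s does not hold SeDiskOperatorPrivilege\n' "$grp"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then printf 'ok\n'; fi
    return "$rc"
}

# check_live USER DIRECTORY: the same check against the running host
# (needs winbind in nsswitch.conf and a working 'net rpc' connection).
check_live() {
    can_set_acl "$(id "$1")" \
        "$(net rpc rights list privileges SeDiskOperatorPrivilege -U Administrator)" \
        "$(stat -c %G "$2")" "$1"
}

# Constructed samples using the thread's names (not captured from the host):
# SAMPLE_ID mirrors Rowland's reading that the user is not in the owning
# group; SAMPLE_ID_FIXED adds that membership.
OWNING_GROUP='DOMAIN\sec-file-home-administrator'
SAMPLE_ID='uid=49999(DOMAIN\james.bond) gid=39999(DOMAIN\james.bond-group) groups=39999(DOMAIN\james.bond-group),10000(DOMAIN\domain users)'
SAMPLE_ID_FIXED="$SAMPLE_ID,11000($OWNING_GROUP)"
SAMPLE_RIGHTS='SeDiskOperatorPrivilege:
 DOMAIN\sec-file-home-administrator
 BUILTIN\Administrators
 DOMAIN\sec-admin-home-unix-domain-administrators
 DOMAIN\james.bond'

# Offline demonstration: the first call reports the missing membership,
# the second prints ok.
can_set_acl "$SAMPLE_ID"       "$SAMPLE_RIGHTS" "$OWNING_GROUP" 'DOMAIN\james.bond' || :
can_set_acl "$SAMPLE_ID_FIXED" "$SAMPLE_RIGHTS" "$OWNING_GROUP" 'DOMAIN\james.bond'
```

On a real member server the call is `check_live 'DOMAIN\james.bond' /media/fileshare/Demo-01`; it only reports the two conditions from the thread and says nothing about the POSIX ACL or xattr layer that smbd uses to store the result.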