Oliver
2022-Aug-03 12:33 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
Hello Rowland,

Thanks for your reply to my message. I could only check your answers today.

On 29.07.2022 at 19:05, Rowland Penny wrote:
> You can get 4.16.1 from Debian 11 backports

Thanks for the information. I will try this out in a few days.

The reason why I chose a self-compiled installation is that I will not get into trouble when I run apt-get upgrade or other package installation tasks on the machines, and get all the same versions on the machines.

>> - getent group / user
>> DOMAIN\domain users:x:10000:
>> DOMAIN\sec-admin-home-unix-domain-administrators:x:10001:
>> DOMAIN\sec-file-home-administrator:x:11000:
>> DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash
> No it isn't, so that is probably why it doesn't work.
>
> The user must be a member of the group that owns the directory and that
> group must hold the SeDiskOperatorPrivilege
>
> Rowland

Yes, thanks, that's true. I did not know that the getent group command also lists members of domain groups.

I think that's the main problem here. But I really don't know why.

When I look it up in ADUC on my Windows host, the user james.bond is a member of the domain global group, and the domain global group is a member of the domain local group, like this:

- james.bond -> Member of: sec-admin-home-fileshare-administrato
- sec-admin-home-fileshare-administrator -> Member of:
- sec-file-home-administrator -> Assigned as owner group of the fileshare directory

(I also put the user directly inside sec-file-home-administrator and tested the scenario.)

*All of them have a GID and can be found by getent; the output is:*

# getent user "DOMAIN\james.bond"
DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash

# getent group "DOMAIN\\james.bond-group"
DOMAIN\james.bond-group:x:39999:

# getent group "DOMAIN\sec-admin-home-fileshare-administrator"
DOMAIN\sec-file-home-administrator:x:11000:

# getent group "DOMAIN\sec-admin-home-fileshare-administrator"
DOMAIN\sec-admin-home-fileshare-administrator:x:18888:

But the group members are not showing. Therefore, the user can't set up the ACL permissions for the file. He is not authorized. Also, the Domain Users group and every other group I fill with users do not show them. Not even when I added the winbind enum options to the global section of smb.conf:

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

Did I miss anything, or is something destroyed?

Can you give me some tips on how I can troubleshoot the issue in detail?

My nsswitch.conf is:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns winss
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Thanks,
Oliver
Oliver
2022-Aug-03 14:36 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
I checked out this article, where you helped a member of askubuntu with the same problem:

https://askubuntu.com/questions/1309659/samba-domain-member-not-pulling-ad-group-user-info

I followed your introduction and set winbind before systemd inside nsswitch.conf, like:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns winss
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

On 03.08.2022 at 14:33, Oliver via samba wrote:
> Hello Rowland,
>
> Thanks for your reply to my message. I could only check your answers
> today.
>
> On 29.07.2022 at 19:05, Rowland Penny wrote:
>> You can get 4.16.1 from Debian 11 backports
>
> Thanks for the information. I will try this out in a few days.
>
> The reason why I chose a self-compiled installation is that I will
> not get into trouble when I run apt-get upgrade or other package
> installation tasks on the machines, and get all the same versions on
> the machines.
>
>>> - getent group / user
>>> DOMAIN\domain users:x:10000:
>>> DOMAIN\sec-admin-home-unix-domain-administrators:x:10001:
>>> DOMAIN\sec-file-home-administrator:x:11000:
>>> DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash
>> No it isn't, so that is probably why it doesn't work.
>>
>> The user must be a member of the group that owns the directory and that
>> group must hold the SeDiskOperatorPrivilege
>>
>> Rowland
>
> Yes, thanks, that's true. I did not know that the getent group command
> also lists members of domain groups.
>
> I think that's the main problem here. But I really don't know why.
>
> When I look it up in ADUC on my Windows host, the user james.bond is a
> member of the domain global group, and the domain global group is a
> member of the domain local group, like this:
>
> - james.bond -> Member of: sec-admin-home-fileshare-administrato
> - sec-admin-home-fileshare-administrator -> Member of:
> - sec-file-home-administrator -> Assigned as owner group of the
>   fileshare directory
>
> (I also put the user directly inside sec-file-home-administrator
> and tested the scenario.)
>
> *All of them have a GID and can be found by getent; the output is:*
>
> # getent user "DOMAIN\james.bond"
> DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash
>
> # getent group "DOMAIN\\james.bond-group"
> DOMAIN\james.bond-group:x:39999:
>
> # getent group "DOMAIN\sec-admin-home-fileshare-administrator"
> DOMAIN\sec-file-home-administrator:x:11000:
>
> # getent group "DOMAIN\sec-admin-home-fileshare-administrator"
> DOMAIN\sec-admin-home-fileshare-administrator:x:18888:
>
> But the group members are not showing. Therefore, the user can't
> set up the ACL permissions for the file. He is not authorized. Also, the
> Domain Users group and every other group I fill with users do not
> show them. Not even when I added the winbind enum options to the global
> section of smb.conf:
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
>
> Did I miss anything, or is something destroyed?
>
> Can you give me some tips on how I can troubleshoot the issue in detail?
>
> My nsswitch.conf is:
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files winbind systemd
> group:          files winbind systemd
> shadow:         files
> gshadow:        files
>
> hosts:          files dns winss
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> Thanks,
>
> Oliver
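
The nsswitch.conf ordering mentioned in this message (winbind listed for passwd and group, and placed before systemd) can be checked mechanically. The script below is an added example, not part of the original thread or of Samba; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how an nsswitch.conf database line treats winbind.

# check_nss_db FILE DB
# Prints one of: ok | missing-winbind | winbind-after-systemd | no-entry
check_nss_db() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                    # strip comments, fields are re-split
        $1 == (db ":") {
            found = 1
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) continue      # skip action items like [NOTFOUND=return]
                if ($i == "winbind" && !w) w = i
                if ($i == "systemd" && !s) s = i
            }
        }
        END {
            if (!found)            print "no-entry"
            else if (!w)           print "missing-winbind"
            else if (s && s < w)   print "winbind-after-systemd"
            else                   print "ok"
        }' "$1"
}

# Constructed sample input (not taken from a real host): passwd is ordered
# as in the message above, group has systemd ahead of winbind.
write_samples() {
    printf '%s\n' \
        '# constructed sample' \
        'passwd:         files winbind systemd' \
        'group:          files systemd winbind   # wrong order' \
        'shadow:         files' > "$1/nsswitch.sample"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for db in passwd group; do
    printf '%-8s %s\n' "$db" "$(check_nss_db "$tmp/nsswitch.sample" "$db")"
done
rm -rf "$tmp"
```

On a real domain member, point `check_nss_db` at `/etc/nsswitch.conf`; only the `passwd` and `group` databases are expected to list winbind.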