Rowland Penny
2022-Aug-10 06:38 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
On Wed, 2022-08-10 at 08:20 +0200, Oliver via samba wrote:
> On 09.08.2022 at 17:35, Rowland Penny via samba wrote:
> > On Tue, 2022-08-09 at 17:15 +0200, Oliver via samba wrote:
> > > Can I do some test to see if winbind is implemented correctly on
> > > my
> > > machine?
> > >
> > >
> > > On 04.08.2022 at 20:05, Rowland Penny via samba wrote:
> > > > If you do not have secrets.ldb and sam.ldb on a DC, then you
> > > > have
> > > > really big problems. Have you checked if they exist or not ?
> > > Yes, they do not exist:
> > >
> > > ls -ll /usr/local/samba/private/
> > > total 1012
> > > drwx------ 2 root root   4096  4. Aug 17:20 msg.sock
> > > -rw------- 1 root root  32768  3. Aug 14:27 netlogon_creds_cli.tdb
> > > -rw------- 1 root root 421888  4. Jul 17:11 passdb.tdb
> > > -rw------- 1 root root 577536 30. Jul 10:02 secrets.tdb
> > You appear to have a major problem. If I run a similar command on
> > one of
> > my DCs, I get this:
> >
> > pi@rpidc1:~ $ ls -ll /var/lib/samba/private/
> > total 20320
> > -rw-r----- 2 root bind     544 Mar 26  2021 dns.keytab
> > -rw------- 1 root root    2211 Jun 10  2021 dns_update_cache
> > -rw-r--r-- 1 root root    3663 Mar 26  2021 dns_update_list
> > -rw------- 1 root root      16 Mar 26  2021 encrypted_secrets.key
> > -rw------- 1 root root 1286144 Mar 26  2021 hklm.ldb
> > -rw------- 1 root root 4927488 Jul 23 12:07 idmap.ldb
> > -rw-r--r-- 1 root root     216 Mar 26  2021 krb5.conf
> > srwxrwxrwx 1 root root       0 Jul 30 14:34 ldapi
> > drwxr-x--- 2 root root    4096 Jul 30 14:34 ldap_priv
> > drwx------ 2 root root    4096 Aug  9 16:21 msg.sock
> > -rw------- 1 root root    4792 Jul 30 14:34 netlogon_creds_cli.tdb
> > -rw------- 1 root root  421888 Mar 26  2021 passdb.tdb
> > -rw------- 1 root root 1286144 May  7  2021 privilege.ldb
> > -rw------- 1 root root 4694016 Mar 26  2021 sam.ldb
> > drwx------ 2 root root    4096 Apr 24  2021 sam.ldb.d
> > -rw------- 1 root root   12288 Aug  5 10:16 schannel_store.tdb
> > -rw------- 1 root root     785 Mar 26  2021 secrets.keytab
> > -rw------- 1 root root 1286144 Mar 26  2021 secrets.ldb
> > -rw------- 1 root root  430080 Mar 26  2021 secrets.tdb
> > -rw------- 1 root root 1286144 Mar 26  2021 share.ldb
> > drwxr-xr-x 2 root root    4096 Mar 26  2021 smbd.tmp
> > -rw-r--r-- 1 root root     955 Mar 26  2021 spn_update_list
> > drwxr-xr-x 2 root root    4096 Apr 15  2021 tls
> >
> > Was this DC provisioned, or another DC you have joined to an
> > existing
> > domain ?
> >
> > Rowland
> I only have DC1, DC2 and DC3, all of them built by myself.
>
> I have the same files as you, but only on my DC1, which holds the
> FSMO
> roles.
>
> DC2 + DC3, which have to do the file sharing, have these files:
>
> ls -ll /usr/local/samba/private/
> total 1012
> drwx------ 2 root root   4096  4. Aug 17:20 msg.sock
> -rw------- 1 root root  32768  3. Aug 14:27 netlogon_creds_cli.tdb
> -rw------- 1 root root 421888  4. Jul 17:11 passdb.tdb
> -rw------- 1 root root 577536 30. Jul 10:02 secrets.tdb
>
>
> Maybe I have misunderstood something?:
> - DC1 has a totally different and shorter smb.conf than DC2 and DC3
> - Only DC2 + DC3 have security = ADS with the whole set of
> idmap and usermap options in smb.conf

Sorry to be the bearer of bad news, but if 'security = ADS' is set in
smb.conf on DC2 and DC3, then they are not DCs, they are Unix domain
members. How did you join them ?

> - DC1 has the BIND 9.18 DLZ backend for DNS integrated.
>
> Can I add my .conf files as an attachment if needed?

No, you would have to post them inline, this list strips attachments.

Rowland
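The distinction Rowland draws above (a host with `security = ADS` is a Unix domain member joined with `net ads join`, while an AD DC is provisioned or joined with `samba-tool` and carries `sam.ldb` and `secrets.ldb` in its private directory) can be checked mechanically. The script below is an added example, not code from this thread or from the Samba project: it reads the `[global]` section of an smb.conf the way Samba does (parameter names are matched ignoring case and whitespace), then cross-checks the configured role against which secrets databases actually exist. The host names, realm, file paths and the two fixture configurations are constructed for the demo; on a real host the private directory is whatever `smbd -b | grep PRIVATE_DIR` reports.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): classify a Samba host as
# AD DC or Unix domain member from smb.conf plus its private directory.
# All paths, names and fixture files below are constructed for the demo.

# Print the value of one [global] parameter from an smb.conf, or nothing if it
# is not set. Samba ignores case and whitespace in parameter names, so
# "Server Role" and "serverrole" both match "server role".
smb_global_param() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr -d ' \t')" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[/   { sec = tolower(trim($0)); next } # section header
        sec == "[global]" && index($0, "=") > 0 {
            eq = index($0, "=")
            k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
            if (k == want) { print trim(substr($0, eq + 1)); exit }
        }
    ' "$1"
}

# Classify a host. $1 = smb.conf, $2 = Samba private directory.
# A DC is provisioned/joined with samba-tool and carries sam.ldb and
# secrets.ldb; a host with "security = ADS" is a domain member joined with
# "net ads join" and only has secrets.tdb there.
samba_role() {
    role=$(smb_global_param "$1" "server role" | tr '[:upper:]' '[:lower:]')
    sec=$(smb_global_param "$1" "security" | tr '[:upper:]' '[:lower:]')
    case "$role" in
        "active directory domain controller"|"domain controller"|dc)
            if [ -f "$2/sam.ldb" ] && [ -f "$2/secrets.ldb" ]; then
                echo "dc"
            else
                echo "dc-without-sam.ldb"   # configured as DC but never provisioned/joined
            fi ;;
        *)
            case "$sec" in
                ads) echo "member" ;;
                *)   echo "standalone-or-other" ;;
            esac ;;
    esac
}

# Constructed fixtures: one provisioned DC, one member joined with net ads join.
make_demo_fixtures() {
    fx=$(mktemp -d "${TMPDIR:-/tmp}/samba-role.XXXXXX")
    mkdir -p "$fx/dc1_private" "$fx/member_private"
    cat > "$fx/dc1.conf" <<'EOF'
[global]
    netbios name = DC1
    realm = DOMAIN.HOME
    workgroup = DOMAIN
    server role = active directory domain controller
EOF
    : > "$fx/dc1_private/sam.ldb"       # stand-ins for the real databases
    : > "$fx/dc1_private/secrets.ldb"
    cat > "$fx/member.conf" <<'EOF'
[global]
    # Unix domain member: no "server role", but security = ADS
    security = ADS
    realm = DOMAIN.HOME
    workgroup = DOMAIN
    idmap config * : backend = tdb
EOF
    : > "$fx/member_private/secrets.tdb"
    echo "$fx"
}

fx=$(make_demo_fixtures)
echo "dc1.conf:    $(samba_role "$fx/dc1.conf" "$fx/dc1_private")"       # dc
echo "member.conf: $(samba_role "$fx/member.conf" "$fx/member_private")" # member
rm -rf "$fx"
```

On the hosts from the thread, `samba_role /usr/local/samba/etc/smb.conf /usr/local/samba/private` would report `member` for DC2 and DC3 and `dc` for DC1, which is exactly the split Rowland describes; a host whose smb.conf says `server role = active directory domain controller` but whose private directory has no `sam.ldb` is flagged separately, since that is the "really big problems" case from earlier in the thread.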
Oliver
2022-Aug-10 08:43 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
On 10.08.2022 at 08:38, Rowland Penny via samba wrote:
> Sorry to be the bearer of bad news, but if 'security = ADS' is set in
> smb.conf on DC2 and DC3, then they are not DCs, they are Unix domain
> members. How did you join them ?

I joined both members with:

# net ads join -U administrator

Because of the static IP in the network adapter settings, I manually created the reverse PTR record in the reverse DNS zone via RSAT.

When I run testjoin, I also get errors about the ldb files...

root@member1:~# net ads testjoin -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.188.24 bcast=192.168.188.255 netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.188.24 bcast=192.168.188.255 netmask=255.255.255.0
ldb: ltdb: tdb(/usr/local/samba/private/secrets.ldb): tdb_open_ex: could not open file /usr/local/samba/private/secrets.ldb: No such file or directory
ldb: Unable to open tdb '/usr/local/samba/private/secrets.ldb': No such file or directory
ldb: Failed to connect to '/usr/local/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/usr/local/samba/private/secrets.ldb': No such file or directory
Failed to create cldap tsocket_address for  - NT_STATUS_ACCESS_DENIED
ads_try_connect: CLDAP request  failed.
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server 192.168.188.5
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
Failed to create cldap tsocket_address for  - NT_STATUS_OBJECT_NAME_COLLISION
ads_try_connect: CLDAP request  failed.
Failed to create cldap tsocket_address for  - NT_STATUS_OBJECT_NAME_COLLISION
ads_try_connect: CLDAP request  failed.
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server 192.168.188.5
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server 192.168.188.5
Connecting to 192.168.188.5 at port 389
Connected to LDAP server dc1.domain.home
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Join is OK
return code = 0

Oliver