I'm trying to set up a new Samba install as a Domain Member to a Windows AD to act as a fileserver and am having little success following the Wiki in setting up a share using Windows ACLs.

First problem was even connecting to the system with the Administrator account as it was mapped to the root user via the user.map per the wiki. Setting "min domain uid = 0" solved that but this seems a bit counterintuitive and maybe dangerous.

All seems fine until I connect to the share via Computer Management as shown on https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs under the heading "Setting Share Permissions and ACLs". When I right click share and select properties the properties box comes up but the smbd log does indicate NT_STATUS_PRIVILEGE_NOT_HELD. The Share Permissions tab looks fine but when I select the security tab the smbd log indicates NT_STATUS_BUFFER_TOO_SMALL and attempts to add permissions fail, the smbd log indicates NT_STATUS_ACCESS_DENIED.

smb.conf:
==================================
[global]
log level = 3
min domain uid = 0
map to guest = Bad User
printcap name = /dev/null
realm = PIZZA.EXAMPLE.COM
security = ADS
server role = member server
server string = Quinine Data
username map = /etc/samba/user.map
workgroup = PIZZA3
idmap config pizza3 : backend = rid
idmap config pizza3 : range = 50000-89999
idmap config quinine : range = 5000-5999
idmap config quinine : backend = tdb
idmap config * : range = 10000-19999
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = acl_xattr

[data1]
comment = Data1 on Quinine
path = /srv/terra/terra1
acl_xattr:ignore system acls = yes
==================================
SeDiskOperatorPrivilege:
PIZZA3\Domain Admins
PIZZA3\Administrator
BUILTIN\Administrators
==================================
drwxrwx--- 2 root PIZZA3\domain admins 6 Sep 19 23:42 terra1
==================================
Version 4.16.5-Debian
Debian GNU/Linux 11 \n \l

Please assist.

Thank you,

Chris

On 22/09/2022 19:38, Sonic via samba wrote:
> I'm trying to set up a new Samba install as a Domain Member to a
> Windows AD to act as a fileserver and am having little success
> following the Wiki in setting up a share using Windows ACLs.
>
> First problem was even connecting to the system with the Administrator
> account as it was mapped to the root user via the user.map per the
> wiki. Setting "min domain uid = 0" solved that but this seems a bit
> counterintuitive and maybe dangerous.

It is the only thing that works.

>
> All seems fine until I connect to the share via Computer Management as
> shown on https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> under the heading "Setting Share Permissions and ACLs". When I right
> click share and select properties the properties box comes up but the
> smbd log does indicate NT_STATUS_PRIVILEGE_NOT_HELD. The Share
> Permissions tab looks fine but when I select the security tab the smbd
> log indicates NT_STATUS_BUFFER_TOO_SMALL and attempts to add
> permissions fail, the smbd log indicates NT_STATUS_ACCESS_DENIED.
>
> smb.conf:
> ==================================
> [global]
> log level = 3
> min domain uid = 0
> map to guest = Bad User
> printcap name = /dev/null
> realm = PIZZA.EXAMPLE.COM
> security = ADS
> server role = member server
> server string = Quinine Data
> username map = /etc/samba/user.map
> workgroup = PIZZA3
> idmap config pizza3 : backend = rid
> idmap config pizza3 : range = 50000-89999
> idmap config quinine : range = 5000-5999
> idmap config quinine : backend = tdb
> idmap config * : range = 10000-19999
> idmap config * : backend = tdb

You need to reset the 'idmap config' lines. I presume 'quinine' is the hostname of the Unix domain member; if so, remove the two idmap config lines that mention 'quinine', and I suggest you use the ranges on the wiki (at least as a starting point); they are known to work.

Rowland
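
The check suggested in the reply above, written as a small script. This is an added example, not part of the original thread or of Samba. It parses the `idmap config` lines from the posted `[global]` section, flags any idmap domain that is neither `*` nor the configured workgroup, and reports overlapping ID ranges. The function names are hypothetical, and it assumes a single-domain member server (a trusted domain would legitimately add its own entry).

```python
import re

# idmap-related lines copied from the smb.conf posted in the thread
POSTED_CONF = """\
[global]
workgroup = PIZZA3
idmap config pizza3 : backend = rid
idmap config pizza3 : range = 50000-89999
idmap config quinine : range = 5000-5999
idmap config quinine : backend = tdb
idmap config * : range = 10000-19999
idmap config * : backend = tdb
"""
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)

def parse_idmap(conf):
    """Return (workgroup, {domain: {"backend": str, "range": (lo, hi)}})."""
    workgroup, domains = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if line.lower().startswith("workgroup"):
            workgroup = line.split("=", 1)[1].strip().upper()
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3).strip()
        entry = domains.setdefault(dom, {})
        if key == "range":
            lo, hi = val.split("-")
            entry["range"] = (int(lo), int(hi))
        else:
            entry[key] = val
    return workgroup, domains

def review(conf):
    """List findings: unexpected idmap domains and overlapping ID ranges."""
    workgroup, domains = parse_idmap(conf)
    findings = []
    for dom in domains:
        # Assumption: single-domain member, so only '*' and the workgroup are expected
        if dom not in ("*", workgroup):
            findings.append(f"idmap domain {dom} is neither '*' nor workgroup {workgroup}")
    ranged = sorted((d["range"], n) for n, d in domains.items() if "range" in d)
    for ((lo1, hi1), a), ((lo2, hi2), b) in zip(ranged, ranged[1:]):
        if lo2 <= hi1:
            findings.append(f"ranges of {a} and {b} overlap")
    return findings

if __name__ == "__main__":
    print("\n".join(review(POSTED_CONF)))
```

On the posted configuration the only finding is the `quinine` entry; the three ranges themselves do not overlap.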