#> ls -ld /server/shared
drwxrwx---+ 47 root CORP\domain users 4096 Feb 6 20:13 /server/shared
#> getfacl /server/shared
getfacl: Removing leading '/' from absolute path names
# file: server/shared
# owner: root
# group: CORP\\domain\040users
user::rwx
user:root:rwx
user:CORP\\domain\040admins:rwx
user:CORP\\domain\040users:rwx
group::rwx
group:CORP\\domain\040admins:rwx
group:CORP\\domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:CORP\\domain\040admins:rwx
default:user:CORP\\domain\040users:rwx
default:group::---
default:group:CORP\\domain\040admins:rwx
default:group:CORP\\domain\040users:rwx
default:mask::rwx
default:other::---
#> samba-tool ntacl get /server/shared --as-sddl
O:S-1-22-1-0G:DUD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001301bf;;;DU)
I originally had domain admins owning the directory but changed it to domain
users thinking that the user was not a member of domain admins so maybe that was
why they couldn't access it.
Rich
----- On Feb 10, 2023, at 3:08 PM, Rowland Penny via samba samba at
lists.samba.org wrote:
> On 10/02/2023 19:47, Rich Webb via samba wrote:
>> Hello,
>>
>> I just set up a new domain with a separate domain controller and a samba
>> domain member for a file server.
>>
>> I am able to set share permissions and ACL permissions through a windows
>> client on computer management OK. Looking at properties / security tab
>> shows the proper permissions...
>>
>> Getfacl in linux shows the proper ACLs ... but when I try to access the
>> share from a joined windows client I am getting access denied regardless
>> that the user is in the proper group in ADUC. If I put that same user into
>> Domain Admins group that user can then access all the shares.
>>
>> This is the first time I have seen this behavior .. My smb.conf is as
>> follows for the DC:
>>
>> # Global parameters
>> [global]
>> dns forwarder = 8.8.8.8
>> netbios name = DC1
>> realm = CORP.EXAMPLE.COM
>> server role = active directory domain controller
>> workgroup = CORP
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/corp.example.com/scripts
>> read only = No
>>
>> Here is the smb.conf for the member server:
>>
>> [global]
>> security = ADS
>> workgroup = CORP
>> realm = CORP.EXAMPLE.COM
>>
>> username map = /etc/samba/user.map
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> # store dos attributes = Yes
>>
>> # Default ID mapping configuration using the autorid
>> # idmap backend. This will work out of the box for simple setups
>> # as well as complex setups with trusted domains.
>> idmap config * : backend = autorid
>> idmap config * : range = 10000-9999999
>>
>>
>> [Shared]
>> writeable = yes
>> path=/server/shared
>>
>> [Installs]
>> writeable = yes
>> path=/server/installs
>>
>> ... rest of share definitions ...
>>
>> Samba version on the domain controller is: 4.15.13-Ubuntu
>> Samba version on the member server is: 4.15.13-Ubuntu
>>
>> Any help is greatly appreciated!
>>
>> Thanks,
>> Rich
>>
>
> Can you post the output of the following commands:
>
> ls -ld /server/shared
>
> getfacl /server/shared
>
> samba-tool ntacl get /server/shared --as-sddl
>
> Also, is apparmor running and possibly blocking things ?
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
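The SDDL string that `samba-tool ntacl get --as-sddl` printed at the top of this message is the NT ACL Samba actually enforces for the share (the one stored by vfs acl_xattr), and it is easier to reason about once the hex access masks and SID aliases are expanded. The following decoder is an added example, not code from the thread or from Samba itself: it splits the string into owner, group and DACL, expands each ACE, names the bits in the access mask, and reports what one trustee is granted. `THREAD_SDDL` is the string posted above; the table and function names are this example's own, and `effective_rights` is a deliberately simple per-trustee computation that does not expand group membership.

```python
"""Decode the SDDL that `samba-tool ntacl get <path> --as-sddl` prints.

Added example, not code from the thread or from Samba. It parses the
owner, group, DACL control flags and ACEs of a file-system SDDL string,
expands hex access masks into named rights (winnt.h FILE_* and standard
rights), and computes the rights one trustee is granted. THREAD_SDDL is
the string posted in the thread; all other names are this example's own.
"""
import re

# Subset of the SDDL well-known SID aliases.
SID_ALIASES = {
    "DA": "Domain Admins", "DU": "Domain Users", "DC": "Domain Computers",
    "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
    "SY": "NT AUTHORITY\\SYSTEM", "AU": "Authenticated Users",
    "WD": "Everyone", "CO": "CREATOR OWNER", "CG": "CREATOR GROUP",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT",
             "IO": "INHERIT_ONLY", "NP": "NO_PROPAGATE", "ID": "INHERITED"}
ACL_CONTROL = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}

# File-system access-mask bits, low to high.
RIGHT_BITS = [
    (0x000001, "FILE_READ_DATA"), (0x000002, "FILE_WRITE_DATA"),
    (0x000004, "FILE_APPEND_DATA"), (0x000008, "FILE_READ_EA"),
    (0x000010, "FILE_WRITE_EA"), (0x000020, "FILE_EXECUTE"),
    (0x000040, "FILE_DELETE_CHILD"), (0x000080, "FILE_READ_ATTRIBUTES"),
    (0x000100, "FILE_WRITE_ATTRIBUTES"), (0x010000, "DELETE"),
    (0x020000, "READ_CONTROL"), (0x040000, "WRITE_DAC"),
    (0x080000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]
# Letter codes SDDL may print instead of a hex mask.
RIGHT_CODES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
FILE_ALL_ACCESS = 0x1F01FF
# What the Windows security tab calls "Modify": all access minus
# FILE_DELETE_CHILD, WRITE_DAC and WRITE_OWNER.
FILE_MODIFY = 0x1301BF

# The SDDL posted in the thread for /server/shared.
THREAD_SDDL = "O:S-1-22-1-0G:DUD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001301bf;;;DU)"


def describe_sid(sid):
    """Expand an alias; map Samba's S-1-22-1-<uid> / S-1-22-2-<gid> Unix SIDs."""
    if sid in SID_ALIASES:
        return SID_ALIASES[sid]
    m = re.fullmatch(r"S-1-22-([12])-(\d+)", sid)
    if m:
        return "Unix %s %s" % ("uid" if m.group(1) == "1" else "gid", m.group(2))
    return sid


def parse_mask(text):
    return int(text, 16) if text.startswith("0x") else RIGHT_CODES[text]


def mask_names(mask):
    return [name for bit, name in RIGHT_BITS if mask & bit]


def split_control(text):
    """'PAI' -> [PROTECTED, AUTO_INHERITED]; tokens are one or two letters."""
    out, i = [], 0
    while i < len(text):
        tok = text[i:i + 2] if text[i:i + 2] in ACL_CONTROL else text[i]
        out.append(ACL_CONTROL.get(tok, tok))
        i += len(tok)
    return out


def parse_ace(text):
    # (type;flags;rights;object_guid;inherit_object_guid;sid)
    ace_type, flags, rights, _obj, _inh, sid = text.strip("()").split(";")
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(flags[i:i + 2], flags[i:i + 2])
                      for i in range(0, len(flags), 2)],
            "mask": parse_mask(rights), "sid": sid, "trustee": describe_sid(sid)}


def parse_sddl(sddl):
    # Segments begin with O:, G:, D: or S:; SIDs and ACEs never contain ':'.
    segs = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    dacl = segs.get("D", "")
    return {"owner": segs.get("O"), "group": segs.get("G"),
            "control": split_control(dacl.split("(", 1)[0]),
            "aces": [parse_ace(a) for a in re.findall(r"\([^()]*\)", dacl)]}


def effective_rights(sddl, sid):
    """Allow bits minus deny bits for one trustee SID/alias. Does not expand
    group membership or model ACE ordering; enough to read one ACE list."""
    allowed = denied = 0
    for ace in parse_sddl(sddl)["aces"]:
        if ace["sid"] != sid:
            continue
        if ace["type"] == "ALLOW":
            allowed |= ace["mask"]
        elif ace["type"] == "DENY":
            denied |= ace["mask"]
    return allowed & ~denied


def classify(mask):
    if mask == FILE_ALL_ACCESS:
        return "Full control"
    if mask == FILE_MODIFY:
        return "Modify"
    return "custom: " + ", ".join(mask_names(mask))


if __name__ == "__main__":
    acl = parse_sddl(THREAD_SDDL)
    print("owner:", describe_sid(acl["owner"]), "| group:", describe_sid(acl["group"]))
    print("dacl control:", acl["control"])
    for ace in acl["aces"]:
        print(ace["type"], ace["trustee"], hex(ace["mask"]), classify(ace["mask"]), ace["flags"])
    print("Domain Users lack:", mask_names(FILE_ALL_ACCESS & ~effective_rights(THREAD_SDDL, "DU")))
```

Run against the posted string it reports the owner as Unix uid 0 (Samba's S-1-22-1 domain maps Unix users), the DACL as protected and auto-inherited, Domain Admins with full control and Domain Users with Modify on the directory and, via OI/CI, on everything created under it. That is worth knowing when chasing an access-denied: it tells you whether to look at the NT ACL Samba stores or at the POSIX ACL the kernel enforces.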