Peter Milesson
2023-Dec-12 17:59 UTC
[Samba] Permission denied while trying to setup share with RSAT
On 12.12.2023 18:42, Rowland Penny via samba wrote:
> On Tue, 12 Dec 2023 13:11:14 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> AD Member server with Samba 4.19.3 from Debian Bookworm backports. AD
>> DC also Samba 4.19.3 from Debian Bookworm backports. smb.conf last in
>> the message.
>>
>> When trying to setup a share with RSAT as Administrator, every
>> operation fails with the error message:
>>
>> "An error occurred while applying security information to:"
>> \\DATASRV\groble$
>> Failed to enumerate objects in the container. Access is denied.
>>
>> The only operation that succeeds is changing ownership
>>
>> I setup the directory the usual way according to the Samba Wiki
>>
>> mkdir -p /data/groble
>> chown root:"Domain Admins" /data/groble
>> chmod 0770 /data/groble
>>
>> and defined it in smb.conf as
>>
>> [groble$]
>>         comment = Roaming profiles
>>         path = /data/groble/
>>         read only = no
>>         acl_xattr:ignore system acls = yes
>>         hide dot files = no
>>         csc policy = disable
>>
> That share appears to be for 'roaming profiles', so I suggest you read
> this wiki page and then follow it to the letter:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Follow the 'Using Windows ACLs' section.
>
> I also suggest you connect from Windows as a member of Domain Admins.
>
> Rowland
>

Hi Rowland,

I have already done that, a zillion times. Still does not work. The basic problem is, that I cannot modify anything as Administrator. Whether the share will be used for roaming profiles or not, is secondary, and not the problem.

As I reported, if I set the owner on the directory I want to share as PRIVATE\myadmin:"Domain Admins" with permissions 0770, I can manage the share properties as that user. If I create it as root:"Domain Admins", no way. Neither as PRIVATE\myadmin, nor as PRIVATE\Administrator.

Thanks for your advice,
Peter

Best regards,
Rowland Penny
2023-Dec-12 18:12 UTC
[Samba] Permission denied while trying to setup share with RSAT
On Tue, 12 Dec 2023 18:59:33 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>
> On 12.12.2023 18:42, Rowland Penny via samba wrote:
> > On Tue, 12 Dec 2023 13:11:14 +0100
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> Hi folks,
> >>
> >> AD Member server with Samba 4.19.3 from Debian Bookworm backports.
> >> AD DC also Samba 4.19.3 from Debian Bookworm backports. smb.conf
> >> last in the message.
> >>
> >> When trying to setup a share with RSAT as Administrator, every
> >> operation fails with the error message:
> >>
> >> "An error occurred while applying security information to:"
> >> \\DATASRV\groble$
> >> Failed to enumerate objects in the container. Access is denied.
> >>
> >> The only operation that succeeds is changing ownership
> >>
> >> I setup the directory the usual way according to the Samba Wiki
> >>
> >> mkdir -p /data/groble
> >> chown root:"Domain Admins" /data/groble
> >> chmod 0770 /data/groble
> >>
> >> and defined it in smb.conf as
> >>
> >> [groble$]
> >>         comment = Roaming profiles
> >>         path = /data/groble/
> >>         read only = no
> >>         acl_xattr:ignore system acls = yes
> >>         hide dot files = no
> >>         csc policy = disable
> >>
> > That share appears to be for 'roaming profiles', so I suggest you
> > read this wiki page and then follow it to the letter:
> >
> > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> >
> > Follow the 'Using Windows ACLs' section.
> >
> > I also suggest you connect from Windows as a member of Domain
> > Admins.
> >
> > Rowland
> >
> >
> Hi Rowland,
>
> I have already done that, a zillion times. Still does not work. The
> basic problem is, that I cannot modify anything as Administrator.
> Whether the share will be used for roaming profiles or not, is
> secondary, and not the problem.
>
> As I reported, if I set the owner on the directory I want to share as
> PRIVATE\myadmin:"Domain Admins" with permissions 0770, I can manage
> the share properties as that user. If I create it as root:"Domain
> Admins", no way. Neither as PRIVATE\myadmin, nor as
> PRIVATE\Administrator.

From my testing, you no longer seem to need the user.map, try reading this:

https://lists.samba.org/archive/samba/2023-November/247267.html

Rowland