John Hixson
2014-Jul-16 02:48 UTC
[Samba] Changing ownership of files on Windows (net rpc rights?)
Hello,

I am unable to change ownership of Samba shares on Windows. It makes no difference if Samba is a PDC or if it is a member server in an Active Directory. I am running Samba 4.1.9 on FreeBSD 9.2 with ZFS. I can easily change ownership locally on the FreeBSD box, however, when trying to do it from Windows it errors out with access is denied.

I've attempted to use net rpc rights grant statements to give various users and groups the SeTakeOwnershipPrivilege right (I am not even sure if this is the correct way to go), but it also fails with NT_STATUS_ACCESS_DENIED.

I've pretty much exhausted every avenue trying to figure out why this isn't possible and am hoping someone on this list can help me. I'm attaching my smb.conf file. I can provide anything else if necessary.

- John

-------------- next part --------------
[global]
    server max protocol = SMB3
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 11070
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    hostname lookups = yes
    time server = yes
    domain logons = no
    acl allow execute always = true
    idmap config *:backend = tdb
    idmap config *:range = 90000000-100000000
    server role = member server
    netbios name = BUGFIX
    workgroup = 2K3
    realm = WIN2K3.DIVINIX.ORG
    security = ADS
    client use spnego = yes
    cache directory = /var/tmp/.cache/.samba
    local master = no
    domain master = no
    preferred master = no
    acl check permissions = true
    acl map full control = true
    dos filemode = yes
    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    winbind nss info = rfc2307
    idmap config 2K3: backend = ad
    idmap config 2K3: schema_mode = rfc2307
    idmap config 2K3: range = 10000-90000000
    allow trusted domains = no
    template shell = /bin/sh
    template homedir = /home/%D/%U
    pid directory = /var/run/samba
    smb passwd file = /var/etc/private/smbpasswd
    private dir = /var/etc/private
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1

[homes]
    comment = Home Directories
    valid users = %D\%U
    writable = yes
    browseable = no
    path = /mnt/vol0/HOMES/%D/%U

[CHARTEST]
    path = /mnt/vol0/CHARTEST
    printable = no
    veto files = /.snap/.windows/.zfs/
    writeable = yes
    browseable = yes
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    vfs objects = zfsacl streams_xattr aio_pthread
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes
    zfsacl:acesort = dontcare

[TESTME1]
    path = /mnt/vol0/TESTME1
    printable = no
    veto files = /.snap/.windows/.zfs/
    writeable = yes
    browseable = yes
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    vfs objects = zfsacl streams_xattr aio_pthread
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes
    zfsacl:acesort = dontcare

[TESTME2]
    path = /mnt/vol0/TESTME2
    printable = no
    veto files = /.snap/.windows/.zfs/
    writeable = yes
    browseable = yes
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    vfs objects = zfsacl streams_xattr aio_pthread
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes
    zfsacl:acesort = dontcare

[UFS]
    path = /mnt/ufs0
    printable = no
    veto files = /.snap/.windows/.zfs/
    writeable = yes
    browseable = yes
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    vfs objects = streams_xattr aio_pthread
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes
    zfsacl:acesort = dontcare

steve
2014-Jul-16 10:21 UTC
[Samba] Changing ownership of files on Windows (net rpc rights?)
On Tue, 2014-07-15 at 19:48 -0700, John Hixson wrote:
> Hello,
>
> I am unable to change ownership of Samba shares on Windows.

Hi

smb.conf idmap ranges overlap

I don't know what uidNumber nor gidNumber you have set in AD (you have set uidNumber and gidNumber in AD?) so I can't help with the ranges but they MUST NOT overlap. Even by 1!

Fix the ranges, clear the cache and restart winbind.

Still no good? Try the winbind checklist:
http://linuxcostablanca.blogspot.com.es/2014/06/samba4-winbind-desperation.html

HTH,
Steve