I have created a [home] share:

user at jupiter:~$ sudo ls -l /srv/samba/
total 24
drwxrwxr-x 2 root domain admins 4096 Nov 22 21:38 Demo
drwxrwxr-x 2 root domain admins 4096 Nov 15 11:51 Finance
drwxrwxr-x+ 2 root domain admins 4096 Nov 25 08:08 home
drwxrwxr-x+ 9 root domain admins 4096 Nov 24 21:06 Printer_drivers

When I try to set the ACLs in Windows I get "Permission Denied"

In Windows I am logged in as "administrator" who is a member of "Domain Admins"

user at jupiter:~$ getfacl /srv/samba/home
getfacl: Removing leading '/' from absolute path names

# file: srv/samba/home
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::r-x
group:domain\040admins:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x

Domain Admins does have the correct privileges:

user at jupiter:~$ net rpc rights list accounts -U'ABC\administrator'
Enter ABC\administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

ABC\Domain Admins
SePrintOperatorPrivilege
SeDiskOperatorPrivilege

BUILTIN\Administrators
SeMachineAccountPrivilege
...
SeEnableDelegationPrivilege

Everyone
No privileges assigned

Hi,

You should post your smb.conf of that file server. You should also tell us what kind of domain it is, in case of domain. That should help people to help you.

Cheers,

mathias

2015-11-25 0:00 GMT+01:00 Henry McLaughlin <henry at incred.com.au>:
> I have created a [home] share:
>
> user at jupiter:~$ sudo ls -l /srv/samba/
> total 24
> drwxrwxr-x 2 root domain admins 4096 Nov 22 21:38 Demo
> drwxrwxr-x 2 root domain admins 4096 Nov 15 11:51 Finance
> drwxrwxr-x+ 2 root domain admins 4096 Nov 25 08:08 home
> drwxrwxr-x+ 9 root domain admins 4096 Nov 24 21:06 Printer_drivers
>
> When I try to set the ACLs in Windows I get "Permission Denied"
>
> In Windows I am logged in as "administrator" who is a member of "Domain
> Admins"
>
> user at jupiter:~$ getfacl /srv/samba/home
> getfacl: Removing leading '/' from absolute path names
>
> # file: srv/samba/home
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> group::r-x
> group:domain\040admins:r-x
> mask::rwx
> other::r-x
> default:user::rwx
> default:group::r-x
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::r-x
>
>
> Domain Admins does have the correct privileges:
>
> user at jupiter:~$ net rpc rights list accounts -U'ABC\administrator'
> Enter ABC\administrator's password:
> BUILTIN\Print Operators
> No privileges assigned
>
> BUILTIN\Account Operators
> No privileges assigned
>
> BUILTIN\Backup Operators
> No privileges assigned
>
> BUILTIN\Server Operators
> No privileges assigned
>
> ABC\Domain Admins
> SePrintOperatorPrivilege
> SeDiskOperatorPrivilege
>
> BUILTIN\Administrators
> SeMachineAccountPrivilege
> ...
> SeEnableDelegationPrivilege
>
> Everyone
> No privileges assigned
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 25 November 2015 at 20:27, mathias dufresne <infractory at gmail.com> wrote:
> Hi,
>
> You should post your smb.conf of that file server. You should also tell us
> what kind of domain it is, in case of domain. That should help people to
> help you.
>
> Cheers,
>
> mathias
>
>

Hi and thank you for the help.

I think I have solved this, however my solution is not pure.

When I create a share in Linux the owner & group is: root:root

I had thought that this was my problem as I did not have permission to write to the folder and had to change the group to "Domain Admins", however this still caused the error.

What I have discovered is that regardless of the Linux permissions, when I create a share the Windows share owner is: "root (Unix User\root)". As long as this is the share owner in Windows I receive the permission denied error.

I have simply changed the share owner to "Domain Users" in Windows and the error goes away.

> 2015-11-25 0:00 GMT+01:00 Henry McLaughlin <henry at incred.com.au>:
>
> > I have created a [home] share:
> >
> > user at jupiter:~$ sudo ls -l /srv/samba/
> > total 24
> > drwxrwxr-x 2 root domain admins 4096 Nov 22 21:38 Demo
> > drwxrwxr-x 2 root domain admins 4096 Nov 15 11:51 Finance
> > drwxrwxr-x+ 2 root domain admins 4096 Nov 25 08:08 home
> > drwxrwxr-x+ 9 root domain admins 4096 Nov 24 21:06 Printer_drivers
> >
> > When I try to set the ACLs in Windows I get "Permission Denied"
> >
> > In Windows I am logged in as "administrator" who is a member of "Domain
> > Admins"
> >
> > user at jupiter:~$ getfacl /srv/samba/home
> > getfacl: Removing leading '/' from absolute path names
> >
> > # file: srv/samba/home
> > # owner: root
> > # group: domain\040admins
> > user::rwx
> > user:root:rwx
> > group::r-x
> > group:domain\040admins:r-x
> > mask::rwx
> > other::r-x
> > default:user::rwx
> > default:group::r-x
> > default:group:domain\040admins:rwx
> > default:mask::rwx
> > default:other::r-x
> >
> >
> > Domain Admins does have the correct privileges:
> >
> > user at jupiter:~$ net rpc rights list accounts -U'ABC\administrator'
> > Enter ABC\administrator's password:
> > BUILTIN\Print Operators
> > No privileges assigned
> >
> > BUILTIN\Account Operators
> > No privileges assigned
> >
> > BUILTIN\Backup Operators
> > No privileges assigned
> >
> > BUILTIN\Server Operators
> > No privileges assigned
> >
> > ABC\Domain Admins
> > SePrintOperatorPrivilege
> > SeDiskOperatorPrivilege
> >
> > BUILTIN\Administrators
> > SeMachineAccountPrivilege
> > ...
> > SeEnableDelegationPrivilege
> >
> > Everyone
> > No privileges assigned

On 24/11/15 23:00, Henry McLaughlin wrote:
> I have created a [home] share:
>
> user at jupiter:~$ sudo ls -l /srv/samba/
> total 24
> drwxrwxr-x 2 root domain admins 4096 Nov 22 21:38 Demo
> drwxrwxr-x 2 root domain admins 4096 Nov 15 11:51 Finance
> drwxrwxr-x+ 2 root domain admins 4096 Nov 25 08:08 home
> drwxrwxr-x+ 9 root domain admins 4096 Nov 24 21:06 Printer_drivers
>
> When I try to set the ACLs in Windows I get "Permission Denied"
>
> In Windows I am logged in as "administrator" who is a member of "Domain
> Admins"
>
> user at jupiter:~$ getfacl /srv/samba/home
> getfacl: Removing leading '/' from absolute path names
>
> # file: srv/samba/home
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> group::r-x
> group:domain\040admins:r-x
> mask::rwx
> other::r-x
> default:user::rwx
> default:group::r-x
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::r-x
>
>
>

OK, the unix permissions are:

drwxrwxr-x+ 2 root domain admins 4096 Nov 25 08:08 home

But getfacl shows two group permissions:

# group: domain\040admins
group::r-x
group:domain\040admins:r-x

Both of which show that the group has *no* write permissions, fix this and it should work as expected.

Rowland
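
Added example, not part of the thread: a shell function that applies the check described in the reply above to getfacl text and also takes the mask entry into account. The names posted_acl and group_write_check are made up for this illustration; the ACL is the access ACL posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check a group's effective write access
# from getfacl text. With an extended ACL, the group column of `ls -l`
# shows the mask, so "drwxrwxr-x+" does not prove the group can write.

# Access ACL of /srv/samba/home as posted in the thread.
posted_acl() {
cat <<'EOF'
# file: srv/samba/home
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::r-x
group:domain\040admins:r-x
mask::rwx
other::r-x
EOF
}

# group_write_check GROUP: reads getfacl text on stdin, prints one line per
# access entry that applies to GROUP with its effective permissions
# (entry AND mask), and returns 0 only if one of them grants write.
group_write_check() {
    WANT="$1" awk '
        { gsub(/\\040/, " ") }                 # getfacl escapes spaces as \040
        /^# group: / { owning = substr($0, 10) }
        /^mask::/    { mask = substr($0, 7, 3) }
        /^group:/    { split($0, f, ":"); name[++n] = f[2]; perm[n] = substr(f[3], 1, 3) }
        END {
            if (mask == "") mask = "rwx"       # minimal ACL: no mask entry
            for (i = 1; i <= n; i++) {
                who = (name[i] == "") ? owning : name[i]
                if (who != ENVIRON["WANT"]) continue
                eff = ""
                for (c = 1; c <= 3; c++)
                    eff = eff ((substr(mask, c, 1) == "-") ? "-" : substr(perm[i], c, 1))
                print "group:" name[i] ":" eff
                if (eff ~ /w/) ok = 1
            }
            exit(ok ? 0 : 1)
        }'
}

# The posted ACL fails the check: both matching entries are r-x.
posted_acl | group_write_check "domain admins" || echo "no effective write for group"
```

On a directory that already carries an extended ACL, chmod g=rwx changes the mask entry rather than group::, which is how ls -l can show rwx for the group while both group entries stay r-x; the entries themselves are changed with setfacl -m.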

If this is about problems on a member server, read on.
If it's on an ADDC, then I don't know, but good info below. ;-)

( Rowland, maybe a thing to put on the wiki also, read on.. )

If you only use the share from Windows machines, make your life easy.
Add : acl_xattr:ignore system acls = yes to the share.
And set the correct rights from within Windows.

If you do use the shares /folders also from within Linux.
Set UID/GID for all (needed) users/groups.
Use the user_mapping in samba to map root to the domain administrator,
And/or set user Administrator on the folder
now set the correct rights from within Windows.

Above can be done on ADDC or member server but there is a big difference.

Regarding.. ( more explained )
> sudo ls -l /srv/samba/
> > drwxrwxr-x 2 root domain admins 4096 Nov 15 11:51 Finance
> > drwxrwxr-x+ 2 root domain admins 4096 Nov 25 08:08 home
> When I try to set the ACLs in Windows I get "Permission Denied"

Yes, totally correct, I assume you did read:
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
which says,
# chmod g=rwx /srv/samba/Demo/
# chgrp "Domain Admins" /srv/samba/Demo/

But this example is done on an ADDC server, and not on a member server.
On an ADDC user Administrator is automatically mapped to root,
id administrator on ADDC results in UID 0 and imo most important info,
is missing on the wiki.

I also assume you're doing this on a member server.
Which is ok also, but in the 2 ls example above.

drwxrwxr-x 2 root domain admins
does not work on a member server without the user mapping or a bit different rights.
So set Administrator:"domain admins" on this folder OR use the user mapping.

And make sure that /srv/samba at least has 2775 rights.
And maybe a chgrp "Domain Admins" /srv/samba

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Wednesday 25 November 2015 11:30
> To: samba at lists.samba.org
> Subject: Re: [Samba] Permission Denied
>
> On 24/11/15 23:00, Henry McLaughlin wrote:
> > I have created a [home] share:
> >
> > user at jupiter:~$ sudo ls -l /srv/samba/
> > total 24
> > drwxrwxr-x 2 root domain admins 4096 Nov 22 21:38 Demo
> > drwxrwxr-x 2 root domain admins 4096 Nov 15 11:51 Finance
> > drwxrwxr-x+ 2 root domain admins 4096 Nov 25 08:08 home
> > drwxrwxr-x+ 9 root domain admins 4096 Nov 24 21:06 Printer_drivers
> >
> > When I try to set the ACLs in Windows I get "Permission Denied"
> >
> > In Windows I am logged in as "administrator" who is a member of "Domain
> > Admins"
> >
> > user at jupiter:~$ getfacl /srv/samba/home
> > getfacl: Removing leading '/' from absolute path names
> >
> > # file: srv/samba/home
> > # owner: root
> > # group: domain\040admins
> > user::rwx
> > user:root:rwx
> > group::r-x
> > group:domain\040admins:r-x
> > mask::rwx
> > other::r-x
> > default:user::rwx
> > default:group::r-x
> > default:group:domain\040admins:rwx
> > default:mask::rwx
> > default:other::r-x
> >
> >
> >
>
> OK, the unix permissions are:
>
> drwxrwxr-x+ 2 root domain admins 4096 Nov 25 08:08 home
>
> But getfacl shows two group permissions:
>
> # group: domain\040admins
> group::r-x
> group:domain\040admins:r-x
>
> Both of which show that the group has *no* write permissions, fix this
> and it should work as expected.
>
> Rowland

On 25/11/15 11:51, L.P.H. van Belle wrote:
> If this is about problems on a member server, read on.
> If it's on an ADDC, then I don't know, but good info below. ;-)
>
> ( Rowland, maybe a thing to put on the wiki also, read on.. )

The thing is, it was on the wiki and Marc decided it would be better to go down the 'Domain Admins' line. He doesn't seem to like the username map way of doing things. I think it needs to be put back. Hopefully Marc will pick up on this and comment.

>
>
> If you only use the share from Windows machines, make your life easy.
> Add : acl_xattr:ignore system acls = yes to the share.
> And set the correct rights from within Windows.
>
> If you do use the shares /folders also from within Linux.
> Set UID/GID for all (needed) users/groups.
> Use the user_mapping in samba to map root to the domain administrator,
> And/or set user Administrator on the folder
> now set the correct rights from within Windows.
>
> Above can be done on ADDC or member server but there is a big difference.
>
> Regarding.. ( more explained )
>> sudo ls -l /srv/samba/
>>> drwxrwxr-x 2 root domain admins 4096 Nov 15 11:51 Finance
>>> drwxrwxr-x+ 2 root domain admins 4096 Nov 25 08:08 home
>> When I try to set the ACLs in Windows I get "Permission Denied"
> Yes, totally correct, I assume you did read:
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
> which says,
> # chmod g=rwx /srv/samba/Demo/
> # chgrp "Domain Admins" /srv/samba/Demo/
>
> But this example is done on an ADDC server, and not on a member server.
> On an ADDC user Administrator is automatically mapped to root,
> id administrator on ADDC results in UID 0 and imo most important info,
> is missing on the wiki.
>
> I also assume you're doing this on a member server.
> Which is ok also, but in the 2 ls example above.
>
> drwxrwxr-x 2 root domain admins
> does not work on a member server without the user mapping or a bit different rights.
> So set Administrator:"domain admins" on this folder OR use the user mapping.

This would mean that you would have to give Administrator a uidNumber, breaking the link between 'root' and 'Administrator'. Not saying this is a bad idea, just that you should be aware of it.

Rowland

>
> And make sure that /srv/samba at least has 2775 rights.
> And maybe a chgrp "Domain Admins" /srv/samba
>
>
> Greetz,
>
> Louis
>
>
>