On Thu, 13 Apr 2017 09:28:09 -0400
Rommel Rodriguez Toirac via samba <samba at lists.samba.org> wrote:

>
> I follow step by step Setting up a Share Using Windows ACLs from
> wiki, but still I have an Access denied when try to change the
> permissions of share or when try to change Security ACL. As suggested by
> Rowland I do not change the permissions using Unix, just create the
> directory/subdirectory and add the entry in /etc/smb.conf as:
>
> [compartir]
>     path = /test/compartir/
>     read only = no
>

This sounds like a possible firewall or selinux/apparmor getting in the
way problem.

Rowland

Rommel Rodriguez Toirac
2017-Apr-13 18:18 UTC
[Samba] Access denied to change share security staff
On 13 April 2017 9:56:00 GMT-04:00, Rowland Penny via samba <samba at lists.samba.org> wrote:

>On Thu, 13 Apr 2017 09:28:09 -0400
>Rommel Rodriguez Toirac via samba <samba at lists.samba.org> wrote:
>
>>
>> I follow step by step Setting up a Share Using Windows ACLs from
>> wiki, but still I have an Access denied when try to change the
>> permissions of share or when try to change Security ACL. As suggested by
>> Rowland I do not change the permissions using Unix, just create the
>> directory/subdirectory and add the entry in /etc/smb.conf as:
>>
>> [compartir]
>>     path = /test/compartir/
>>     read only = no
>>
>
>This sounds like a possible firewall or selinux/apparmor getting in the
>way problem.
>
>Rowland

Thanks Rowland for answering me;
I stopped SELinux and the firewall is not running:

[root at gtmpve selinux]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

[root at gtmpve selinux]# setenforce 0
setenforce: SELinux is disabled

[root at gtmpve /]# systemctl --all |grep iptables
● iptables.service    not-found inactive dead    iptables.service

I can change the permissions of the share and I can change and add (or remove) the owners of that share using the Share permissions tab, but when I try to change something with the Security tab, that is when the Access denied happens. I work in that tab. When I open it the users and groups listed are:

    All
    root (Unix User\root)
    root (Unix Group\root)
    CREATOR OWNER
    CREATOR GROUP

All of them just with Special permissions set.

When I try to add some other user or group, at the moment of Accept or Apply the system says:

    "Error trying to apply the security information to:"
    "\\GTMPVE.GTM.ONAT.GOB.CU\compartir"
    "Access denied"

And then any change happens.

Rommel Rodriguez Toirac
rommelrt at nauta.cu

On Thu, 13 Apr 2017 14:18:16 -0400
Rommel Rodriguez Toirac via samba <samba at lists.samba.org> wrote:

>
> I can change the permissions of share and I can change and add (or
> remove) the owners of that share using the Share permissions tab, but
> when try to change something with the Security tab there is when
> happen the Access denied. I work in that tab, When I open it the user
> and group listed are: All root (Unix User\root)
> root (Unix Group\root)
> CREATOR OWNER
> CREATOR GROUP
>
> All of them just with Specials permissions set.
>
> When I try to add some other user or group, in the moment of Accept
> or Apply the system say:
>
> "Error trying to apply the security information to:"
> "\\GTMPVE.GTM.ONAT.GOB.CU\compartir"
> "Access denied"
>
> And then any change happens.
>

If the change occurs, but you get the 'error' message before, then you
can ignore the error; it is being caused by the differences between
Samba AD and Windows AD.

If the changes don't work, can you try the following:

Run the 'net rpc rights list privileges' command on the Unix machine
that holds the share; this will confirm that 'Domain Admins' has the
required privilege.

Change the group ownership of the share, i.e. from the wiki page:

    chgrp 'Domain Admins' /srv/samba/Demo

Now try again from Windows.

Rowland