On Thu, 13 Apr 2017 14:18:16 -0400
Rommel Rodriguez Toirac via samba <samba at lists.samba.org> wrote:

>
> I can change the permissions of share and I can change and add (or
> remove) the owners of that share using the Share permissions tab, but
> when try to change something with the Security tab there is when
> happen the Access denied. I work in that tab, When I open it the user
> and group listed are: All root (Unix User\root)
> root (Unix Group\root)
> CREATOR OWNER
> CREATOR GROUP
>
> All of them just with Specials permissions set.
>
> When I try to add some other user or group, in the moment of Accept
> or Apply the system say:
>
> "Error trying to apply the security information to:"
> "\\GTMPVE.GTM.ONAT.GOB.CU\compartir"
> "Access denied"
>
> And then any change happens.
>

If the change occurs, but you get the 'error' message before, then you
can ignore the error, it is being caused by the differences between
Samba AD and windows AD.

If the changes don't work, can you try the following:

Run the 'net rpc rights list privileges' command on the Unix machine
that holds the share, this will confirm that 'Domain Admins' has the
required privilege.

Change the group ownership of the share i.e. from the wiki page:

chgrp 'Domain Admins' /srv/samba/Demo

Now try again from windows.

Rowland
Rommel Rodriguez Toirac
2017-Apr-13 21:10 UTC
[Samba] Access denied to change share security staff
On 13 April 2017 15:15:50 GMT-04:00, Rowland Penny <rpenny at samba.org> wrote:

>On Thu, 13 Apr 2017 14:18:16 -0400
>Rommel Rodriguez Toirac via samba <samba at lists.samba.org> wrote:
>
>>
>> I can change the permissions of share and I can change and add (or
>> remove) the owners of that share using the Share permissions tab, but
>> when try to change something with the Security tab there is when
>> happen the Access denied. I work in that tab, When I open it the user
>> and group listed are: All root (Unix User\root)
>> root (Unix Group\root)
>> CREATOR OWNER
>> CREATOR GROUP
>>
>> All of them just with Specials permissions set.
>>
>> When I try to add some other user or group, in the moment of Accept
>> or Apply the system say:
>>
>> "Error trying to apply the security information to:"
>> "\\GTMPVE.GTM.ONAT.GOB.CU\compartir"
>> "Access denied"
>>
>> And then any change happens.
>>
>
>If the change occurs, but you get the 'error' message before, then you
>can ignore the error, it is being caused by the differences between
>Samba AD and windows AD.
>
>If the changes don't work, can you try the following:
>
>Run the 'net rpc rights list privileges' command on the Unix machine
>that holds the share, this will confirm that 'Domain Admins' has the
>required privilege.
>
>Change the group ownership of the share i.e. from the wiki page:
>
>chgrp 'Domain Admins' /srv/samba/Demo
>
>Now try again from windows.
>
>Rowland
>

Thanks Rowland for writing to me; I ran the commands, these are the results:

[root at gtmpve nagios]# net rpc rights list privileges -Uadministrator
Enter administrator's password:
SeMachineAccountPrivilege  Add machines to domain
SeTakeOwnershipPrivilege   Take ownership of files or other objects
SeBackupPrivilege          Back up files and directories
SeRestorePrivilege         Restore files and directories
SeRemoteShutdownPrivilege  Force shutdown from a remote system
SePrintOperatorPrivilege   Manage printers
SeAddUsersPrivilege        Add users and groups to the domain
SeDiskOperatorPrivilege    Manage disk shares
SeSecurityPrivilege        System security

[root at gtmpve nagios]# net rpc rights list accounts -U'ATGTM00\administrator'
Enter ATGTM00\administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

ATGTM00\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

It looks like the Domain admins do have the 'SeDiskOperatorPrivilege'
privilege. I change the group of the share with chgrp and try from
Windows RSAT. I saw the Domain admins group with Special permissions
set; but can change anything in Security tab. In Share permissions tab
yes.

Now I get this:

[root at gtmpve nagios]# getfacl /test/compartir/
getfacl: Eliminando '/' inicial en nombres de ruta absolutos
# file: test/compartir/
# owner: root
# group: ATGTM00\134domain\040admins
user::rwx
group::r-x
other::r-x

[root at gtmpve nagios]# ls -lda /test/compartir/
drwxr-xr-x. 2 root ATGTM00\domain admins 6 abr 13 08:29 /test/compartir/

The group ATGTM00\134domain\040admins does not have permissions to
write in this directory. Is that right?

Rommel Rodriguez Toirac
rommelrt at nauta.cu
On Thu, 13 Apr 2017 17:10:16 -0400
Rommel Rodriguez Toirac via samba <samba at lists.samba.org> wrote:

>
> [root at gtmpve nagios]# net rpc rights list accounts
> ATGTM00\Domain Admins
> SeDiskOperatorPrivilege
>
> It look like the Domain admins yes have the
> 'SeDiskOperatorPrivilege' privilege. I change the group of the share
> with chgrp and try from Windows RSAT. I saw the Domain admins group
> with Special permissions set; but can change anything in Security tab.
> In Share permissions tab yes.
>
> Now I get this:
>
>
> [root at gtmpve nagios]# getfacl /test/compartir/
> getfacl: Eliminando '/' inicial en nombres de ruta absolutos
> # file: test/compartir/
> # owner: root
> # group: ATGTM00\134domain\040admins
> user::rwx
> group::r-x
> other::r-x
>
> [root at gtmpve nagios]# ls -lda /test/compartir/
> drwxr-xr-x. 2 root ATGTM00\domain admins 6 abr 13
> 08:29 /test/compartir/
>
> The group ATGTM00\134domain\040admins have not permissions to write
> in this directory. Is that right?

Yes, that is your problem now, try 'chmod 0770 /test/compartir'

This will then give 'root' and members of 'Domain Admin' full control
of the directory, but you should then be able to add other users &
groups from windows.

Rowland
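
The two checks this thread walks through, as an added example that is not part of the original posts: does an account hold a privilege in `net rpc rights list accounts` output, and does the share directory's group have write access. The function names, the EXAMPLE domain and the sample output are constructed; the parser assumes one account name per block, followed by its privileges, with a blank line between blocks, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# has_privilege ACCOUNT PRIVILEGE
# Reads `net rpc rights list accounts` output on stdin; exit status 0 when
# ACCOUNT lists PRIVILEGE. Assumed layout: account name, then one privilege
# per line, then a blank line.
has_privilege() {
    # Pass values through the environment: awk -v would treat the backslash
    # in DOMAIN\Group as the start of an escape sequence.
    ACCT="$1" PRIV="$2" awk '
        BEGIN { RS = ""; FS = "\n" }          # one record per account block
        $1 == ENVIRON["ACCT"] {
            for (i = 2; i <= NF; i++) if ($i == ENVIRON["PRIV"]) found = 1
        }
        END { exit !found }'
}

# group_can_write DIR
# Exit status 0 when the group bits of DIR include both w and x, which is
# what creating entries in a directory needs (0770 passes, 0755 does not).
group_can_write() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( (0$mode >> 3) & 3 )) -eq 3 ]
}

# Constructed sample output (not captured from a real server).
sample_rights() {
    cat <<'EOF'
BUILTIN\Server Operators
No privileges assigned

EXAMPLE\Domain Admins
SeDiskOperatorPrivilege

Everyone
No privileges assigned
EOF
}

# Demo on the constructed sample and a throwaway directory.
if sample_rights | has_privilege 'EXAMPLE\Domain Admins' SeDiskOperatorPrivilege; then
    echo "SeDiskOperatorPrivilege: assigned"
fi
demo_dir=$(mktemp -d)
chmod 0755 "$demo_dir"
if ! group_can_write "$demo_dir"; then
    echo "group lacks write access (mode $(stat -c '%a' "$demo_dir"))"
fi
rmdir "$demo_dir"
```

On a real server, pipe the `net rpc rights list accounts` command shown in the thread into `has_privilege` and pass the share path to `group_can_write`.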