I obtain this result: Impossible to enumerate the objects in the container. Access denied.

On 11/02/2019 17:35, Rowland Penny via samba wrote:
> On Mon, 11 Feb 2019 17:21:13 +0100
> marco pirola via samba <samba at lists.samba.org> wrote:
>
>> No firewall and no selinux policy running on the domain member; on the
>> samba directory I used chown root:"Domain User" /home/samba. Is this
>> command ok?
>>
>> On 11/02/2019 17:02, Rowland Penny via samba wrote:
>>> On Mon, 11 Feb 2019 16:43:48 +0100
>>> marco pirola via samba <samba at lists.samba.org> wrote:
>>>
>>>> How should I behave?
>>> Is there a firewall running on the Samba machine ?
>>> Is Apparmor or Selinux running on the Samba machine ?
>>>
>>> If you follow the wiki page it should work.
>>>
> As I said, if you follow the wiki page it should work, you are not
> following the wiki page, particularly this part:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
>
> Do not give 'Domain Users' any privileges, use either 'Administrators'
> or 'Domain Admins' or a group you have created that is a member of
> 'Administrators' or 'Domain Admins'. Whichever group you use, it
> must produce output from 'getent group <THE_GROUP_NAME>' on the
> computer holding the Samba share. You must also run the 'net rpc rights
> grant' command on the computer that holds the share.
>
> Rowland
On Tue, 12 Feb 2019 11:13:56 +0100
marco pirola via samba <samba at lists.samba.org> wrote:
> I obtain this result: Impossible to enumerate the objects in the
> container. Access denied.
>
Hi Marco, you posted this as your smb.conf:

[global]
security = ADS
workgroup = ROBINOOD
realm = ROBINOOD.TST
log file = /var/log/samba/%m.log
log level = 1
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the ROBINOOD domain
idmap config ROBINOOD : backend = rid
idmap config ROBINOOD : range = 10000-999999
winbind use default domain = yes
username map = /etc/samba/user.map

[samba]
path = /home/samba/samba/
read only = no

So I added your share to an existing Unix domain member, that also uses
the 'rid' backend, these are my notes, they prove it works.

Log into the Samba Unix domain member that holds the share

Some commands will be run as root

Running the following command:

getent group Domain\ Admins

Should produce output similar to this:

domain_admins:x:10512:administrator,rowland

If you do not get output, then nothing is going to work.

List the existing SeDiskOperatorPrivilege owners

net rpc rights list privileges SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
Enter ROBINOOD\administrator's password:
SeDiskOperatorPrivilege:
BUILTIN\Administrators

If 'Domain Admins' isn't shown (as above), you need to add the group:

net rpc rights grant "ROBINOOD\Domain Admins" SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
Enter ROBINOOD\administrator's password:
Successfully granted rights.

Check the privilege owners again

net rpc rights list privileges SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
Enter ROBINOOD\administrator's password:
SeDiskOperatorPrivilege:
ROBINOOD\Domain_Admins
BUILTIN\Administrators

Now create the share directory (if it doesn't already exist):

sudo mkdir -p /home/samba/samba/

sudo chown root:Domain\ Admins /home/samba/samba/
sudo chmod 0770 /home/samba/samba/

Check the ownership:

ls -lad /home/samba/samba/
drwxrwx--- 2 root domain_admins 4096 Feb 12 10:47 /home/samba/samba/

Reload Samba:

sudo smbcontrol all reload-config

Now go to a Windows machine (in my case win10) and log on using an account that is a member of Domain Admins.

Click Start, enter Computer Management, and start the application.

Select Action --> Connect to another computer.

Enter the name of the Samba host and click OK to connect the console to the host.

Open System Tools
NOTE: You may get an error box, just click 'OK' and it will connect.

Open Shared Folders --> Shares menu entry.

Right-click the 'samba' share and select Properties.

Select the Security tab.

Click the Edit button and then the 'Add' button

Click 'Advanced' button

Click 'Find Now'

Select a user or group from the list, I will use 'Domain Users'

Click 'OK'

Click 'OK'

Select permissions to grant, I will grant 'Full control'

A Windows security box should open, asking if you want to continue
Click 'Yes'

If you now check the list of 'Group or user names', you should find 'Domain Users' listed

Click OK to close the Properties box.

Back to the Samba share machine:

If you check the ownership of the share directory, you should see that something has been added:

ls -lad /home/samba/samba/
drwxrwx---+ 2 root domain_admins 4096 Feb 12 10:47 /home/samba/samba/
          ^
          |--- This

If you now run:

getfacl /home/samba/samba/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/samba/
# owner: root
# group: domain_admins
user::rwx
user:root:rwx
user:10512:rwx
user:10513:rwx
group::rwx
group:domain_admins:rwx
group:domain_users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:10513:rwx
default:group::r-x
default:group:domain_admins:r-x
default:group:domain_users:rwx
default:mask::rwx
default:other::r-x

You can now see that members of 'Domain Users' can Read, Write and enter the directory.

Hope this helps

Rowland
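Added example, not part of the thread or of Samba itself: a small Python helper that parses the getfacl output Rowland posted, applies the POSIX ACL mask to give each entry's effective rights, and converts the numeric ids 10512 and 10513 back to RIDs using the low end (10000) of the rid range from Marco's smb.conf; the function names and the RID-to-name table are my own assumptions.

```python
# Added example (not from the thread): evaluate Rowland's getfacl output
# and map rid-backend ids back to RIDs; names and table are assumptions.
GETFACL_OUTPUT = """\
# file: home/samba/samba/
# owner: root
# group: domain_admins
user::rwx
user:root:rwx
user:10512:rwx
user:10513:rwx
group::rwx
group:domain_admins:rwx
group:domain_users:rwx
mask::rwx
other::---
"""
RID_RANGE_LOW = 10000   # 'idmap config ROBINOOD : range = 10000-999999'
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users"}  # standard AD RIDs

def parse_getfacl(text):
    """Return {'access': [(tag, qualifier, perms)], 'default': [...]}."""
    acl = {"access": [], "default": []}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                      # skip getfacl header lines
        scope = "access"
        if line.startswith("default:"):   # default ACL = inherited by new files
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        acl[scope].append((tag, qualifier, perms))
    return acl

def effective_perms(entries, tag, qualifier=""):
    """Named users/groups and the owning group are limited by the mask entry."""
    mask = next(p for t, _, p in entries if t == "mask")
    perms = next(p for t, q, p in entries if t == tag and q == qualifier)
    if tag == "group" or (tag == "user" and qualifier):
        return "".join(a if a == b else "-" for a, b in zip(perms, mask))
    return perms

def id_to_rid(unix_id):
    """rid backend: unix id = RID + low end of the range, so invert it."""
    rid = unix_id - RID_RANGE_LOW
    return rid, WELL_KNOWN_RIDS.get(rid, "unknown")

if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    for tag, qual, _ in acl["access"]:
        print(tag, qual or "-", effective_perms(acl["access"], tag, qual))
```

Running it shows that 10512 and 10513 are the Domain Admins (512) and Domain Users (513) RIDs shifted by the range base, and that with mask::rwx every named entry keeps its full rights.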
Hi, with the command getent group Domain\ Admins I obtain:

domain admins:x:10512:

Is it correct?

On 12/02/2019 12:57, Rowland Penny via samba wrote:
> On Tue, 12 Feb 2019 11:13:56 +0100
> marco pirola via samba <samba at lists.samba.org> wrote:
>
>> I obtain this result: Impossible to enumerate the objects in the
>> container. Access denied.
>>
> Hi Marco, you posted this as your smb.conf:
>
> [global]
> security = ADS
> workgroup = ROBINOOD
> realm = ROBINOOD.TST
> log file = /var/log/samba/%m.log
> log level = 1
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the ROBINOOD domain
> idmap config ROBINOOD : backend = rid
> idmap config ROBINOOD : range = 10000-999999
> winbind use default domain = yes
> username map = /etc/samba/user.map
>
> [samba]
> path = /home/samba/samba/
> read only = no
>
> So I added your share to an existing Unix domain member, that also uses
> the 'rid' backend, these are my notes, they prove it works.
>
> Log into the Samba Unix domain member that holds the share
>
> Some commands will be run as root
>
> Running the following command:
>
> getent group Domain\ Admins
>
> Should produce output similar to this:
>
> domain_admins:x:10512:administrator,rowland
>
> If you do not get output, then nothing is going to work.