Stephen
2019-Apr-01 14:12 UTC
[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
Hi Rowland, thanks for your suggestions. I have read and re-read the Samba docs to try and understand where I went wrong here. I added the uidNumber and gidNumber exactly as per your comments and that seems to improve the situation markedly. I can now at least see that the share exists from SAMDOM\stephenellwood which wasn't possible before. File access is now possible from SAMDOM/stephenellwood when I configure NTFS security permissions to allow read and write access for group Everyone. I am still seeing issues with fileshare access from custom AD groups though. For example, I removed the NTFS security permissions access to group Everyone on my share. I then created a group OgdenFilesUsers using the ADUC RSAT tool and added SAMDOM/stephenellwood to this. Even when security permissions are set for OgdenFilesUsers to allow read and write permissions it still won't seem to allow access. For good measure I then went and set the gidNumber attribute for my newly created OgdenFilesUsers group to 10001 but that didn't make any difference. Thanks Stephen Ellwood
Rowland Penny
2019-Apr-01 14:26 UTC
[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
On Mon, 1 Apr 2019 15:12:21 +0100 Stephen via samba <samba at lists.samba.org> wrote:> Hi Rowland, thanks for your suggestions. I have read and re-read the > Samba docs to try and understand where I went wrong here. > > I added the uidNumber and gidNumber exactly as per your comments and > that seems to improve the situation markedly. I can now at least see > that the share exists from SAMDOM\stephenellwood which wasn't > possible before. File access is now possible from > SAMDOM/stephenellwood when I configure NTFS security permissions to > allow read and write access for group Everyone. > > I am still seeing issues with fileshare access from custom AD groups > though. For example, I removed the NTFS security permissions access > to group Everyone on my share.Put 'Everyone' back, you need it ;-)>I then created a group OgdenFilesUsers > using the ADUC RSAT tool and added SAMDOM/stephenellwood to this. > Even when security permissions are set for OgdenFilesUsers to allow > read and write permissions it still won't seem to allow access. For > good measure I then went and set the gidNumber attribute for my newly > created OgdenFilesUsers group to 10001 but that didn't make any > difference. >Try reading this: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs Rowland
Stephen
2019-Apr-01 15:03 UTC
[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
Cheers, that fixed it! :O) So, if I may summarise what we have just discussed. 1) All newly created samba users need to have the uidNumber attribute set to a unique value (within the range specified in smb.conf for SAMDOM) when using ad backend with RFC2307. 2) All new groups need to have the gidNumber set to a unique value (within the range specified in smb.conf for SAMDOM) when using ad backend with RFC2307. 3) Don't delete group Everyone - even though the Windows UI will let you do this it will actually break your file permissions :( Could I possibly ask you a couple of further related questions about this uidnumber and gidnumber issue please? 1) Previously I found I could access the share I created as SAMDOM/Administrator. However when I checked using Windows RSAT ADUC there is apparently no uidNumber set for this Administrator account by default. Is that what you would expect to see, presumably I do not need to supply uidNumbers for built-in default accounts? 2) I originally created SAMDOM/stephenellwood at the the DC command-line like so: sudo samba-tool user add your_domain_user --given-name=your_name --surname=your_username --mail-address=your_domain_user at tecmint.lan --login-shell=/bin/bash The Samba docs here https://wiki.samba.org/index.php/Idmap_config_ad appear to suggest that the syntax I have used for my account creation command above is essentially incomplete given that I have also specified winbind nss info = rfc2307 in my smb.conf. I am pretty sure that I need to add some extra command-line switches to my example above specify UID, home directory path, and primary group at account creation time as per the docs. Unfortunately though man samba-tool does not provide a full list of supported samba-tool user create command-line switches. What syntax would you recommend that I use for creating new users in my situation with samba-tool user create Rowland? I do realise creating users in this fashion means having to track the last-used uidNumber manually somehow and thus might not be regarded as best practice. 3) Related to point two, had I instead created user SAMDOM/stephenellwood using the Windows RSAT ADUC tools would sensible uidNumber and gidNumber values have been chosen automatically potentially avoiding this entire problem? The Samba docs here (https://wiki.samba.org/index.php/Idmap_config_ad) are a little unclear about this point. They say "When using the ADUC utility, the user and group IDs are automatically tracked inside AD and incremented when creating a new user or group." The problem is I am unsure if userID == uidNumber, and likewise groupID = gidNumber or if these are actually different parameters. Thanks Stephen Ellwood On 01/04/2019 15:26, Rowland Penny via samba wrote:> On Mon, 1 Apr 2019 15:12:21 +0100 > Stephen via samba <samba at lists.samba.org> wrote: > >> Hi Rowland, thanks for your suggestions. I have read and re-read the >> Samba docs to try and understand where I went wrong here. >> >> I added the uidNumber and gidNumber exactly as per your comments and >> that seems to improve the situation markedly. I can now at least see >> that the share exists from SAMDOM\stephenellwood which wasn't >> possible before. File access is now possible from >> SAMDOM/stephenellwood when I configure NTFS security permissions to >> allow read and write access for group Everyone. >> >> I am still seeing issues with fileshare access from custom AD groups >> though. For example, I removed the NTFS security permissions access >> to group Everyone on my share. > Put 'Everyone' back, you need it ;-) > >> I then created a group OgdenFilesUsers >> using the ADUC RSAT tool and added SAMDOM/stephenellwood to this. >> Even when security permissions are set for OgdenFilesUsers to allow >> read and write permissions it still won't seem to allow access. For >> good measure I then went and set the gidNumber attribute for my newly >> created OgdenFilesUsers group to 10001 but that didn't make any >> difference. >> > Try reading this: > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > > Rowland >
Apparently Analagous Threads
- Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
- Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
- Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
- Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
- Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.