samba - Jul 2019 - cannot set filesystem permissions on shares

> >>> Hi,
> >>>
> >>> I would like to set filesystem permissions on shares (users,
at the
> >>> moment) with Windows 10 (1809).
> >>> On the Samba side, the filesystem is ext4. I tested the
extended
> >>> attributes usability with setfattr/getfattr, and
setfacl/getfacl, and
> >>> they work.
> >>> I set the followings in smb.conf:
> >>> [global]
> >>> vfs objects = acl_xattr
> >>> map acl inherit = yes
> >>> store dos attributes = yes
> >>> ...
> >>>
> >>> [users]
> >>> path = /home/users
> >>> read only = no
> >>>
> >>> And:
> >>> chown root:"Domain Admins" /home/users
> >>> chmod 0770 /home/users
> >>>
> >>> I gave SeDiskOperatorPrivilege to the Administrator user (I
don't
> >>> understand, why he doesn't have it default) on dc1, and on
the file
> >>> server too.
> >>>
> >>> On Windows, I can connect to the Samba file server, with
computer
> >>> management (it connects immediately, but, when I click on the
system
> >>> tools, it gives me an error message: SRV cannot connect...
When I
> >>> click on the ok, it connects after all). I can see shares in
Shared
> >>> folders/Shares. I can set share permissions, but on the
security tab,
> >>> I see that I need read permission for the object. When I click
on
> >>> Special button, the situation is similar: I don't have
permission for
> >>> the object.
> >>> What additional settings I need, what should I check?
> >>>
> >> Can you start by posting your entire smb.conf
> > Yes:
> >
> > [global]
> > bind interfaces only = Yes
> > dos charset = CP852
> > interfaces = lo enp0s3
> > log file = /var/log/samba/%m.log
> > log level = 1
> > name resolve order = wins bcast
> > realm = A.B.HU
> > security = ADS
> > template homedir = /home/users/%U
> > template shell = /bin/bash
> > unix charset = UTF8
> > username map = /etc/samba/user.map
> > wins server = 192.168.0.4
> > workgroup = A
> > idmap config a : range = 10000-999999
> > idmap config a : backend = rid
> > idmap config * : range = 3000-7999
> > idmap config * : backend = tdb
> > create mask = 0770
> > csc policy = disable
> > directory mask = 0770
> > map acl inherit = Yes
> > store dos attributes = Yes
> > vfs objects = acl_xattr
> >
> > [users]
> > path = /home/users
> > read only = No
> >
> Have you read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Yes.
> Does '/etc/samba/user.map' contain this:
>
> !root = A\Administrator
Yes.
> The only thing 'wrong' with your smb.conf is the use of
'wins', this
> isn't used any more.
Thanks, I changed the necessary parameters.
Problem still exists.

On 02/07/2019 13:49, Pisch Tam?s via samba wrote:
> Thanks, I changed the necessary parameters.
> Problem still exists.
Who are you logged into the Windows PC as ?

You can ignore the error message, it occurs a lot, but goes away when 
you click 'OK'

Rowland

>Who are you logged into the Windows PC as ?
I log in az A\Administrator. I created an admin user, put in Domain
Admins group, but the result was the same (ok, it would be strange, if
it would work with it, instead of Administrator).

On 02/07/2019 14:44, Pisch Tam?s via samba wrote:
>> Who are you logged into the Windows PC as ?
> I log in az A\Administrator. I created an admin user, put in Domain
> Admins group, but the result was the same (ok, it would be strange, if
> it would work with it, instead of Administrator)
Then you need to ensure that 'Domain Admins' has the same privilege as 
'A\Administrator'

Rowland

> >> Who are you logged into the Windows PC as ?
> > I log in az A\Administrator. I created an admin user, put in Domain
> > Admins group, but the result was the same (ok, it would be strange, if
> > it would work with it, instead of Administrator)
> Then you need to ensure that 'Domain Admins' has the same privilege
as
> 'A\Administrator'
Ok, I granted the following privileges to Administrator, (and to
Domain Admins too) :
net rpc rights list "Administrator" -UAdministrator
Enter Administrator's password:
SeDiskOperatorPrivilege
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
But I still cannot change the permissions.