Viktor Trojanovic
2020-May-31 16:20 UTC
[Samba] Cannot change NTACL for share from Windows
On Sun, 31 May 2020 at 16:04, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 31/05/2020 16:37, Viktor Trojanovic via samba wrote:
> > I just joined a freshly installed Linux machine with Samba 4.11.6 to my
> > Windows AD, as a domain member. Followed the Wiki to a T, domain join
> > without errors, I can enumerate users/groups, I can create shares and work
> > with them from Windows (all that matters to me).
> >
> > Unfortunately, however, I don't seem to be able to change share security
> > settings, i.e. ACL from Windows. Whenever I do so, I get the error message
> > that "access is denied". Creating folders within the share and changing
> > ACLs for these works without issues, it's just the root folder of the share
> > I have problems with.
> >
> > I chose to go with the ad IDMAP backend. Of course, all recommendations are
> > followed:
> >
> > - Administrator and Domain Admins have no uidNumber/gidNumber set, all
> > others do. Though that shouldn't be relevant at this point since I'm only
> > accessing the shares from Windows.
> > - Administrator is mapped to root in user.map
> > - SeDiskOperatorPrivilege was given to new group "Unix Admins" which owns
> > the shares, together with root. Which still shouldn't matter here because
> > up to now everything was done using the Administrator account, mapped to
> > root.
> > - All shares are chmodded to 0770
> > - Share definitions in smb.conf are just 3 lines, as recommended in the
> > Wiki: share name, folder location, read only = no
> >
> OK, let's start with the obvious, you have:
>
> workgroup = SAMDOMAIN
>
> and:
>
> idmap config hq:backend = ad
>
> Is 'SAMDOMAIN' actually 'HQ' ?
>

Yes

> Do all your users have a uidNumber attribute containing a number inside
> 10000-999999 ?
>

Yes. It's a fresh AD. 2 users at the moment. And as mentioned, I've been
only using the Administrator so far.

> Does Domain Users have a gidNumber attribute containing a number inside
> 10000-999999 ?
>

Yes, 10000.

> Is Apparmor (or Selinux) running and denying access ?
>

No Selinux present. As for Apparmor, it doesn't look like it.

ubuntu at fs1:/$ sudo apparmor_status
apparmor module is loaded.
9 profiles are loaded.
9 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
0 processes have profiles defined.
Rowland penny
2020-May-31 16:47 UTC
[Samba] Cannot change NTACL for share from Windows
On 31/05/2020 17:20, Viktor Trojanovic wrote:
> > Is 'SAMDOMAIN' actually 'HQ' ?
> >
> Yes

I thought it was, if you are going to sanitise things, do it everywhere ;-)

> > Is Apparmor (or Selinux) running and denying access ?
> >
> No Selinux present. As for Apparmor, it doesn't look like it.
>
> ubuntu at fs1:/$ sudo apparmor_status
> apparmor module is loaded.

Yes it is, you need to find out if Apparmor is your problem (I think it
is) and how to fix it, if it is. I cannot help you, I always 'apt-get
purge apparmor'. The problem with Apparmor (and Selinux) is that you get
strange 'permission denied' errors and cannot find out why and then
spend hours trying to fix the problem, only to find the quickest fix is
to remove Apparmor. Don't get me wrong, Apparmor is a good idea, but
without something shouting at you "you cannot do that because of 'this',
you need to do 'this' to fix your problem", you have to be an Apparmor
expert to fix it.

Rowland
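A way to answer the "is AppArmor the problem?" question without purging it, added here as an example and not part of the thread. AppArmor records every denial as a kernel audit line containing apparmor="DENIED", so the first check pulls profile, operation, path and denied mask out of those lines; the second checks whether any loaded profile name mentions smbd at all, since an unconfined smbd cannot be the source of an AppArmor denial. The sample kernel-log lines and the status listing are constructed for illustration (the profile path /usr/sbin/smbd, the share path /srv/samba/share/ and the pids are assumptions, not values from the thread).

```shell
#!/bin/sh
# Added example (not from the thread): two offline-testable checks for
# "is AppArmor behind the access denied?". Both read command output from
# stdin; on a live host pipe in the real commands:
#   journalctl -k -b | apparmor_denials      # or: dmesg | apparmor_denials
#   aa-status | smbd_profile_loaded          # or: apparmor_status

# 1. One line per AppArmor denial: profile, operation, path, denied mask.
#    The kernel logs each denial as an audit line containing apparmor="DENIED"
#    with the fields in the order operation, profile, name, ..., denied_mask.
apparmor_denials() {
    grep 'apparmor="DENIED"' \
    | sed -n 's/.*operation="\([^"]*\)".*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\2 \1 \3 \4/p'
}

# 2. "yes" if any loaded profile name mentions smbd, else "no". A listing
#    without an smbd profile means smbd runs unconfined, so AppArmor cannot
#    be what is denying smbd access to the share root.
smbd_profile_loaded() {
    if grep -q 'smbd'; then echo yes; else echo no; fi
}

# Constructed sample kernel log (profile path, share path and pids are made up).
SAMPLE_KLOG='[ 1234.567890] audit: type=1400 audit(1590940100.123:77): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/srv/samba/share/" pid=2211 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1234.600000] audit: type=1400 audit(1590940100.200:78): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.core" pid=980 comm="apparmor_parser"
[ 1235.000000] audit: type=1400 audit(1590940101.000:79): apparmor="DENIED" operation="setattr" profile="/usr/sbin/smbd" name="/srv/samba/share/" pid=2211 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0'

# Constructed sample status output, shaped like the listing posted above
# (only a few of the profile lines are kept).
SAMPLE_STATUS='apparmor module is loaded.
9 profiles are loaded.
9 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/snapd/snap-confine
   /{,usr/}sbin/dhclient
0 profiles are in complain mode.
0 processes have profiles defined.'

echo "== AppArmor denials =="
printf '%s\n' "$SAMPLE_KLOG" | apparmor_denials
echo "== smbd profile loaded? =="
printf '%s\n' "$SAMPLE_STATUS" | smbd_profile_loaded
```

On the listing posted earlier in the thread no profile mentions smbd and "0 processes have profiles defined", so this check returns "no" for that host. If both checks come back empty, the next thing to compare is what Samba has actually stored on the share root versus a subfolder, for example `samba-tool ntacl get /path/to/share --as-sddl` run as root on the member, alongside `getfacl` on the same directories.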
Viktor Trojanovic
2020-May-31 16:55 UTC
[Samba] Cannot change NTACL for share from Windows
On Sun, 31 May 2020 at 16:47, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 31/05/2020 17:20, Viktor Trojanovic wrote:
> > > Is 'SAMDOMAIN' actually 'HQ' ?
> > >
> > Yes
> I thought it was, if you are going to sanitise things, do it everywhere ;-)
> > > Is Apparmor (or Selinux) running and denying access ?
> > >
> > No Selinux present. As for Apparmor, it doesn't look like it.
> >
> > ubuntu at fs1:/$ sudo apparmor_status
> > apparmor module is loaded.
>
> Yes it is, you need to find out if Apparmor is your problem (I think it
> is) and how to fix it, if it is. I cannot help you, I always 'apt-get
> purge apparmor'. The problem with Apparmor (and Selinux) is that you get
> strange 'permission denied' errors and cannot find out why and then
> spend hours trying to fix the problem, only to find the quickest fix is
> to remove Apparmor. Don't get me wrong, Apparmor is a good idea, but
> without something shouting at you "you cannot do that because of 'this',
> you need to do 'this' to fix your problem", you have to be an Apparmor
> expert to fix it.
>

It's just what's there from a default Ubuntu (minimal) install... It looks
like snapd depends on it. Anyway, I don't need either here, so I removed it
entirely. The issue persists, though.