On Thu, 2022-03-10 at 10:43 -0800, Greg Sloop <gregs--- via samba wrote:
> So, this is kind of odd.
>
> Samba member server;
> Ubuntu 20.04, with Louis' Samba packages. (4.15.5)
> Went through setup as described in the wiki for member servers - all
> seems fine.
> SeDiskOperatorPrivilege is granted to Domain Admins too.
>
> Initially I chowned the dirs/files as root:domain admins
> and chmod 0770
> getfacl shows:
> # file: .
> # owner: root
> # group: AD\\domain\040admins
> user::rwx
> group::rwx
> other::---
>
> However,
> When I try to set permissions from a Windows 10 machine, using
> windows file explorer, I get this message:
>
> "Failed to enumerate objects in the container. Access is denied."
>
> I'm logged into the domain on the station where I'm trying to mod
> permissions as a user that's a member of "Domain Admins"
>
> ---
> smb.conf from the member/file server
> ---
> [global]
> realm = AD.SAMDOM.LOCAL
> security = ADS
> server role = member server
> server string = FileServer
> username map = /etc/samba/user.map
> workgroup = AD
> idmap config ad : range = 10000-999999
> idmap config ad : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> map acl inherit = Yes
> vfs objects = acl_xattr
>
>
> [root-share]
> comment = root-share
> path = /abc-zfs-01/ad-shared-folders/
> read only = No
>
> ---
> Any good pointers?

Try adding 'min domain uid = 0' to global and reload the config or
restart Samba

Rowland

Greg Sloop <gregs@sloop.net>
2022-Mar-10 19:32 UTC
[Samba] Setting permissions on AD member file server
No, that doesn't appear to resolve it.
(Not that it matters a ton, but what is that option - what does it even do?)

On Thu, Mar 10, 2022 at 10:55 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> Try adding 'min domain uid = 0' to global and reload the config or
> restart Samba
>
> Rowland

L.P.H. van Belle
2022-Mar-11 09:14 UTC
[Samba] Setting permissions on AD member file server
Hmm, found also something else.. (* small hijack of this thread)..

When I run:
net rpc rights list privileges SeDiskOperatorPrivilege -U'ADDOM\Administrator'

On a Debian 10 with samba 4.15.5 with smbd and winbind installed/setup
I get back:
Password for [ADDOM\Administrator]:
SeDiskOperatorPrivilege:
BUILTIN\Administrators

*( to Greg, yes, you can have ADDOM\Domain Admins),
ADDOM\Domain Admins is member of BUILTIN\Administrators
* this is how I setup, not how wiki tells me.
** yeah, I'm bit strange.. ;-)

Now, I'm installing a new server, based on the setup of the one I showed above.
Only, I don't need smbd on it anymore so that now.
A Debian 11 with samba 4.15.5 with winbind installed/setup.

When I now run:
net rpc rights list privileges SeDiskOperatorPrivilege -U'ADDOM\Administrator'
Could not connect to server 127.0.0.1

net rpc rights list privileges SeDiskOperatorPrivilege -S RTD-WEB2 -U'ADDOM\Administrator'
Could not connect to server RTD-WEB2

Thinking about this, it "might" be logical, since I don't have smbd installed/configured.
Just, the error message is off in this case..
If I'm able I'll test that later on.

So that aside.. Back to Greg's problem.

> > > getfacl shows:
> > > # file: .
> > > # owner: root
> > > # group: AD\\domain\040admins
> > > user::rwx
> > > group::rwx
> > > other::---

This should fix it.
setfacl -m g:"domain users":rx /abc-zfs-01/ad-shared-folders/

If you can't enter the folder as user after that.
Did you change the share security rights (* which is by default "everyone")

Then do check the current rights on:
getfacl /abc-zfs-01
getfacl /abc-zfs-01/ad-shared-folders

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Greg
> Sloop <gregs--- via samba
> Sent: Thursday 10 March 2022 20:32
> CC: sambalist
> Subject: Re: [Samba] Setting permissions on AD member file server
>
> No, that doesn't appear to resolve it.
> (Not that it matters a ton, but what is that option - what
> does it even do?)
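
Added example, not part of any message in this thread: one way to carry out the `getfacl` check suggested above on every component of the share path, decoding the `\\` and `\040` escapes seen in the posted output. The sample output and the function names are constructed for illustration, and the check is simplified to one group at a time rather than a user's full group membership.

```python
import re

# Constructed sample of getfacl output for the two directories (not from the thread).
SAMPLE = r"""# file: abc-zfs-01
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: abc-zfs-01/ad-shared-folders
# owner: root
# group: AD\\domain\040admins
user::rwx
group::rwx
group:AD\\domain\040users:r-x
mask::rwx
other::---
"""

def unescape(name):  # getfacl prints a backslash as \\ and a space as octal \040
    return re.sub(r"\\(\\|[0-7]{3})", lambda m: "\\" if m.group(1) == "\\"
                  else chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Map each '# file:' path to its owner, owning group and access entries."""
    acls, cur = {}, None
    for raw in text.splitlines():
        if raw.startswith("# file: "):
            cur = acls.setdefault(unescape(raw[8:]), {"entries": {}})
        elif cur is not None and raw.startswith(("# owner: ", "# group: ")):
            cur[raw[2:7]] = unescape(raw[9:])
        elif cur is not None and raw and not raw.startswith(("#", "default:")):
            tag, name, perms = raw.split()[0].split(":")  # split() drops "#effective:"
            cur["entries"][(tag, unescape(name).casefold())] = perms
    return acls

def group_perms(acl, group):
    """Masked rwx string from the group's own entry, else the 'other' entry."""
    e, g = acl["entries"], group.casefold()
    perms = e.get(("group", "" if acl.get("group", "").casefold() == g else g))
    if perms is None:
        return e[("other", "")]
    mask = e.get(("mask", ""), "rwx")
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def blocked_components(text, group):
    """Paths on which the group lacks read and execute (cannot list or enter)."""
    return [path for path, acl in parse_getfacl(text).items()
            if not set("rx") <= set(group_perms(acl, group))]
```

On a live server the text would come from running `getfacl` on each directory from the filesystem root down to the share path; an empty result means the group can list and enter every level.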