On 10/12/2022 18:38, Luis Peromarta via samba wrote:
> Contingency server (4.17.3):
>
> root@servercont:/home2# ls -lad /home2/shares
> drwxrwx---+ 23 luis domain admins 4096 Nov 17 14:17 /home2/shares
>
> root@servercont:/home2# getfacl /home2/shares
> getfacl: Removing leading '/' from absolute path names
> # file: home2/shares
> # owner: luis
> # group: domain\040admins
> user::rwx
> user:luis:rwx
> group::rwx
> group:domain\040users:r-x
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:luis:rwx
> default:group::---
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
>
> root@servercont:/home2# samba-tool ntacl get /home2/shares --as-sddl
> O:S-1-5-21-2152908145-95474353-1514027631-1110G:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;CI;0x001200a9;;;DU)
> root@servercont:/home2#

From Windows, members of Domain Admins get full control and Domain Users get read and execute. The user 'luis' is probably just a member of Domain Users and so cannot write to the share.

> Main server (4.9.5):
>
> server:/home2# ls -lad /home2/shares
> drwxrwx---+ 23 luis domain admins 4096 Nov 17 14:17 /home2/shares
> server:/home2# getfacl /home2/shares
> getfacl: Removing leading '/' from absolute path names
> # file: home2/shares
> # owner: luis
> # group: domain\040admins
> user::rwx
> user:luis:rwx
> group::rwx
> group:domain\040users:r-x
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:luis:rwx
> default:group::---
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
>
> server:/home2# samba-tool ntacl get /home2/shares --as-sddl
> ERROR: Unable to read domain SID from configuration files
> server:/home2#

Hmm, why doesn't that work ?
You are running it as root ?

I have been taking another look at the smb.conf you posted and noticed a couple of things:

You have,

vfs objects = fruit streams_xattr

and then a bit further down,

vfs objects = acl_xattr

The latter takes precedence over the first, or to put it another way, the first one will be ignored.

You have also commented out the 'username map' line, why ?

Rowland

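The SDDL string from the contingency server, decoded ACE by ACE, as an added example that is not part of the original thread. The alias table, the function name `parse_sddl` and the result layout are assumptions made for illustration, and the parser handles only the `O:`/`G:`/`D:` layout shown in the quoted output.

```python
import re

# DACL string copied from the samba-tool output quoted in the thread.
SDDL = ("O:S-1-5-21-2152908145-95474353-1514027631-1110G:DA"
        "D:PAI(A;OICI;0x001f01ff;;;DA)(A;CI;0x001200a9;;;DU)")

# SDDL aliases that occur in this string (a subset, not the full table).
TRUSTEES = {"DA": "Domain Admins", "DU": "Domain Users"}
ACE_TYPES = {"A": "allow", "D": "deny"}
INHERIT = {"OI": "files", "CI": "subdirectories"}

# File access-mask bits as defined in the Windows SDK (winnt.h).
RIGHTS = {
    0x000001: "READ_DATA", 0x000002: "WRITE_DATA", 0x000004: "APPEND_DATA",
    0x000008: "READ_EA", 0x000010: "WRITE_EA", 0x000020: "EXECUTE",
    0x000040: "DELETE_CHILD", 0x000080: "READ_ATTRIBUTES",
    0x000100: "WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
WRITE_BITS = 0x000002 | 0x000004  # WRITE_DATA | APPEND_DATA


def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string into owner, group, DACL flags and ACEs."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if m is None:
        raise ValueError("unsupported SDDL layout")
    owner, group, dacl_flags, ace_blob = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_blob):
        ace_type, flags, mask, _obj, _inh_obj, trustee = body.split(";")
        mask = int(mask, 16)
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "trustee": TRUSTEES.get(trustee, trustee),
            "inherits_to": [INHERIT[f] for f in re.findall("..", flags)
                            if f in INHERIT],
            "rights": [n for bit, n in RIGHTS.items() if mask & bit],
            "can_write": bool(mask & WRITE_BITS),
        })
    return {"owner": owner, "group": TRUSTEES.get(group, group),
            "protected": "P" in dacl_flags, "aces": aces}


if __name__ == "__main__":
    for ace in parse_sddl(SDDL)["aces"]:
        print(ace["type"], ace["trustee"], "write" if ace["can_write"]
              else "read-only", "-> inherited by", ace["inherits_to"])
```

In the decoded result the Domain Users ACE carries only `CI`, so it is inherited by subdirectories but not by files, while the Domain Admins ACE (`OICI`) is inherited by both.
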
So yes, running as root. No idea why that fails.

Re. vfs objects the scientific explanation is:

1.- Somewhere I read this was good for Macs:

# Configure Samba to Work Better with Mac OS X
min protocol = SMB2
ea support = yes
vfs objects = fruit streams_xattr
fruit:aapl = yes
fruit:metadata = stream
fruit:model = RackMac
fruit:posix_rename = yes
fruit:veto_appledouble = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes

And I put it in.

2.- A few days later - or earlier, I found that in order to set ACLs with windows I needed:

# To configure shares using extended access control lists (ACL)
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

And I put it in. In fairness I have no idea what those lines mean.

Re. username map, I had it configured long ago, but for some reason I thought I had no need for it, and commented it. My user.map has:

!root = MAD\Administrator MAD\administrator Administrator administrator

But I don't use administrator anyway so I commented the line. Is there a need for it ? Should I add MAD\Luis there ? Luis is a Domain Admin.

All the best,
LP

On 10 Dec 2022 at 20:03 +0100, samba at lists.samba.org, wrote:
>
> Hmm, why doesn't that work ?
> You are running it as root ?
>
> I have been taking another look at the smb.conf you posted and noticed a
> couple of things:
>
> You have,
>
> vfs objects = fruit streams_xattr
>
> and then a bit further down,
>
> vfs objects = acl_xattr
>
> The latter takes precedence over the first, or to put it another way,
> the first one will be ignored.
>
> You have also commented out the 'username map' line, why ?
>