On 28/03/2023 17:41, Peter Carlson via samba wrote:
>
> On 3/28/23 08:40, Rowland Penny via samba wrote:
>>
>> On 28/03/2023 15:50, Peter Carlson via samba wrote:
>>>
>>> On 3/28/23 07:36, Rowland Penny via samba wrote:
>>>>
>>>> On 28/03/2023 15:08, Peter Carlson via samba wrote:
>>>>>
>>>>> On 3/28/23 01:33, Rowland Penny via samba wrote:
>>>>>>
>>>>>> On 28/03/2023 01:59, Peter Carlson via samba wrote:
>>>>>>> I am having troubles with Windows ACLs. I have been following the wiki
>>>>>>> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)
>>>>>>> and must have messed something up.
>>>>>>> I can't set the permissions on the root of the share. Error:
>>>>>>> https://pasteboard.co/yJadpk2bH0pJ.png
>>>>>>>
>>>>>>> I set the SeDiskOperatorPrivilege, created the folder with
>>>>>>> permissions as stated in the wiki, and set smb.conf as described.
>>>>>>> What might I be missing?
>>>>>>>
>>>>>>> root@filesvr:~# net rpc rights list privileges SeDiskOperatorPrivilege -U SDCP\\peter
>>>>>>> Password for [SDCP\peter]:
>>>>>>> SeDiskOperatorPrivilege:
>>>>>>>    SDCP\Domain Admins
>>>>>>>    BUILTIN\Administrators
>>>>>>>
>>>>>>> root@filesvr:~# ls -l /data
>>>>>>> drwxrwx---+ 4 root SDCP\domain admins 4096 Oct  3 08:45 test
>>>>>>
>>>>>> What are the permissions set on /data ?
>>>>>>
>>>>>> What does 'getfacl /data/test' produce ?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> root@filesvr:~# ls -l /
>>>>> drwxr-xr-x 16 root root 4096 Dec 20 13:01 data
>>>>>
>>>>> root@filesvr:~# getfacl /data/test
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: data/test
>>>>> # owner: root
>>>>> # group: SDCP\\domain\040admins
>>>>> user::rwx
>>>>> user:root:rwx
>>>>> user:SDCP\\domain\040admins:rwx
>>>>> user:SDCP\\domain\040users:rwx
>>>>> group::rwx
>>>>> group:SDCP\\domain\040admins:rwx
>>>>> group:SDCP\\domain\040users:rwx
>>>>> mask::rwx
>>>>> other::---
>>>>> default:user::rwx
>>>>> default:user:root:rwx
>>>>> default:user:SDCP\\domain\040users:rwx
>>>>> default:group::r-x
>>>>> default:group:SDCP\\domain\040admins:r-x
>>>>> default:group:SDCP\\domain\040users:rwx
>>>>> default:mask::rwx
>>>>> default:other::r-x
>>>>
>>>> OK, your user should be able to get to the 'data' directory via
>>>> 'others':
>>>>
>>>> drwxr-xr-x 16 root root 4096 Dec 20 13:01 data
>>>>
>>>> Where, because the permissions are these:
>>>>
>>>> drwxrwx---+ 4 root SDCP\domain admins 4096 Oct  3 08:45 test
>>>>
>>>> His membership of Domain Admins should allow entry into 'test'.
>>>>
>>>> However, you also wrote this: 'On a different server showing my
>>>> membership'. What do you get if you run 'groups' on 'filesvr' ?
>>>>
>>>> Rowland
>>>>
>>> OK, on the filesvr I can get to things as me:
>>>
>>> SDCP\peter@filesvr:~$ groups
>>> SDCP\domain admins BUILTIN\administrators BUILTIN\users SDCP\domain users SDCP\denied rodc password replication group SDCP\dbusers SDCP\peter SDCP\linux admins SDCP\remotedesktop SDCP\nextcloud users
>>> SDCP\peter@filesvr:~$ cd /data/test
>>> SDCP\peter@filesvr:/data/test$ ls
>>> officefld  peter-ad.txt  peter.txt  root.txt  test  Windows.txt
>>> SDCP\peter@filesvr:/data/test$ cat peter.txt
>>>
>>> test from peter
>>>
>>> However, on Windows I get access denied both when trying to set
>>> permissions via Computer Management on the root of the share as well
>>> as when trying to access the share via File Explorer.
>>
>> I am using Samba 4.17.5 on a test machine with a share set up exactly
>> like yours and using Computer Management on a Win10 computer;
>> everything works for myself.
>>
>> After comparing your smb.conf with mine, could you please try adding
>> 'winbind expand groups = 2' to your smb.conf, reload or restart Samba
>> and try again.
>>
>> Rowland
>>
> winbind expand groups = 2 didn't help. Same error on Windows, nothing
> in the Event Viewer and no logs in /var/log/samba; perhaps a higher
> logging setting is needed? I am running on version 4.15.13-Ubuntu. I
> could do a tcpdump if that helps, but I'd need to read up on what you
> would need for that.

This is weird, it just works for myself. The only other differences
between my smb.conf and yours are these lines:

    disable netbios = Yes
    dns proxy = No
    min domain uid = 0
    username map = /etc/samba/user.map

The last one relies on a file containing this line:

!root = SDCP\Administrator

Have you tried running 'net cache flush' on the Linux machine ?
Could AppArmor be getting in the way ?

Rowland
On 3/28/23 09:55, Rowland Penny via samba wrote:
> [...]
>
> This is weird, it just works for myself. The only other differences
> between my smb.conf and yours are these lines:
>
>     disable netbios = Yes
>     dns proxy = No
>     min domain uid = 0
>     username map = /etc/samba/user.map
>
> The last one relies on a file containing this line:
>
> !root = SDCP\Administrator
>
> Have you tried running 'net cache flush' on the Linux machine ?
> Could AppArmor be getting in the way ?
>
> Rowland
>
net cache flush had no effect. There are no entries in syslog from
AppArmor. Here is log level 3:

[2023/03/28 10:16:07.511129,  3] ../../lib/util/access.c:372(allow_access)
  Allowed connection from 192.168.10.115 (192.168.10.115)
[2023/03/28 10:16:07.511306,  3] ../../source3/smbd/service.c:610(make_connection_snum)
  make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2023/03/28 10:16:07.511374,  3] ../../source3/smbd/vfs.c:115(vfs_init_default)
  Initialising default vfs hooks
[2023/03/28 10:16:07.511482,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2023/03/28 10:16:07.511551,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2023/03/28 10:16:07.511639,  2] ../../source3/modules/vfs_acl_xattr.c:203(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
[2023/03/28 10:16:07.511931,  3] ../../source3/smbd/service.c:854(make_connection_snum)
  192.168.10.115 (ipv4:192.168.10.115:59428) connect to service IPC$ initially as user SDCP\peter (uid=2001110, gid=2000512) (pid 2341006)
[2023/03/28 10:16:07.549769,  3] ../../lib/util/access.c:372(allow_access)
  Allowed connection from 192.168.10.115 (192.168.10.115)
[2023/03/28 10:16:07.549894,  3] ../../source3/smbd/service.c:610(make_connection_snum)
  make_connection_snum: Connect path is '/data/test' for service [Test]
[2023/03/28 10:16:07.549940,  3] ../../source3/smbd/vfs.c:115(vfs_init_default)
  Initialising default vfs hooks
[2023/03/28 10:16:07.549966,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2023/03/28 10:16:07.549988,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2023/03/28 10:16:07.550011,  2] ../../source3/modules/vfs_acl_xattr.c:203(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Test
[2023/03/28 10:16:07.550196,  2] ../../source3/smbd/service.c:854(make_connection_snum)
  192.168.10.115 (ipv4:192.168.10.115:59428) connect to service Test initially as user SDCP\peter (uid=2001110, gid=2000512) (pid 2341006)
[2023/03/28 10:16:07.551237,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.554113,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.558583,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.559292,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.559972,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:09.232851,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:09.233653,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:23.609881,  3] ../../source3/smbd/service.c:1127(close_cnum)
  192.168.10.115 (ipv4:192.168.10.115:59428) closed connection to service IPC$
[2023/03/28 10:16:23.610507,  2] ../../source3/smbd/service.c:1127(close_cnum)
  192.168.10.115 (ipv4:192.168.10.115:59428) closed connection to service Test
On 3/28/23 09:55, Rowland Penny via samba wrote:
> [...]
>
> This is weird, it just works for myself. The only other differences
> between my smb.conf and yours are these lines:
>
>     disable netbios = Yes
>     dns proxy = No
>     min domain uid = 0
>     username map = /etc/samba/user.map
>
> The last one relies on a file containing this line:
>
> !root = SDCP\Administrator
>
> Have you tried running 'net cache flush' on the Linux machine ?
> Could AppArmor be getting in the way ?
>
> Rowland
>
Bumping the log to 5, there are a few more lines right before
NT_STATUS_ACCESS_DENIED. Could the EA error be a clue?

[2023/03/28 10:37:19.643508,  5] ../../source3/smbd/vfs.c:1334(check_reduced_name)
  check_reduced_name: . reduced to /data/test
[2023/03/28 10:37:19.643539,  5] ../../source3/smbd/dosmode.c:177(unix_mode)
  unix_mode: unix_mode(.) returning 0666
[2023/03/28 10:37:19.643605,  5] ../../source3/smbd/dosmode.c:396(fget_ea_dos_attribute)
  fget_ea_dos_attribute: Cannot get attribute from EA on file .: Error = No data available
[2023/03/28 10:37:19.643652,  4] ../../source3/smbd/open.c:3808(open_file_ntcreate)
  calling open_file with flags=0x0 flags2=0x800 mode=0666, access_mask = 0x20080, open_access_mask = 0x20080
[2023/03/28 10:37:19.643680,  5] ../../source3/smbd/open.c:4427(open_directory)
  open_directory: opening directory ., access_mask = 0x20080, share_access = 0x7 create_options = 0x200000, create_disposition = 0x1, file_attributes = 0x10
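As an added example (not code from the thread or from the Samba project), the following Python parser reads the smbd log format pasted in the two messages above, attributes each NT_STATUS_ACCESS_DENIED to the share the session had connected to, and picks out the fget_ea_dos_attribute warning so the two can be compared side by side. The sample log is constructed from lines quoted in the thread, trimmed, with the level-5 EA line given a timestamp that places it just before the first denial.

```python
import re
from collections import Counter

# smbd writes a header "[date time,  LEVEL] file.c:LINE(function)" followed by
# one or more indented message lines; these regexes cover the lines in this thread.
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]"
                    r"\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
CONNECT = re.compile(r"connect to service (\S+) initially as user (\S+) \(uid=(\d+), gid=(\d+)\)")
STATUS = re.compile(r"status\[(NT_STATUS_\w+)\] \|\| at (\S+)")

# Constructed sample built from the thread's log excerpts (one timestamp adjusted).
SAMPLE_LOG = """\
[2023/03/28 10:16:07.511931,  3] ../../source3/smbd/service.c:854(make_connection_snum)
  192.168.10.115 (ipv4:192.168.10.115:59428) connect to service IPC$ initially as user SDCP\\peter (uid=2001110, gid=2000512) (pid 2341006)
[2023/03/28 10:16:07.550196,  2] ../../source3/smbd/service.c:854(make_connection_snum)
  192.168.10.115 (ipv4:192.168.10.115:59428) connect to service Test initially as user SDCP\\peter (uid=2001110, gid=2000512) (pid 2341006)
[2023/03/28 10:16:07.550900,  5] ../../source3/smbd/dosmode.c:396(fget_ea_dos_attribute)
  fget_ea_dos_attribute: Cannot get attribute from EA on file .: Error = No data available
[2023/03/28 10:16:07.551237,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.554113,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.558583,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:23.610507,  2] ../../source3/smbd/service.c:1127(close_cnum)
  192.168.10.115 (ipv4:192.168.10.115:59428) closed connection to service Test
"""

def parse_entries(text):
    """Group each header line with its indented message lines into one record."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            e = m.groupdict()
            e["level"], e["line"], e["msg"] = int(e["level"]), int(e["line"]), []
            entries.append(e)
        elif entries and raw.strip():          # continuation line of the current entry
            entries[-1]["msg"].append(raw.strip())
    for e in entries:
        e["msg"] = " ".join(e["msg"])
    return entries

def summarize(entries):
    """Attribute each ACCESS_DENIED to the share the session last connected to."""
    report = {"connections": [], "denied": Counter(), "ea_warnings": []}
    service = None
    for e in entries:
        c = CONNECT.search(e["msg"])
        if c:
            service = c.group(1)
            report["connections"].append({"service": service, "user": c.group(2),
                                          "uid": int(c.group(3)), "gid": int(c.group(4))})
        s = STATUS.search(e["msg"])
        if s and s.group(1) == "NT_STATUS_ACCESS_DENIED":
            report["denied"][(service, s.group(2))] += 1   # keyed by (share, source location)
        if e["func"] == "fget_ea_dos_attribute" and "Cannot get attribute" in e["msg"]:
            report["ea_warnings"].append(e["msg"])
    return report
```

Feeding a real log in at level 3 or higher to summarize(parse_entries(...)) gives the per-share denial count and the uid/gid the session was mapped to, which is what to compare against the POSIX ACL on the share root.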