Update: MAD\Administrator can change permissions on the 'share' tab. MAD\Luis (a domain admin) cannot. Should this be like so?

On the other hand, I have built another domain member for testing.

[global]
    apply group policies = Yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    log file = /var/log/samba/%m.log
    netbios name = SERVER2
    realm = MAD.MATER.INT
    security = ADS
    server min protocol = SMB2
    server role = member server
    username map = /etc/samba/user.map
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = MAD
    acl_xattr:ignore system acls = yes
    idmap config mad : unix_nss_info = yes
    idmap config mad : range = 10000-999999
    idmap config mad : schema_mode = rfc2307
    idmap config mad : backend = ad
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    fruit:delete_empty_adfiles = yes
    fruit:wipe_intentionally_left_blank_rfork = yes
    fruit:veto_appledouble = yes
    fruit:posix_rename = yes
    fruit:model = RackMac
    fruit:metadata = stream
    fruit:aapl = yes
    delete veto files = Yes
    ea support = Yes
    hosts deny = 0.0.0.0/0
    map acl inherit = Yes
    vfs objects = acl_xattr

[personales]
    hide unreadable = Yes
    path = /data/users/
    read only = No
    acl_xattr:ignore system acls = yes

It has the
username map = /etc/samba/user.map

And contains:
!root = MAD\Administrator

MAD\Administrator has no uidNumber

However

root@server2:~# getent passwd Administrator

root@server2:~# wbinfo -i Administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user Administrator

When MAD\Administrator tries to access the share via \\server2 I get a "Windows cannot access \\Server2"

On the server:

root@server2:/var/log/samba# tail 192.168.0.9.log
[2023/05/25 17:32:47.622065,  0] ../../source3/auth/auth_util.c:1927(check_account)
  check_account: Failed to convert SID S-1-5-21-2152908145-95474353-1514027631-500 to a UID (dom_user[MAD\administrator])

I guess root mapping is not quite right. What am I missing?
Thanks,

On 25 May 2023 at 21:49 +0200, samba@lists.samba.org, wrote:
> Okay, Administrator is mapping to the Unix root user, but I just noticed
> you said 'share permissions', are we talking the 'Share Permissions' tab
> here? If so, then stop, you only change permissions on the 'Security'
> tab and I can think of no reason to change the sysvol permissions in
> that way.
>
> Rowland
On 25/05/2023 21:03, Luis Peromarta via samba wrote:
> Update:
>
> MAD\Administrator can change permissions on the 'share' tab.

Please stop trying to alter the 'share' tab, you need to use the 'security' tab, which really should be called 'This is where you set the NTFS permission' tab, but that's a bit long.

> MAD\Luis (a domain admin) cannot.

Administrator is being mapped to root, luis is not.

> Should this be like so?
>
> On the other hand, I have built another domain member for testing.
>
> [global]
>     apply group policies = Yes
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     log file = /var/log/samba/%m.log
>     netbios name = SERVER2
>     realm = MAD.MATER.INT
>     security = ADS
>     server min protocol = SMB2
>     server role = member server
>     username map = /etc/samba/user.map
>     winbind refresh tickets = Yes
>     winbind use default domain = Yes
>     workgroup = MAD
>     acl_xattr:ignore system acls = yes
>     idmap config mad : unix_nss_info = yes
>     idmap config mad : range = 10000-999999
>     idmap config mad : schema_mode = rfc2307
>     idmap config mad : backend = ad
>     idmap config * : range = 3000-7999
>     idmap config * : backend = tdb
>     fruit:delete_empty_adfiles = yes
>     fruit:wipe_intentionally_left_blank_rfork = yes
>     fruit:veto_appledouble = yes
>     fruit:posix_rename = yes
>     fruit:model = RackMac
>     fruit:metadata = stream
>     fruit:aapl = yes
>     delete veto files = Yes
>     ea support = Yes
>     hosts deny = 0.0.0.0/0
>     map acl inherit = Yes
>     vfs objects = acl_xattr
>
> [personales]
>     hide unreadable = Yes
>     path = /data/users/
>     read only = No
>     acl_xattr:ignore system acls = yes
>
> It has the
> username map = /etc/samba/user.map
>
> And contains:
> !root = MAD\Administrator
>
> MAD\Administrator has no uidNumber
>
> However
>
> root@server2:~# getent passwd Administrator
>
> root@server2:~# wbinfo -i Administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user Administrator
>
> When MAD\Administrator tries to access the share via \\server2 I get a "Windows cannot access \\Server2"
>
> On the server:
>
> root@server2:/var/log/samba# tail 192.168.0.9.log
> [2023/05/25 17:32:47.622065,  0] ../../source3/auth/auth_util.c:1927(check_account)
>   check_account: Failed to convert SID S-1-5-21-2152908145-95474353-1514027631-500 to a UID (dom_user[MAD\administrator])
>
> I guess root mapping is not quite right. What am I missing?

Try adding 'min domain uid = 0' to global in your smb.conf to fix that.

There is also the problem that adding 'acl_xattr:ignore system acls = yes' does strange things. From my testing, if I remember correctly, with it, only Administrator can do things. I do not use it.

Rowland
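The diagnosis above (user.map sends MAD\Administrator, RID 500, to root, and Samba's 'min domain uid', which defaults to 1000 since Samba 4.13, refuses to map a domain SID to a uid below that limit, so check_account() logs "Failed to convert SID ... to a UID") can be checked offline. The script below is an added example written for this page; it is not Luis's or Rowland's code and not part of Samba. It builds constructed copies of the relevant smb.conf, user.map and client-log fragments from the thread (trimmed, with illustrative paths), then reports the failing RID, the effective 'min domain uid' and the account mapped to root, and shows the result once 'min domain uid = 0' is added.

```shell
#!/bin/sh
# Added example for this page (not code from the thread or from Samba).
# Offline check for the failure in the thread: 'username map' sends
# MAD\Administrator (RID 500) to root (uid 0), but Samba's 'min domain uid'
# (default 1000 since Samba 4.13) refuses to map a domain SID to a uid below
# that limit, so check_account() logs "Failed to convert SID ... to a UID".
# All input files are constructed here; the paths passed in are illustrative.

# Effective 'min domain uid' from the [global] section (last definition wins,
# as in smb.conf); prints the Samba default of 1000 when the parameter is absent.
min_domain_uid() {
    awk -F= '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
        insec {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (tolower(key) == "mindomainuid") { v = $2; gsub(/[[:space:]]/, "", v); val = v }
        }
        END { print (val == "" ? 1000 : val) }' "$1"
}

# RIDs of domain SIDs that check_account() could not turn into a uid.
failed_rids() {
    sed -n 's/.*Failed to convert SID S-1-5-21-[0-9-]*-\([0-9][0-9]*\) to a UID.*/\1/p' "$1" | sort -u
}

# Domain account that user.map sends to root ("!" stops further mapping).
root_mapped_to() {
    sed -n 's/^[[:space:]]*!\{0,1\}root[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" | head -n 1
}

# diagnose SMB_CONF LOG USER_MAP: returns 1 when the root mapping is blocked
# by 'min domain uid', 0 otherwise.
diagnose() {
    limit=$(min_domain_uid "$1")
    target=$(root_mapped_to "$3")
    status=0
    for rid in $(failed_rids "$2"); do
        echo "log: SID with RID $rid could not be converted to a UID"
        if [ "$rid" = 500 ] && [ -n "$target" ]; then
            echo "user.map maps root (uid 0) to $target; 'min domain uid' is $limit"
            if [ "$limit" -gt 0 ]; then
                echo "=> uid 0 is below the limit: add 'min domain uid = 0' to [global]"
                echo "   (this deliberately gives $target uid 0 on this host)"
                status=1
            fi
        fi
    done
    return $status
}

# Constructed samples modelled on the thread (trimmed, not the full smb.conf).
write_samples() {  # write_samples SMB_CONF LOG USER_MAP
    cat > "$1" <<'EOF'
[global]
   security = ADS
   server role = member server
   username map = /etc/samba/user.map
   idmap config mad : backend = ad
   idmap config mad : range = 10000-999999
EOF
    cat > "$2" <<'EOF'
[2023/05/25 17:32:47.622065,  0] ../../source3/auth/auth_util.c:1927(check_account)
  check_account: Failed to convert SID S-1-5-21-2152908145-95474353-1514027631-500 to a UID (dom_user[MAD\administrator])
EOF
    cat > "$3" <<'EOF'
!root = MAD\Administrator
EOF
}

main() {
    d=$(mktemp -d)
    write_samples "$d/smb.conf" "$d/client.log" "$d/user.map"
    diagnose "$d/smb.conf" "$d/client.log" "$d/user.map"; rc=$?
    printf '   min domain uid = 0\n' >> "$d/smb.conf"   # the fix suggested in the thread
    diagnose "$d/smb.conf" "$d/client.log" "$d/user.map" && echo "mapping now permitted"
    rm -rf "$d"
    return $rc
}
main; echo "first diagnose exit status: $?"
```

On a live member server the equivalent checks are `testparm -s --parameter-name='min domain uid'` for the effective value and `wbinfo --sid-to-uid S-1-5-21-...-500` for the conversion itself. The caveat is the one the script prints: 'min domain uid' exists precisely so that a domain account cannot be mapped to a low, privileged Unix uid by accident, and setting it to 0 hands the domain Administrator uid 0 on that host; that is a deliberate trust decision, not just a fix for the error message.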