Joel R Smith
2023-Oct-17 17:34 UTC
[Samba] Issue creating share on Windows domain-joined Debian 12 Server
Environment:
New install of Debian 12 (Physical Server)
Latest Samba via apt (4.17.12)

So I am most of the way there getting this to work. I have successfully joined the Debian server to our windows domain. I have created a "Unix Admins" windows security group with the "SeDiskOperatorPrivilege" enabled. The file share exists although I am not yet able to open it. The problem I am having is when attempting to manage the share by connecting to the Linux server in Windows using Computer Management > Shared Folders > Shares > "Share Name" > Properties. In the properties of the share when I go to the "Security" tab, the following message appears: "You must have read permissions to view the properties of this object". I am unable to take ownership through the interface.

Some strange behavior I also noticed that may be related: When I attempt to map the domain account I am using to the local root account (user.map: !root = NETWORK\Admin) I am unable to connect to the Debian server using computer management. It immediately gives an error and the Computer Management MMC opens up blank. Immediately after commenting out the user.map line and running smbcontrol all reload-config I can again connect to the server with Computer Management.

Here are the guides I have been referencing:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

contents of smb.conf:

workgroup = network
password server = dc.network.domain.ca
realm = NETWORK.DOMAIN.CA
security = ads
idmap config * : range = 16777216-33554431
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
min protocol = SMB3
passdb backend = smbpasswd
vfs objects = acl_xattr
map acl inherit = yes
username map = /etc/samba/user.map

[storage]
path = /Backup/Backuptest
comment = Backup Share
read only = no
Rowland Penny
2023-Oct-17 18:12 UTC
[Samba] Issue creating share on Windows domain-joined Debian 12 Server
On Tue, 17 Oct 2023 11:34:35 -0600 Joel R Smith via samba <samba at lists.samba.org> wrote:

> Environment:
> New install of Debian 12 (Physical Server)
> Latest Samba via apt (4.17.12)
>
> So I am most of the way there getting this to work. I have
> successfully joined the Debian server to our windows domain. I have
> created a "Unix Admins" windows security group with the
> "SeDiskOperatorPrivilege" enabled. The file share exists although I
> am not yet able to open it. The problem I am having is when
> attempting to manage the share by connecting to the Linux server in
> Windows using Computer Management > Shared Folders > Shares > "Share
> Name" > Properties. In the properties of the share when I go to the
> "Security" tab, the following message appears: "You must have read
> permissions to view the properties of this object". I am unable to
> take ownership through the interface.
>
> Some strange behavior I also noticed that may be related: When I
> attempt to map the domain account I am using to the local root
> account (user.map: !root = NETWORK\Admin) I am unable to connect to
> the Debian server using computer management. It immediately gives an
> error and the Computer Management MMC opens up blank. Immediately
> after commenting out the user.map line and running smbcontrol all
> reload-config I can again connect to the server with Computer
> Management.
>
> Here are the guides I have been referencing:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Did you miss the part about 'Setting up a Basic smb.conf File', in particular the part about selecting an idmap backend?

> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
>
> contents of smb.conf:
>
> workgroup = network
> password server = dc.network.domain.ca

You shouldn't set the 'password server', you should allow Samba to find the best DC to use.

> realm = NETWORK.DOMAIN.CA
> security = ads
> idmap config * : range = 16777216-33554431

There aren't enough 'idmap config' lines, also that is a strange range, could you also be running sssd?

> template homedir = /home/%D/%U

That is the default.

> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
> min protocol = SMB3
> passdb backend = smbpasswd

Why? The default is the much newer tdbsam.

> vfs objects = acl_xattr
> map acl inherit = yes
> username map = /etc/samba/user.map

What are the contents of the user.map?

>
> [storage]
> path = /Backup/Backuptest
> comment = Backup Share
> read only = no

Rowland
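
The points raised in the reply above, expressed as a small check over the posted configuration. This is an added example, not part of the original thread or of Samba; the function names and the constructed sample are this example's own, and the rule that the workgroup's domain needs its own 'idmap config' backend and range lines is an assumption taken from the linked Setting_up_Samba_as_a_Domain_Member page.

```python
import configparser

# Constructed sample: a subset of the settings posted in this thread,
# placed under a [global] header that the posting itself did not show.
POSTED_CONF = """\
[global]
workgroup = network
password server = dc.network.domain.ca
realm = NETWORK.DOMAIN.CA
security = ads
idmap config * : range = 16777216-33554431
passdb backend = smbpasswd
username map = /etc/samba/user.map
"""

def load_global(text):
    # Only '=' separates key and value: 'idmap config * : range' has ':' in the key.
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                   interpolation=None, strict=False)
    cp.read_string(text)
    # smb.conf parameter names ignore case and repeated spaces.
    return {" ".join(k.lower().split()): v.strip() for k, v in cp["global"].items()}

def idmap_domains(params):
    """Collect 'idmap config DOMAIN : option' lines as {DOMAIN: {option, ...}}."""
    found = {}
    for key in params:
        if key.startswith("idmap config ") and ":" in key:
            domain, option = key[len("idmap config "):].split(":", 1)
            found.setdefault(domain.strip().upper(), set()).add(option.strip())
    return found

def review(text):
    params = load_global(text)
    findings = []
    if "password server" in params:
        findings.append("password server is set; remove it so Samba locates a DC itself")
    if params.get("passdb backend", "tdbsam").startswith("smbpasswd"):
        findings.append("passdb backend = smbpasswd; the default is tdbsam")
    domains = idmap_domains(params)
    required = {"*": {"range"}}  # assumption: default domain needs at least a range
    if params.get("workgroup"):  # assumption: the joined domain needs backend and range
        required[params["workgroup"].upper()] = {"backend", "range"}
    for domain, options in required.items():
        missing = options - domains.get(domain, set())
        if missing:
            findings.append(f"idmap config {domain} : missing {', '.join(sorted(missing))}")
    return findings

if __name__ == "__main__":
    for line in review(POSTED_CONF):
        print("WARN", line)
```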
Luis Peromarta
2023-Oct-17 22:17 UTC
[Samba] Issue creating share on Windows domain-joined Debian 12 Server
You can also try http://samba.bigbird.es/doku.php?id=samba:file-server

This should address most of your problems.

Regards.

On 17 Oct 2023 at 19:35 +0200, Joel R Smith via samba <samba at lists.samba.org>, wrote:

> Environment:
> New install of Debian 12 (Physical Server)
> Latest Samba via apt (4.17.12)
>
> So I am most of the way there getting this to work. I have successfully
> joined the Debian server to our windows domain. I have created a "Unix
> Admins" windows security group with the "SeDiskOperatorPrivilege" enabled.
> The file share exists although I am not yet able to open it. The problem I
> am having is when attempting to manage the share by connecting to the Linux
> server in Windows using Computer Management > Shared Folders > Shares >
> "Share Name" > Properties. In the properties of the share when I go to the
> "Security" tab, the following message appears: "You must have read
> permissions to view the properties of this object". I am unable to take
> ownership through the interface.
>
> Some strange behavior I also noticed that may be related: When I attempt to
> map the domain account I am using to the local root account (user.map:
> !root = NETWORK\Admin) I am unable to connect to the Debian server using
> computer management. It immediately gives an error and the Computer
> Management MMC opens up blank. Immediately after commenting out the
> user.map line and running smbcontrol all reload-config I can again connect
> to the server with Computer Management.
>
> Here are the guides I have been referencing:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
>
> contents of smb.conf:
>
> workgroup = network
> password server = dc.network.domain.ca
> realm = NETWORK.DOMAIN.CA
> security = ads
> idmap config * : range = 16777216-33554431
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
> min protocol = SMB3
> passdb backend = smbpasswd
> vfs objects = acl_xattr
> map acl inherit = yes
> username map = /etc/samba/user.map
>
> [storage]
> path = /Backup/Backuptest
> comment = Backup Share
> read only = no