Peter Milesson
2023-Dec-12 12:11 UTC
[Samba] Permission denied while trying to setup share with RSAT
Hi folks,

AD Member server with Samba 4.19.3 from Debian Bookworm backports. AD DC also Samba 4.19.3 from Debian Bookworm backports. smb.conf last in the message.

When trying to set up a share with RSAT as Administrator, every operation fails with the error message:

"An error occurred while applying security information to:"
\\DATASRV\groble$
Failed to enumerate objects in the container. Access is denied.

The only operation that succeeds is changing ownership.

I set up the directory the usual way according to the Samba Wiki

mkdir -p /data/groble
chown root:"Domain Admins" /data/groble
chmod 0770 /data/groble

and defined it in smb.conf as

[groble$]
        comment = Roaming profiles
        path = /data/groble/
        read only = no
        acl_xattr:ignore system acls = yes
        hide dot files = no
        csc policy = disable

When opening RSAT (Computer configuration, Shares, Security) I have got the following properties:

Object name: \\DATASRV\groble$
Group or user names:
        root (Unix User\root)
        SYSTEM
        Domain Admins (PRIVATE\Domain Admins)

Clicking on Advanced opens Advanced security settings:

Name: \\DATASRV\groble$
Owner: root (Unix Users\root)

Under the permissions tab there are 3 entries in the list:

root (Unix Users\root), Full control, Inherited from None, Applies to This folder only
Domain Admins (PRIVATE\Domain Admins), Read, write & execute, Inherited from None, Applies to This folder only
SYSTEM, Full control, Inherited from None, Applies to This folder only

If I create the share directory and set ownership to

chown myadmin:"Domain Admins" /data/groble

where user PRIVATE\myadmin is a user belonging to the group PRIVATE\Domain Admins, I have no problems setting up the share if I'm logged on as this user.

Neither the Administrator user, nor the myadmin exist locally in the member server. There are no uids or guids set for users in AD.

Executing getent group or getent passwd displays the correct users with correct uids and gids (for example Administrator 10500:10512, myadmin 11118:10512).

I have tried with and without

username map = /etc/samba/user.map
min domain uid = 0

but there is no difference.

I have configured folder redirection (which works perfectly), but it should not interfere here. The PRIVATE\administrator account is not in the user group for folder redirection anyway. The user PRIVATE\myadmin is, however, a member of the folder redirection group of users.

The behavior seriously baffles me, it did work once upon a time (if I remember correctly Samba 4.17.x), and now not at all according to any documentation.

If somebody has got any idea how to correct this, I would be grateful.

Best regards,

Peter

smb.conf
======

# Global parameters
[global]
        debug pid = yes
        debug uid = yes
        dedicated keytab file = /etc/krb5.keytab
        disable spoolss = yes
        disable netbios = yes
        smb ports = 445
        kerberos method = secrets and keytab
        log level = 1
        log file = /var/log/samba/%m.log
        printcap name = /dev/null
        realm = PRIVATE.TALPS
        security = ADS
        server role = member server
        restrict anonymous = 2
        template homedir = /home/%U
        template shell = /bin/bash
        timestamp logs = yes
        username map = /etc/samba/user.map
        min domain uid = 0
        winbind refresh tickets = yes
        winbind use default domain = yes
        workgroup = PRIVATE
        idmap config * : backend = tdb
        idmap config * : range = 3000-9999
        idmap config PRIVATE : backend = rid
        idmap config PRIVATE : range = 10000-99999
        idmap config PRIVATE : unix_primary_group = yes
        acl group control = yes
        inherit acls = yes
        map acl inherit = yes
        vfs objects = acl_xattr
        acl_xattr:ignore system acls = yes
        apply group policies = yes
Fabrizio Rompani
2023-Dec-12 15:58 UTC
[Samba] Permission denied while trying to setup share with RSAT
hi, did you follow this https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs particularly: Granting the SeDiskOperatorPrivilege Privilege

I'm not an expert, but following that wiki works like a charm for me in samba 4.16

fab
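A check for the SeDiskOperatorPrivilege step that the reply above points to, as an added example that is not from the thread or the Samba wiki: it parses the output of `net rpc rights list accounts` (a constructed sample is embedded so it runs offline) and, when run live, grants the privilege with the `net rpc rights grant` form the wiki documents. The domain name PRIVATE and the "Share Admins" group in the sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba wiki): check whether an AD
# group holds SeDiskOperatorPrivilege on the member server, which RSAT needs
# in order to manage share permissions, and grant it if it is missing.
# The domain PRIVATE and the group "Share Admins" below are assumptions.

# Constructed sample of `net rpc rights list accounts` output, in the format
# Samba prints: account name, one privilege per line, blank line between accounts.
SAMPLE_RIGHTS='BUILTIN\Administrators
SeMachineAccountPrivilege
SeDiskOperatorPrivilege

PRIVATE\Domain Admins
SeDiskOperatorPrivilege

PRIVATE\Share Admins
No privileges assigned'

# has_priv ACCOUNT PRIVILEGE   (rights listing on stdin)
# Exit 0 if PRIVILEGE appears in ACCOUNT's block, 1 otherwise. Names go through
# the environment rather than awk -v so the backslash in "PRIVATE\Domain Admins"
# is not consumed as an escape sequence.
has_priv() {
    ACCT="$1" PRIV="$2" awk '
        /^[[:space:]]*$/ { inblock = 0; next }                         # block ends
        !inblock { inblock = ($0 == ENVIRON["ACCT"]) ? 2 : 1; next }  # block header
        inblock == 2 && $0 == ENVIRON["PRIV"] { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live check against the member server: list rights as a domain admin and grant
# SeDiskOperatorPrivilege to the group if it is missing (command forms as shown
# on the wiki page "Setting up a Share Using Windows ACLs").
ensure_disk_operator() {
    group="$1"   # e.g. 'PRIVATE\Domain Admins'
    admin="$2"   # e.g. 'PRIVATE\administrator'
    if net rpc rights list accounts -U "$admin" | has_priv "$group" SeDiskOperatorPrivilege; then
        echo "$group already holds SeDiskOperatorPrivilege"
    else
        net rpc rights grant "$group" SeDiskOperatorPrivilege -U "$admin"
    fi
}

# Run the parser against the constructed sample (no server access needed).
check_sample() {
    printf '%s\n' "$SAMPLE_RIGHTS" | has_priv "$1" SeDiskOperatorPrivilege
}
```

Run `ensure_disk_operator 'PRIVATE\Domain Admins' 'PRIVATE\administrator'` on the member server; the account named in `-U` is prompted for its password.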
Rowland Penny
2023-Dec-12 17:42 UTC
[Samba] Permission denied while trying to setup share with RSAT
On Tue, 12 Dec 2023 13:11:14 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:

> Hi folks,
>
> AD Member server with Samba 4.19.3 from Debian Bookworm backports. AD
> DC also Samba 4.19.3 from Debian Bookworm backports. smb.conf last in
> the message.
>
> When trying to set up a share with RSAT as Administrator, every
> operation fails with the error message:
>
> "An error occurred while applying security information to:"
> \\DATASRV\groble$
> Failed to enumerate objects in the container. Access is denied.
>
> The only operation that succeeds is changing ownership
>
> I set up the directory the usual way according to the Samba Wiki
>
> mkdir -p /data/groble
> chown root:"Domain Admins" /data/groble
> chmod 0770 /data/groble
>
> and defined it in smb.conf as
>
> [groble$]
>         comment = Roaming profiles
>         path = /data/groble/
>         read only = no
>         acl_xattr:ignore system acls = yes
>         hide dot files = no
>         csc policy = disable
>

That share appears to be for 'roaming profiles', so I suggest you read this wiki page and then follow it to the letter:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Follow the 'Using Windows ACLs' section.

I also suggest you connect from Windows as a member of Domain Admins.

Rowland