Peter Milesson
2023-Dec-12 17:30 UTC
[Samba] Permission denied while trying to setup share with RSAT
Hi Luke,

The usermap file says:

!root = PRIVATE\administrator PRIVATE\Administrator

Best regards,

Peter

On 12.12.2023 17:59, Luke Barone wrote:
> What does your usermap file look like?
>
> On Tue, Dec 12, 2023 at 8:58 AM Peter Milesson via samba
> <samba at lists.samba.org> wrote:
> >
> > Hi Fab,
> >
> > Thanks for the advice. This server was set up a couple of years ago, and I
> > followed the Samba Wiki to the letter. I have also reviewed the steps
> > again, in case I have overlooked something.
> >
> > There are several existing shares, and previously (long ago) there were
> > no problems setting up shares. In the meantime, the server has been
> > upgraded from Debian Bullseye to Debian Bookworm, and Samba was upgraded
> > a week ago from 4.18.9 to the latest 4.19.3 from Debian Bookworm
> > backports.
> >
> > What is strange is that I can configure the share if I create the
> > directory and set the ownership to myadmin:"Domain Admins" and 0770, but
> > not as Administrator, only as myadmin. It seems that the mapping from
> > root to PRIVATE\Administrator does not work somehow.
> >
> > I appreciate your input.
> >
> > Best regards,
> >
> > Peter
> >
> >
> > On 12.12.2023 16:58, Fabrizio Rompani via samba wrote:
> > > Hi,
> > >
> > > Did you follow this:
> > >
> > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > >
> > > particularly "Granting the SeDiskOperatorPrivilege Privilege"?
> > >
> > > I'm not an expert, but following that wiki works like a charm for me
> > > in Samba 4.16.
> > >
> > > fab
> > >
> > > ----- Original message -----
> > > From: "Peter Milesson via samba" <samba at lists.samba.org>
> > > To: "samba" <samba at lists.samba.org>
> > > Sent: Tuesday, 12 December 2023 13:11:14
> > > Subject: [Samba] Permission denied while trying to setup share with RSAT
> > >
> > > Hi folks,
> > >
> > > AD member server with Samba 4.19.3 from Debian Bookworm backports. AD DC
> > > also Samba 4.19.3 from Debian Bookworm backports. smb.conf is at the end
> > > of the message.
> > >
> > > When trying to set up a share with RSAT as Administrator, every
> > > operation fails with the error message:
> > >
> > > "An error occurred while applying security information to:"
> > > \\DATASRV\groble$
> > > Failed to enumerate objects in the container. Access is denied.
> > >
> > > The only operation that succeeds is changing ownership.
> > >
> > > I set up the directory the usual way according to the Samba Wiki:
> > >
> > > mkdir -p /data/groble
> > > chown root:"Domain Admins" /data/groble
> > > chmod 0770 /data/groble
> > >
> > > and defined it in smb.conf as
> > >
> > > [groble$]
> > >         comment = Roaming profiles
> > >         path = /data/groble/
> > >         read only = no
> > >         acl_xattr:ignore system acls = yes
> > >         hide dot files = no
> > >         csc policy = disable
> > >
> > > When opening RSAT (Computer configuration, Shares, Security) I have got
> > > the following properties:
> > >
> > > Object name: \\DATASRV\groble$
> > > Group or user names:
> > > root (Unix User\root)
> > > SYSTEM
> > > Domain Admins (PRIVATE\Domain Admins)
> > >
> > > Clicking on Advanced opens Advanced security settings:
> > >
> > > Name: \\DATASRV\groble$
> > > Owner: root (Unix Users\root)
> > >
> > > Under the permissions tab there are 3 entries in the list:
> > >
> > > root (Unix Users\root), Full control, Inherited from None, Applies to
> > > This folder only
> > > Domain Admins (PRIVATE\Domain Admins), Read, write & execute, Inherited
> > > from None, Applies to This folder only
> > > SYSTEM, Full control, Inherited from None, Applies to This folder only
> > >
> > > If I create the share directory and set ownership to
> > >
> > > chown myadmin:"Domain Admins" /data/groble
> > >
> > > where user PRIVATE\myadmin is a user belonging to the group
> > > PRIVATE\Domain Admins, I have no problems setting up the share if I'm
> > > logged on as this user.
> > >
> > > Neither the Administrator user nor myadmin exists locally on the member
> > > server. There are no uids or gids set for users in AD. Executing getent
> > > group or getent passwd displays the correct users with correct uids and
> > > gids (for example Administrator 10500:10512, myadmin 11118:10512).
> > >
> > > I have tried with and without
> > >
> > > username map = /etc/samba/user.map
> > > min domain uid = 0
> > >
> > > but there is no difference.
> > >
> > > I have configured folder redirection (which works perfectly), but it
> > > should not interfere here. The PRIVATE\administrator account is not in
> > > the user group for folder redirection anyway. The user PRIVATE\myadmin
> > > is, however, a member of the folder redirection group of users.
> > >
> > > The behavior seriously baffles me. It did work once upon a time (if I
> > > remember correctly, Samba 4.17.x), and now not at all, according to any
> > > documentation. If somebody has got any idea how to correct this, I would
> > > be grateful.
> > >
> > > Best regards,
> > >
> > > Peter
> > >
> > > smb.conf
> > > ========
> > >
> > > # Global parameters
> > > [global]
> > >         debug pid = yes
> > >         debug uid = yes
> > >         dedicated keytab file = /etc/krb5.keytab
> > >         disable spoolss = yes
> > >         disable netbios = yes
> > >         smb ports = 445
> > >         kerberos method = secrets and keytab
> > >         log level = 1
> > >         log file = /var/log/samba/%m.log
> > >         printcap name = /dev/null
> > >         realm = PRIVATE.TALPS
> > >         security = ADS
> > >         server role = member server
> > >         restrict anonymous = 2
> > >         template homedir = /home/%U
> > >         template shell = /bin/bash
> > >         timestamp logs = yes
> > >         username map = /etc/samba/user.map
> > >         min domain uid = 0
> > >         winbind refresh tickets = yes
> > >         winbind use default domain = yes
> > >         workgroup = PRIVATE
> > >         idmap config * : backend = tdb
> > >         idmap config * : range = 3000-9999
> > >         idmap config PRIVATE : backend = rid
> > >         idmap config PRIVATE : range = 10000-99999
> > >         idmap config PRIVATE : unix_primary_group = yes
> > >         acl group control = yes
> > >         inherit acls = yes
> > >         map acl inherit = yes
> > >         vfs objects = acl_xattr
> > >         acl_xattr:ignore system acls = yes
> > >         apply group policies = yes
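The thread keeps coming back to the same three prerequisites from the wiki page Fab linked: `vfs objects = acl_xattr` plus `map acl inherit = yes` in `[global]`, a `username map` that maps the Unix `root` user to a domain account, and `SeDiskOperatorPrivilege` granted to the group that will manage shares. The script below is an added example, not code from the thread or from the Samba project, that checks those prerequisites on a member server without guessing at what is wrong in Peter's case. The Debian paths `/etc/samba/smb.conf` and `/etc/samba/user.map`, the account names `PRIVATE\administrator` and `PRIVATE\Domain Admins` (taken from the thread), and the output layout of `net rpc rights list accounts` (account name on one line, one privilege per following line, blocks separated by a blank line, as the wiki shows it) are assumptions.

```shell
#!/bin/sh
# Preflight checks for the Samba wiki's "Setting up a Share Using Windows
# ACLs" prerequisites on an AD member server. Added example; not code from
# the thread or from the Samba project. The file paths and account names in
# the "live" section at the bottom are assumptions.

# conf_get FILE SECTION KEY
# Print the value of KEY inside [SECTION] of an smb.conf-style file, or
# nothing if it is absent. Section and key names are matched
# case-insensitively with surrounding whitespace ignored, as Samba does.
conf_get() {
    awk -v want_sec="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        -v want_key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # comment or blank line
        /^[ \t]*\[/ {                                # [section] header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(sec); next
        }
        sec == want_sec {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1)
            sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (tolower(key) != want_key) next
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            print val; exit
        }' "$1"
}

# check_usermap FILE
# Succeed if FILE maps the Unix user root to a domain account with a line of
# the form "!root = DOMAIN\user" (the leading "!" makes Samba stop at the
# first matching line); fail otherwise.
check_usermap() {
    grep -Eq '^[[:space:]]*!?[[:space:]]*root[[:space:]]*=[[:space:]]*[^[:space:]]+\\[^[:space:]]+' "$1"
}

# check_windows_acl_prereqs SMBCONF
# Report the [global] settings the wiki requires for managing share ACLs from
# Windows. Returns the number of failed checks (0 = all good).
check_windows_acl_prereqs() {
    fails=0
    case " $(conf_get "$1" global 'vfs objects') " in
        *' acl_xattr '*) echo "ok   vfs objects includes acl_xattr" ;;
        *) echo "FAIL [global] vfs objects must include acl_xattr"; fails=$((fails + 1)) ;;
    esac
    if [ "$(conf_get "$1" global 'map acl inherit')" = yes ]; then
        echo "ok   map acl inherit = yes"
    else
        echo "FAIL [global] map acl inherit = yes is required"; fails=$((fails + 1))
    fi
    umap=$(conf_get "$1" global 'username map')
    if [ -n "$umap" ]; then
        echo "ok   username map = $umap"
    else
        echo "FAIL no username map, so Unix root is not mapped to a domain account"; fails=$((fails + 1))
    fi
    # Informational only: with this set, vfs_acl_xattr keeps the NT ACL in the
    # security.NTACL xattr and does not map it to POSIX ACLs.
    if [ "$(conf_get "$1" global 'acl_xattr:ignore system acls')" = yes ]; then
        echo "note acl_xattr:ignore system acls = yes (NT ACL kept only in the xattr)"
    fi
    return $fails
}

# has_disk_operator ACCOUNT
# Read "net rpc rights list accounts" output on stdin (assumed layout: account
# name, then one privilege per line, blocks separated by a blank line) and
# succeed if ACCOUNT holds SeDiskOperatorPrivilege.
has_disk_operator() {
    ACCT="$1" awk 'BEGIN { RS = ""; missing = 1 }      # paragraph mode
        {
            n = split($0, line, "\n")
            if (line[1] != ENVIRON["ACCT"]) next
            for (i = 2; i <= n; i++)
                if (line[i] == "SeDiskOperatorPrivilege") missing = 0
        }
        END { exit missing }'
}

# Invoke as "sh acl-preflight.sh live" to check the running system (the net
# command prompts for the domain administrator password); with no argument
# only the functions above are defined.
if [ "${1:-}" = live ]; then
    if check_usermap /etc/samba/user.map; then
        echo "ok   /etc/samba/user.map maps root to a domain account"
    else
        echo "FAIL /etc/samba/user.map has no '!root = DOMAIN\\user' line"
    fi
    check_windows_acl_prereqs /etc/samba/smb.conf
    if net rpc rights list accounts -U 'PRIVATE\administrator' | has_disk_operator 'PRIVATE\Domain Admins'; then
        echo "ok   PRIVATE\\Domain Admins holds SeDiskOperatorPrivilege"
    else
        echo "FAIL grant it with: net rpc rights grant 'PRIVATE\\Domain Admins' SeDiskOperatorPrivilege -U 'PRIVATE\\administrator'"
    fi
fi
```

`conf_get` deliberately reads the file rather than `testparm -s` output so it also works on a config copied off the box; run `testparm -s` separately if you want Samba's own view of the effective values. The account name is handed to awk through the environment instead of `-v` because `-v` applies escape processing and would swallow the backslash in `PRIVATE\Domain Admins`.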