Rowland Penny
2023-Dec-12 18:12 UTC
[Samba] Permission denied while trying to setup share with RSAT
On Tue, 12 Dec 2023 18:59:33 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:

>
>
> On 12.12.2023 18:42, Rowland Penny via samba wrote:
> > On Tue, 12 Dec 2023 13:11:14 +0100
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> Hi folks,
> >>
> >> AD Member server with Samba 4.19.3 from Debian Bookworm backports.
> >> AD DC also Samba 4.19.3 from Debian Bookworm backports. smb.conf
> >> last in the message.
> >>
> >> When trying to setup a share with RSAT as Administrator, every
> >> operation fails with the error message:
> >>
> >> "An error occurred while applying security information to:"
> >> \\DATASRV\groble$
> >> Failed to enumerate objects in the container. Access is denied.
> >>
> >> The only operation that succeeds is changing ownership
> >>
> >> I setup the directory the usual way according to the Samba Wiki
> >>
> >> mkdir -p /data/groble
> >> chown root:"Domain Admins" /data/groble
> >> chmod 0770 /data/groble
> >>
> >> and defined it in smb.conf as
> >>
> >> [groble$]
> >>         comment = Roaming profiles
> >>         path = /data/groble/
> >>         read only = no
> >>         acl_xattr:ignore system acls = yes
> >>         hide dot files = no
> >>         csc policy = disable
> >>
> > That share appears to be for 'roaming profiles', so I suggest you
> > read this wiki page and then follow it to the letter:
> >
> > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> >
> > Follow the 'Using Windows ACLs' section.
> >
> > I also suggest you connect from Windows as a member of Domain
> > Admins.
> >
> > Rowland
> >
> >
> Hi Rowland,
>
> I have already done that, a zillion times. Still does not work. The
> basic problem is, that I cannot modify anything as Administrator.
> Whether the share will be used for roaming profiles or not, is
> secondary, and not the problem.
>
> As I reported, if I set the owner on the directory I want to share as
> PRIVATE\myadmin:"Domain Admins" with permissions 0770, I can manage
> the share properties as that user. If I create it as root:"Domain
> Admins", no way. Neither as PRIVATE\myadmin, nor as
> PRIVATE\Administrator.

From my testing, you no longer seem to need the user.map, try reading this:

https://lists.samba.org/archive/samba/2023-November/247267.html

Rowland
Peter Milesson
2023-Dec-12 18:31 UTC
[Samba] Permission denied while trying to setup share with RSAT
On 12.12.2023 19:12, Rowland Penny via samba wrote:
> On Tue, 12 Dec 2023 18:59:33 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>
>> On 12.12.2023 18:42, Rowland Penny via samba wrote:
>>> On Tue, 12 Dec 2023 13:11:14 +0100
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> AD Member server with Samba 4.19.3 from Debian Bookworm backports.
>>>> AD DC also Samba 4.19.3 from Debian Bookworm backports. smb.conf
>>>> last in the message.
>>>>
>>>> When trying to setup a share with RSAT as Administrator, every
>>>> operation fails with the error message:
>>>>
>>>> "An error occurred while applying security information to:"
>>>> \\DATASRV\groble$
>>>> Failed to enumerate objects in the container. Access is denied.
>>>>
>>>> The only operation that succeeds is changing ownership
>>>>
>>>> I setup the directory the usual way according to the Samba Wiki
>>>>
>>>> mkdir -p /data/groble
>>>> chown root:"Domain Admins" /data/groble
>>>> chmod 0770 /data/groble
>>>>
>>>> and defined it in smb.conf as
>>>>
>>>> [groble$]
>>>>         comment = Roaming profiles
>>>>         path = /data/groble/
>>>>         read only = no
>>>>         acl_xattr:ignore system acls = yes
>>>>         hide dot files = no
>>>>         csc policy = disable
>>>>
>>> That share appears to be for 'roaming profiles', so I suggest you
>>> read this wiki page and then follow it to the letter:
>>>
>>> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>>>
>>> Follow the 'Using Windows ACLs' section.
>>>
>>> I also suggest you connect from Windows as a member of Domain
>>> Admins.
>>>
>>> Rowland
>>>
>>>
>> Hi Rowland,
>>
>> I have already done that, a zillion times. Still does not work. The
>> basic problem is, that I cannot modify anything as Administrator.
>> Whether the share will be used for roaming profiles or not, is
>> secondary, and not the problem.
>>
>> As I reported, if I set the owner on the directory I want to share as
>> PRIVATE\myadmin:"Domain Admins" with permissions 0770, I can manage
>> the share properties as that user. If I create it as root:"Domain
>> Admins", no way. Neither as PRIVATE\myadmin, nor as
>> PRIVATE\Administrator.
>>
> From my testing, you no longer seem to need the user.map, try reading
> this:
>
> https://lists.samba.org/archive/samba/2023-November/247267.html
>
> Rowland
>

Hi Rowland,

I have also tried that, still the same error. I did also check if there is some old cruft in the local samba user database. That one is empty.

Best regards,

Peter
Peter Milesson
2023-Dec-12 18:34 UTC
[Samba] Permission denied while trying to setup share with RSAT
On 12.12.2023 19:12, Rowland Penny via samba wrote:
> On Tue, 12 Dec 2023 18:59:33 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>
>> On 12.12.2023 18:42, Rowland Penny via samba wrote:
>>> On Tue, 12 Dec 2023 13:11:14 +0100
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> AD Member server with Samba 4.19.3 from Debian Bookworm backports.
>>>> AD DC also Samba 4.19.3 from Debian Bookworm backports. smb.conf
>>>> last in the message.
>>>>
>>>> When trying to setup a share with RSAT as Administrator, every
>>>> operation fails with the error message:
>>>>
>>>> "An error occurred while applying security information to:"
>>>> \\DATASRV\groble$
>>>> Failed to enumerate objects in the container. Access is denied.
>>>>
>>>> The only operation that succeeds is changing ownership
>>>>
>>>> I setup the directory the usual way according to the Samba Wiki
>>>>
>>>> mkdir -p /data/groble
>>>> chown root:"Domain Admins" /data/groble
>>>> chmod 0770 /data/groble
>>>>
>>>> and defined it in smb.conf as
>>>>
>>>> [groble$]
>>>>         comment = Roaming profiles
>>>>         path = /data/groble/
>>>>         read only = no
>>>>         acl_xattr:ignore system acls = yes
>>>>         hide dot files = no
>>>>         csc policy = disable
>>>>
>>> That share appears to be for 'roaming profiles', so I suggest you
>>> read this wiki page and then follow it to the letter:
>>>
>>> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>>>
>>> Follow the 'Using Windows ACLs' section.
>>>
>>> I also suggest you connect from Windows as a member of Domain
>>> Admins.
>>>
>>> Rowland
>>>
>>>
>> Hi Rowland,
>>
>> I have already done that, a zillion times. Still does not work. The
>> basic problem is, that I cannot modify anything as Administrator.
>> Whether the share will be used for roaming profiles or not, is
>> secondary, and not the problem.
>>
>> As I reported, if I set the owner on the directory I want to share as
>> PRIVATE\myadmin:"Domain Admins" with permissions 0770, I can manage
>> the share properties as that user. If I create it as root:"Domain
>> Admins", no way. Neither as PRIVATE\myadmin, nor as
>> PRIVATE\Administrator.
>>
> From my testing, you no longer seem to need the user.map, try reading
> this:
>
> https://lists.samba.org/archive/samba/2023-November/247267.html
>
> Rowland
>

Hi Rowland,

Just one more bit of information. I don't think it is relevant, but who knows. All servers are VMs that I migrated from Xen to Qemu/KVM a week ago. The VMs are running off of LVM volumes (like before). I have also checked Apparmor. Samba is not under Apparmor control.

Best regards,

Peter