Peter Milesson
2023-Dec-12 18:34 UTC
[Samba] Permission denied while trying to setup share with RSAT
On 12.12.2023 19:12, Rowland Penny via samba wrote:> On Tue, 12 Dec 2023 18:59:33 +0100 > Peter Milesson via samba <samba at lists.samba.org> wrote: > >> >> On 12.12.2023 18:42, Rowland Penny via samba wrote: >>> On Tue, 12 Dec 2023 13:11:14 +0100 >>> Peter Milesson via samba <samba at lists.samba.org> wrote: >>> >>>> Hi folks, >>>> >>>> AD Member server with Samba 4.19.3 from Debian Bookworm backports. >>>> AD DC also Samba 4.19.3 from Debian Bookworm backports. smb.conf >>>> last in the message. >>>> >>>> When trying to setup a share with RSAT as Administrator, every >>>> operation fails with the error message: >>>> >>>> "An error occurred while applying security information to:" >>>> \\DATASRV\groble$ >>>> Failed to enumerate objects in the container. Access is denied. >>>> >>>> The only operation that succeeds is changing ownership >>>> >>>> I setup the directory the usual way according to the Samba Wiki >>>> >>>> mkdir -p /data/groble >>>> chown root:"Domain Admins" /data/groble >>>> chmod 0770 /data/groble >>>> >>>> and defined it in smb.conf as >>>> >>>> [groble$] >>>> ??????? comment = Roaming profiles >>>> ??????? path = /data/groble/ >>>> ??????? read only = no >>>> ??????? acl_xattr:ignore system acls = yes >>>> ??????? hide dot files = no >>>> ??????? csc policy = disable >>>> >>> That share appears to be for 'roaming profiles', so I suggest you >>> read this wiki page and then follow it to the letter: >>> >>> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles >>> >>> Follow the 'Using Windows ACLs' section. >>> >>> I also suggest you connect from Windows as a member of Domain >>> Admins. >>> >>> Rowland >>> >>> >> Hi Rowland, >> >> I have already done that, a zillion times. Still does not work. The >> basic problem is, that I cannot modify anything as Administrator. >> Whether the share will be used for roaming profiles or not, is >> secondary, and not the problem. >> >> As I reported, if I set the owner on the directory I want to share as >> PRIVATE\myadmin:"Domain Admins" with permissions 0770, I can manage >> the share properties as that user. If I create it as root:"Domain >> Admins", no way. Neither as PRIVATE\myadmin, nor as >> PRIVATE\Administrator. >> > From my testing, you no longer seem to need the user.map, try reading > this: > > https://lists.samba.org/archive/samba/2023-November/247267.html > > Rowland >Hi Rowland, Just one more bit of information. I don't think it is relevant, but who knows. All servers are VMs that I migrated from Xen to Qemu/KVM a week ago. The VMs are running off of LVM volumes (like before). I have also checked Apparmor. Samba is not under Apparmor control. Best regards, Peter
Rowland Penny
2023-Dec-12 18:46 UTC
[Samba] Permission denied while trying to setup share with RSAT
On Tue, 12 Dec 2023 19:34:20 +0100 Peter Milesson via samba <samba at lists.samba.org> wrote:> Hi Rowland, > > Just one more bit of information. I don't think it is relevant, but > who knows. All servers are VMs that I migrated from Xen to Qemu/KVM a > week ago. The VMs are running off of LVM volumes (like before). > > I have also checked Apparmor. Samba is not under Apparmor control. > > Best regards, > > Peter > >I have heard of VMs where root doesn't work, could this be your problem ? I ask this because I use Oracle virtual box and it works for myself, with Apparmor ! Rowland