
Re: [Samba] Cannot set Windows ACL security permissions Ubuntu 18.04 LXD privileged container




Set the permissions to drwxrwx---+ and make sure 'vfs objects = acl_xattr' is set in smb.conf.

Good luck

Jochen


On 12.09.2018 at 02:14, Jonathan Kreider via samba wrote:
I'm trying to set up a member server for serving files following the
instructions at:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.

Since I'm not an expert with log files or debugging, I need help
troubleshooting the following:

When I get to the part where I connect to the member server from the
Windows Computer Management tool, I get a long message starting with
"Computer FS3.MYDOM.COM cannot be connected. ..."

But then the tool connects anyway and lets me change the "Share
permissions" settings. I can add and delete groups here.

But when I click on the security tab I get a message "You must have read
permissions to view the properties of this object."  Other times, the tab
has displayed properly and allowed me to add groups and change permissions,
but then it won't allow me to save the changes.

Shared directory permissions:
drwxrwxrwx  2 root   KMS2\domain admins  2 Sep 11 22:40 shared/

testparm output:
# Global parameters
[global]
         dns proxy = No
         log file = /var/log/samba/log.%m
         map to guest = Bad User
         max log size = 1000
         panic action = /usr/share/samba/panic-action %d
         realm = KMS2.SAMDOM.COM (sanitized)
         security = ADS
         server role = member server
         server string = %h server (Samba, Ubuntu)
         username map = /etc/samba/user.map
         winbind refresh tickets = Yes
         workgroup = KMS2
         acl_xattr:default acl style = windows  (tried with and without - could not tell a difference)
         acl_xattr:ignore system acls = yes     (tried with and without - could not tell a difference)
         idmap config kms2 : range = 10000-19999
         idmap config kms2 : backend = rid
         idmap config * : range = 3000-7999
         idmap config * : backend = tdb
         map acl inherit = Yes
         store dos attributes = Yes
         vfs objects = acl_xattr

[printers]
         browseable = No
         comment = All Printers
         create mask = 0700
         path = /var/spool/samba
         printable = Yes

[print$]
         comment = Printer Drivers
         path = /var/lib/samba/printers

[Shared]
         path = /home/shared
         read only = No
         acl_xattr:default acl style = windows  (tried with and without - could not tell a difference)
         acl_xattr:ignore system acls = yes  (tried with and without - could not tell a difference)

Environment: Ubuntu 18.04 in an LXD privileged container on a Ubuntu 16.04
host
Samba Version = 4.7.6 (what ships with Ubuntu 18.04 by default)
AD DC = Samba 4.3.11 on Ubuntu 16.04 LTS inside a LXD privileged container
on the same host as above.
Second AD DC = Samba 4.7.6-Ubuntu on Ubuntu 18.04 inside a privileged
container on same host.

The underlying file system is zfs-on-linux and in all cases I set the
following zfs attributes:
xattrs=sa
aclinherit=passthrough
acltype=posix

A member server fs3 w/Samba 4.7.6-Ubuntu also privileged on the same host.
All workstations on the network are successfully joined to AD.
Windows OS = 10 1803, but RSAT is 17xx b/c the RSAT 1803 doesn't have the
DNS tools, so I had to downgrade.

All containers are "privileged" b/c samba NTACLs use the "security"
namespace which requires root privileges. This seems to work for the AD DCs
- I can't get the AD DCs to work in unprivileged mode.

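Added example, not part of either message and not Samba project code: a Python check for the two points in the reply above, run over testparm-style output and an `ls -ld` mode string. The function names and the sample configuration are constructed for illustration; the check relies on the fact that a share-level `vfs objects` line replaces the `[global]` list rather than extending it.

```python
# Constructed sample in testparm's output format (not taken from the thread).
SAMPLE = """\
[global]
        vfs objects = acl_xattr

[Shared]
        path = /home/shared

[Scans]
        path = /srv/scans
        vfs objects = recycle
"""

def parse_testparm(text):
    """Return {section: {parameter: value}}; names lowercased, whitespace removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections

def shares_without_acl_xattr(sections):
    """Names of shares whose effective 'vfs objects' list lacks acl_xattr."""
    inherited = sections.get("global", {}).get("vfsobjects", "")
    missing = []
    for name, params in sections.items():
        if name == "global" or "path" not in params:
            continue
        # A share-level value replaces the [global] list; it is not appended.
        effective = params.get("vfsobjects", inherited)
        if "acl_xattr" not in effective.replace(",", " ").split():
            missing.append(name)
    return missing

def mode_problems(ls_mode):
    """Compare an `ls -ld` mode string with the advised drwxrwx---+."""
    checks = [(ls_mode[:1] == "d", "not a directory"),
              (ls_mode[1:7] == "rwxrwx", "owner/group lack rwx"),
              (ls_mode[7:10] == "---", "accessible to others"),
              (ls_mode.endswith("+"), "no ACL marker (+)")]
    return [msg for ok, msg in checks if not ok]
```

Feeding it the output of `testparm -s` and the first column of `ls -ld` for the share path shows which shares lose `acl_xattr` through an override and how the directory mode differs from the advised one.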