
Re: [Samba] error on the modificed permission

Hi, with the command

getent group Domain\ Admins

I obtain domain admins:x:10512:

Is it correct?

On 12/02/2019 12:57, Rowland Penny via samba wrote:
On Tue, 12 Feb 2019 11:13:56 +0100
marco pirola via samba <samba@xxxxxxxxxxxxxxx> wrote:

I obtain this result. Impossible to enumerate the objects in the
container: access denied.

Hi Marco, you posted this as your smb.conf:

  security = ADS
  workgroup = ROBINOOD
  realm = ROBINOOD.TST
  log file = /var/log/samba/%m.log
  log level = 1
  vfs objects = acl_xattr
  map acl inherit = yes
  store dos attributes = yes
  # Default ID mapping configuration for local BUILTIN accounts
  # and groups on a domain member. The default (*) domain:
  # - must not overlap with any domain ID mapping configuration!
  # - must use a read-write-enabled back end, such as tdb.
  idmap config * : backend = tdb
  idmap config * : range = 3000-7999
  # - You must set a DOMAIN backend configuration
  # idmap config for the ROBINOOD domain
  idmap config ROBINOOD : backend = rid
  idmap config ROBINOOD : range = 10000-999999
  winbind use default domain = yes
  username map = /etc/samba/user.map

  path = /home/samba/samba/
  read only = no

So I added your share to an existing Unix domain member that also uses
the 'rid' backend. These are my notes; they prove it works.

Log into the Samba Unix domain member that holds the share

Some commands will be run as root

Running the following command:

getent group Domain\ Admins

Should produce output similar to this:


If you do not get output, then nothing is going to work.

List the existing SeDiskOperatorPrivilege owners

net rpc rights list privileges SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
Enter ROBINOOD\administrator's password:

If 'Domain Admins' isn't shown (as above), you need to add the group:

net rpc rights grant "ROBINOOD\Domain Admins" SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
Enter ROBINOOD\administrator's password:
Successfully granted rights.

Check the privilege owners again

net rpc rights list privileges SeDiskOperatorPrivilege -U "ROBINOOD\administrator"
Enter ROBINOOD\administrator's password:

Now create the share directory (if it doesn't already exist):

sudo mkdir -p /home/samba/samba/

sudo chown root:Domain\ Admins /home/samba/samba/
sudo chmod 0770 /home/samba/samba/

Check the ownership:

ls -lad /home/samba/samba/
drwxrwx--- 2 root domain_admins 4096 Feb 12 10:47 /home/samba/samba/

Reload Samba:

sudo smbcontrol all reload-config

Now go to a Windows machine (in my case win10) and log on using an account that is a member of Domain Admins.

     Click Start, enter Computer Management, and start the application.

     Select Action --> Connect to another computer.

     Enter the name of the Samba host and click OK to connect the console to the host.

     Open System Tools
     NOTE: You may get an error box, just click 'OK' and it will connect.

     Open Shared Folders --> Shares menu entry.

     Right-click the 'samba' share and select Properties.

     Select the Security tab.

     Click the Edit button and then the 'Add' button

     Click 'Advanced' button

     Click 'Find Now'

     Select a user or group from the list, I will use 'Domain Users'

     Click 'OK'

     Click 'OK'

     Select permissions to grant, I will grant 'Full control'

     A windows security box should open, asking if you want to continue
     Click 'Yes'

     If you now check the list of 'Group or user names', you should find 'Domain Users' listed

     Click OK to close the Properties box.

Back to the Samba share machine:

If you check the ownership of the share directory, you should see that something has been added:

ls -lad /home/samba/samba/
drwxrwx---+ 2 root domain_admins 4096 Feb 12 10:47 /home/samba/samba/
           |--- This

If you now run:

getfacl /home/samba/samba/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/samba/
# owner: root
# group: domain_admins

You can now see that members of 'Domain Users' can Read, Write and enter the directory.
Hope this helps
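As an added example (not part of the thread and not Samba project code), here is a small POSIX shell script that checks the two things the procedure above depends on: that the group id winbind reports for Domain Admins is consistent with the idmap configuration in smb.conf, and that the share directory ends up with the ownership, mode and ACL flag that the ls output shows. The SAMPLE_* values are constructed from the smb.conf fragment, the getent line and the ls line quoted in the thread; on a real member server you would feed in live output instead. The id check relies on two facts: Domain Admins has the well-known RID 512 in every AD domain, and the rid backend maps an id to the low end of the domain's range plus the RID.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for the id mapping and
# share directory that the procedure above relies on.  All SAMPLE_* inputs
# are constructed to mirror the smb.conf and command output quoted above.

SAMPLE_SMB_CONF='
  idmap config * : backend = tdb
  idmap config * : range = 3000-7999
  idmap config ROBINOOD : backend = rid
  idmap config ROBINOOD : range = 10000-999999
'
SAMPLE_GETENT='domain admins:x:10512:'
SAMPLE_LS='drwxrwx---+ 2 root domain_admins 4096 Feb 12 10:47 /home/samba/samba/'

# Well-known RID of the Domain Admins group in every AD domain.
DOMAIN_ADMINS_RID=512

# idmap_setting DOMAIN KEY CONF -> value of "idmap config DOMAIN : KEY = value"
idmap_setting() {
  printf '%s\n' "$3" | awk -v dom="$1" -v key="$2" \
    '$1=="idmap" && $2=="config" && $3==dom && $5==key { print $NF }'
}

# gid_from_getent 'name:x:gid:members' -> gid (third colon-separated field)
gid_from_getent() {
  printf '%s\n' "$1" | cut -d: -f3
}

# expected_rid_gid DOMAIN RID CONF -> the id the rid backend must produce:
# low end of the domain's idmap range plus the RID
expected_rid_gid() {
  low=$(idmap_setting "$1" range "$3" | cut -d- -f1)
  echo $(( low + $2 ))
}

# gid_in_domain_range DOMAIN GID CONF -> 0 if GID lies inside the domain range
gid_in_domain_range() {
  range=$(idmap_setting "$1" range "$3")
  low=${range%-*}; high=${range#*-}
  [ "$2" -ge "$low" ] && [ "$2" -le "$high" ]
}

# check_domain_admins DOMAIN GETENT_LINE CONF -> 0 if the reported gid is in
# the domain's range and, for the rid backend, equals low + 512
check_domain_admins() {
  gid=$(gid_from_getent "$2")
  gid_in_domain_range "$1" "$gid" "$3" || {
    echo "gid $gid is outside the $1 idmap range" >&2; return 1; }
  if [ "$(idmap_setting "$1" backend "$3")" = rid ]; then
    want=$(expected_rid_gid "$1" "$DOMAIN_ADMINS_RID" "$3")
    [ "$gid" -eq "$want" ] || {
      echo "gid $gid does not match rid mapping (expected $want)" >&2; return 1; }
  fi
  return 0
}

# share_dir_ok LS_LINE -> 0 when the directory is 0770 with an extended ACL
# attached (the trailing '+') and group-owned by domain_admins, as in the thread
share_dir_ok() {
  set -- $1              # split the 'ls -lad' line into its fields
  mode=$1; group=$4
  case "$mode" in
    drwxrwx---+) ;;      # rwx owner and group, nothing for others, plus ACL
    *) return 1 ;;
  esac
  [ "$group" = domain_admins ]
}

# Run the checks against the constructed samples.
if check_domain_admins ROBINOOD "$SAMPLE_GETENT" "$SAMPLE_SMB_CONF" \
   && share_dir_ok "$SAMPLE_LS"; then
  echo "id mapping and share directory are consistent with smb.conf"
fi
```

On a live member server, replace the samples with `testparm -s`, `getent group "Domain Admins"` and `ls -lad /home/samba/samba/` output; a gid outside the domain range, or one that is in range but not low + RID, means the idmap settings in smb.conf differ from those the thread shows.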

