Web lists-archives.com

Re: [Samba] Computer Management - Share Security - No Read Access




On Fri, 22 Feb 2019 09:52:36 +0100
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> > ******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED
> > 
> > Can't see where I could be deviating
> Ok i think here ( as workaround ) the following. 
> 
> 
> > root@sce253:/# service smbd stop
> > root@sce253:/# rmdir /server/share-files
> > root@sce253:/# rmdir /server/users
> > root@sce253:/# cd ..
> > root@sce253:/# rmdir server
> > root@sce253:/# mkdir -p /server/share-files
> > root@sce253:/# mkdir -p /server/users
> 
> Install -d /server -o root -g "Domain Admins" -m 3771
> 
> > root@sce253:/# chown root:"Domain Admins" /server/share-files
> > root@sce253:/# chown root:"Domain Admins" /server/users
> > root@sce253:/# chmod 0770 /server/share-files
> > root@sce253:/# chmod 0770 /server/users
> 
> Now try again. 
> 
> The message: 
> > 
> > ******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED 
> Purly due to /server not allowing "DOMAIN USER" write access. 
> Because ... What is the windows "Primary group" yes. Domain Users. 
> 
> So I thing also you might be affected with bug :  
> https://bugzilla.samba.org/show_bug.cgi?id=13371 

As I have already said, it depends on your perspective if bug 13371 is
actually a bug ;-)

If you use 'unix_primary_group = yes' and a user logs into a Unix
machine, they will get the Unix primary group instead of Domain Admins.
If the same user logs into a Windows machine, they will get Domain
Users as their primary group.

If the same user connects over the network (either from a Unix or
Windows machine) their primary group will be Domain Users, how can it
be otherwise, Samba is trying to emulate how Windows works, so it
doesn't care whether it is a Windows or a Unix machine. Because of
this, it has to work in the same way as a Windows machine expects.

My feelings are:
If you have only Unix clients, use 'unix_primary_group = yes' if you
wish. If you only have Windows clients, or a mixture of Unix & Windows
clients, don't.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba