Created attachment 15752 [details]
log.smbd

Attempts to use smbcacls always fail with NT_STATUS_ACCESS_DENIED, when:
- the fileshare is hosted on an AD DM
- smbcacls is run as root
- there is a mapping between root and <DOMAIN>\administrator

Probably "root" is used in place of "<DOMAIN>\administrator" at some point during the authentication.

Version of sernet-samba is: 99:4.9.15-20.suse150

OS:
------------------------------
datarec:~ # cat /etc/os-release
NAME="SLES"
VERSION="15"
VERSION_ID="15"
PRETTY_NAME="SUSE Linux Enterprise Server 15"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15"
datarec:~ #
------------------------------

Behavior:
------------------------------
datarec:~ # smbcacls //datarec/TCS / -U administrator
Enter VPTC3\administrator's password:
cli_full_connection failed! (NT_STATUS_ACCESS_DENIED)
datarec:~ #
------------------------------

Info relating to permissions in the test environment (smbcacls succeeds here because the root/Administrator mapping was removed):
------------------------------
datarec:~ # smbcacls //datarec/TCS / -U administrator
Enter VPTC3\administrator's password:
REVISION:1
CONTROL:SR|DP
OWNER:VPTC3\administrator
GROUP:VPTC3\Unix Admins
ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
ACL:VPTC3\Domain Users:ALLOWED/0x0/CHANGE
ACL:VPTC3\Unix Admins:ALLOWED/OI|CI|IO/FULL
datarec:~ #
datarec:~ # sharesec -v TCS
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-5-21-1186222027-375203681-1372933539-513:ALLOWED/0x0/CHANGE
ACL:S-1-5-21-1186222027-375203681-1372933539-1103:ALLOWED/0x0/FULL
datarec:~ #
datarec:~ # wbinfo --sid-to-name S-1-5-21-1186222027-375203681-1372933539-513
VPTC3\Domain Users 2
datarec:~ # wbinfo --sid-to-name S-1-5-21-1186222027-375203681-1372933539-1103
VPTC3\Unix Admins 2
datarec:~ #
datarec:~ # samba-tool group listmembers "unix admins" -U administrator --URL ldap://mcbackup
Password for [VPTC3\administrator]:
Administrator
atihon
mveil
pan
ohrstka
datarec:~ #
datarec:~ # net rpc rights list privileges SeDiskOperatorPrivilege -U administrator
Enter administrator's password:
SeDiskOperatorPrivilege:
VPTC3\Domain Admins
VPTC3\administrator
VPTC3\Unix Admins
BUILTIN\Administrators
datarec:~ #
------------------------------

smb.conf:
------------------------------
[global]
log level = 10
security = ADS
workgroup = VPTC3
realm = VPTC3.ORG
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config VPTC3 : backend = ad
idmap config VPTC3 : schema = rfc2307
idmap config VPTC3 : range = 10000-999999
idmap config VPTC3 : unix_nss_info = yes
idmap config VPTC3 : unix_primary_group = yes
template shell = /bin/bash
template homedir = /tcs_usr/%U
username map = /etc/samba/user.map
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind offline logon = yes
winbind use default domain = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
durable handles = no
kernel oplocks = yes
durable handles = no
kernel oplocks = yes

### BEGIN /TCS share ###
[TCS]
path = /TCS
read only = no
### END /TCS share ###

### BEGIN /TCS/runtimeStore/log share ###
[TCS-runtimeStore-log]
path = /TCS/runtimeStore/log
read only = no
### END /TCS/runtimeStore/log share ###

### BEGIN /home/VPTC3 share ###
[home-VPTC3]
path = /home/VPTC3
read only = no
### END /home/VPTC3 share ###
------------------------------

user.map:
------------------------------
!root = VPTC3\Administrator VPTC3\administrator Administrator administrator
------------------------------

Relevant portion of log (full log attached):
------------------------------
[2020/01/15 17:54:39.723607, 3, pid=13163, effective(0, 0), real(0, 0)] ../lib/util/access.c:365(allow_access)
  Allowed connection from 10.110.30.80 (10.110.30.80)
[2020/01/15 17:54:39.723631, 10, pid=13163, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:219(user_ok_token)
  user_ok_token: share TCS is ok for unix user root
[2020/01/15 17:54:39.723676, 10, pid=13163, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:70(set_conn_connectpath)
  set_conn_connectpath: service TCS, connectpath = /TCS
[2020/01/15 17:54:39.723700, 3, pid=13163, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:605(make_connection_snum)
  make_connection_snum: Connect path is '/TCS' for service [TCS]
[2020/01/15 17:54:39.723719, 10, pid=13163, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:219(user_ok_token)
  user_ok_token: share TCS is ok for unix user root
[2020/01/15 17:54:39.723737, 10, pid=13163, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:266(is_share_read_only_for_token)
  is_share_read_only_for_user: share TCS is read-write for unix user root
[2020/01/15 17:54:39.723778, 10, pid=13163, effective(0, 0), real(0, 0)] ../libcli/security/access_check.c:366(se_file_access_check)
  se_file_access_check: MAX desired = 0x2000000 mapped to 0x0
[2020/01/15 17:54:39.723797, 3, pid=13163, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:157(check_user_share_access)
  check_user_share_access: user root connection to TCS denied due to share security descriptor.
------------------------------
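A toy share-ACL evaluator, added here and not part of the report or of Samba's own code, that parses the `sharesec -v TCS` output quoted above and reports which share permission a given set of token SIDs would be granted. The tokens are constructed (RID 500 for the domain Administrator, the page's RIDs 513 and 1103, and Samba's S-1-22 Unix-identity SIDs for a plain root), and the check is a deliberate simplification of Samba's se_access_check: its only purpose is to show that a token carrying no domain group SID matches neither ACE on the share.

```python
import re

# Constructed copy of the "sharesec -v TCS" output quoted in the report.
SHARESEC_OUTPUT = """\
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-5-21-1186222027-375203681-1372933539-513:ALLOWED/0x0/CHANGE
ACL:S-1-5-21-1186222027-375203681-1372933539-1103:ALLOWED/0x0/FULL
"""

# Share permission levels as sharesec names them; the ranking is this toy's own.
RIGHT_RANK = {"READ": 1, "CHANGE": 2, "FULL": 3}

ACE_RE = re.compile(r"^ACL:(?P<sid>S-1-[\d-]+):(?P<kind>ALLOWED|DENIED)/[^/]+/(?P<right>\w+)$")


def parse_share_aces(text):
    """Parse the ACL: lines of sharesec -v output into (sid, allowed, right) tuples."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append((m["sid"], m["kind"] == "ALLOWED", m["right"]))
    return aces


def share_access(aces, token_sids):
    """Simplified share check: any matching DENIED ACE refuses access; otherwise the
    highest right among matching ALLOWED ACEs is granted; no matching ACE means None."""
    matching = [(allowed, right) for sid, allowed, right in aces if sid in token_sids]
    if any(not allowed for allowed, _ in matching):
        return None
    grants = [right for allowed, right in matching if allowed]
    return max(grants, key=RIGHT_RANK.__getitem__) if grants else None


DOMAIN = "S-1-5-21-1186222027-375203681-1372933539"
# Constructed token for VPTC3\administrator: RID 500 plus Domain Users (513, the
# default primary group) and Unix Admins (1103), both shown in the report.
ADMIN_TOKEN = {f"{DOMAIN}-500", f"{DOMAIN}-513", f"{DOMAIN}-1103"}
# Constructed token holding only Samba's synthetic Unix user/group SIDs for uid/gid 0,
# i.e. what a bare "unix user root" carries with no domain group membership at all.
ROOT_ONLY_TOKEN = {"S-1-22-1-0", "S-1-22-2-0"}

if __name__ == "__main__":
    aces = parse_share_aces(SHARESEC_OUTPUT)
    print("administrator ->", share_access(aces, ADMIN_TOKEN))      # FULL
    print("root only     ->", share_access(aces, ROOT_ONLY_TOKEN))  # None
```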
I cannot reproduce this on Samba 4.11.7 (running on Debian) with a very similar smb.conf and user.map. I also cannot extract the log file attachment.
Created attachment 15980 [details] log.smbd Sorry, apparently I had gzipped the log file twice.
Created attachment 15981 [details] log.smbd
Sorry for the late reply, but I still cannot reproduce this and I am now using Samba 4.12.5 from Louis Van Belle's repo. I can only surmise that there was a problem before 4.11.x and it has now been fixed. If you still have the problem and are still using 4.9.x, I suggest you upgrade to a Samba supported version (preferably 4.11.x upwards) and see if you still have the problem. One thought I did have: you are using the 'ad' backend, you haven't given Administrator a uidNumber attribute, have you?
Administrator did have a uidNumber at first, but I had the same behavior after recreating my environment with no such assignment.

Currently, I am still able to reproduce the issue with sernet samba 99:4.12.2-11.suse150.

Given that you cannot reproduce it, I may have some other config issue. I currently have:
------------------------------
mcaddc1:~ # samba-tool user show administrator | grep idNumber
mcaddc1:~ # samba-tool user show administrator | grep memberOf
memberOf: CN=Domain Admins,CN=Users,DC=vptc3,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=vptc3,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=vptc3,DC=org
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=vptc3,DC=org
memberOf: CN=Administrators,CN=Builtin,DC=vptc3,DC=org
memberOf: CN=Unix Admins,CN=Users,DC=vptc3,DC=org
mcaddc1:~ #
mcaddc1:~ #
mcaddc1:~ # samba-tool group show domain\ admins | grep idNumber
mcaddc1:~ # samba-tool group show domain\ admins | grep memberOf
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=vptc3,DC=org
memberOf: CN=Administrators,CN=Builtin,DC=vptc3,DC=org
mcaddc1:~ #
mcaddc1:~ #
mcaddc1:~ # samba-tool group show unix\ admins | grep idNumber
gidNumber: 100001
mcaddc1:~ # samba-tool group show unix\ admins | grep memberOf
memberOf: CN=Domain Admins,CN=Users,DC=vptc3,DC=org
------------------------------