
[Samba] Element not found error


Brian C. Huffman

Sep 22, 2014, 1:50:02 PM
I have a Samba 4.1.4 AD server and am trying to set up a file server as
a member of the domain.

Currently I'm using Samba 3.6.9 from the CentOS repository.

I've followed this wiki:
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

but when I try to make changes in the Security tab of Computer
Management->System Tools->Shared Folders-Shares, I'm getting "An error
occurred while applying security information to: \\SAMBA02\files -
Element not found." If I click continue, then I get "Unable to save
permission changes on files (\\SAMBA02). Element not found."

I can't figure out what I'm doing wrong. Any suggestions?

Thanks,
Brian



--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Marc Muehlfeld

Sep 22, 2014, 2:10:03 PM
Hello Brian,

On 22.09.2014 at 19:48, Brian C. Huffman wrote:
> I have a Samba 4.1.4 AD server and am trying to set up a file server as
> a member of the domain.
>
> Currently I'm using Samba 3.6.9 from the CentOS repository.
>
> I've followed this wiki:
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

I didn't try that with 3.6 when I wrote the documentation. Do you
have a chance to retry it with the latest 4.0 or, better, 4.1? Maybe someone
else here on the list can say for sure that it should work with 3.6, too.




> but when I try to make changes in the Security tab of Computer
> Management->System Tools->Shared Folders-Shares, I'm getting "An error
> occurred while applying security information to: \\SAMBA02\files -
> Element not found." If I click continue, then I get "Unable to save
> permission changes on files (\\SAMBA02). Element not found."
>
> I can't figure out what I'm doing wrong. Any suggestions?

My guess, without having seen any logs and configs:
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#SeDiskOperatorPrivilege




Regards,
Marc

Brian C. Huffman

Sep 22, 2014, 3:50:02 PM
Marc,

Ok - I just tried using SerNet's 4.1 RPMS (4.1.12-9.el6.x86_64)

I had to change the syntax for adding the SeDiskOperatorPrivilege. Was
this written / tested using Samba 4.0?
[root@samba02 bhuffman]# net rpc rights grant 'ETI\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
Enter administrator's password:
Failed to grant privileges for ETI\Domain Admins (NT_STATUS_ACCESS_DENIED)
[root@samba02 bhuffman]# net sam rights grant 'ETI\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
Granted SeDiskOperatorPrivilege to ETI\Domain Admins

At any rate, after using "net sam" instead of "net rpc", it appeared to
work.

But now when I tried to change things in the security tab in computer
management, I get an "Access is denied" error message.

Ideas?

Thanks,
Brian

Brian C. Huffman

Sep 23, 2014, 2:10:02 PM
I was finally able to get this to work, but I had to do the following
(which is not on the main file shares wiki page):

After making the directory on the Samba member server, I did the
following (from the profiles wiki page):
chmod 1770 /share
chgrp "Domain Users" /share

Then I'm able to add "Domain Admins" group with full control in Windows
computer management and from there I'm good.

Should this be added to the wiki? Or maybe this is a side effect of
something else I did wrong?

-b


On 09/22/2014 02:06 PM, Marc Muehlfeld wrote:

Marc Muehlfeld

Sep 23, 2014, 2:50:03 PM
On 23.09.2014 at 20:02, Brian C. Huffman wrote:
> I was finally able to get this to work, but I had to do the following
> (which is not on the main file shares wiki page):
>
> After making the directory on the Samba member server, I did the
> following (from the profiles wiki page):
> chmod 1770 /share
> chgrp "Domain Users" /share
>
> Then I'm able to add "Domain Admins" group with full control in Windows
> computer management and from there I'm good.
>
> Should this be added to the wiki? Or maybe this is a side effect of
> something else I did wrong?

Normally this shouldn't be necessary.

- Which account did you use to add the ACL?
- Is this account mapped in the backend (e. g. to root)?
- Can you show me your smb.conf (global and the share config)?

Brian C. Huffman

Sep 25, 2014, 1:00:02 PM

On 09/23/2014 02:47 PM, Marc Muehlfeld wrote:
> Am 23.09.2014 um 20:02 schrieb Brian C. Huffman:
>> I was finally able to get this to work, but I had to do the following
>> (which is not on the main file shares wiki page):
>>
>> After making the directory on the Samba member server, I did the
>> following (from the profiles wiki page):
>> chmod 1770 /share
>> chgrp "Domain Users" /share
>>
>> Then I'm able to add "Domain Admins" group with full control in Windows
>> computer management and from there I'm good.
>>
>> Should this be added to the wiki? Or maybe this is a side effect of
>> something else I did wrong?
> Normally this shouldn't be necessary.
>
> - Which account did you use to add the ACL?
An account I created that is a member of Domain Admins
> - Is this account mapped in the backend (e. g. to root)?
umm. Maybe this is the problem? I don't think I have this. I did try
at one point to add an smbusers file with the following line, but it
didn't seem to help:
root = administrator admin
> - Can you show me your smb.conf (global and the share config)
[global]
netbios name = samba02
workgroup = ETI
realm = XMEN.ETI
security = ads
idmap config * : range = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes

# Added for ACL Support
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

[etifiles]
path = /samba/etifiles
read only = no

I'll admit I'm not too sure about the idmap config. I'm looking for the
simplest configuration that will work. The wiki for setting up member
server suggests some different idmap config options, but it references
schema mode rfc2307 and I don't think I have that.

Thanks,
Brian

Rowland Penny

Sep 25, 2014, 1:30:02 PM
Hi, with the above, samba has nowhere to map the users to, if you don't
want to use the 'ad' backend, then you need to use the rid backend:

idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config ETI:backend = rid
idmap config ETI:range = 500-40000

Changing the numbers to match your requirements.

> # Added for ACL Support
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> [etifiles]
> path = /samba/etifiles
> read only = no
>
> I'll admit I'm not too sure about the idmap config. I'm looking for
> the simplest configuration that will work. The wiki for setting up
> member server suggests some different idmap config options, but it
> references schema mode rfc2307 and I don't think I have that.
>

If you are using samba4 as the AD DC, then you do have rfc2307, but you
will need to give your users a uidNumber and your groups a gidNumber.
Information about this is available on the samba wiki and elsewhere on
the internet.

Rowland
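
An added example, not part of the original thread and not Samba's own validation (use testparm for that): a small audit that applies the checks implied by the reply above to smb.conf text. The two sample configs are constructed from the lines quoted in the thread; the function name and finding strings are assumptions.

```python
import re

# Constructed sample: the idmap-relevant [global] lines as posted in the thread.
POSTED = """[global]
workgroup = ETI
security = ads
idmap config * : range = 16777216-33554431
"""

# Constructed sample: the same section with the rid-backend lines from the reply.
SUGGESTED = """[global]
workgroup = ETI
security = ads
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config ETI:backend = rid
idmap config ETI:range = 500-40000
"""

IDMAP = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)

def audit_idmap(conf_text):
    """Return findings (strings) for the idmap settings in smb.conf text."""
    domains, workgroup = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if re.match(r"workgroup\s*=", line, re.I):
            workgroup = line.split("=", 1)[1].strip().upper()
        m = IDMAP.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip()
    findings, seen = [], []
    if workgroup and workgroup not in domains:
        findings.append(f"{workgroup}: no domain-specific idmap config")
    for dom, opts in domains.items():
        if "backend" not in opts:
            findings.append(f"{dom}: backend not set explicitly")
        if "range" not in opts:
            findings.append(f"{dom}: no range set")
            continue
        low, high = (int(n) for n in opts["range"].split("-"))
        # idmap ranges of different domains must not overlap
        for other, olow, ohigh in seen:
            if low <= ohigh and olow <= high:
                findings.append(f"{dom}: range overlaps {other}")
        seen.append((dom, low, high))
    return findings
```
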

Brian C. Huffman

Sep 25, 2014, 1:40:02 PM
On 09/25/2014 01:20 PM, Rowland Penny wrote:
> On 25/09/14 17:58, Brian C. Huffman wrote:
>> [global]
>> netbios name = samba02
>> workgroup = ETI
>> realm = XMEN.ETI
>> security = ads
>> idmap config * : range = 16777216-33554431
>> template homedir = /home/%U
>> template shell = /bin/bash
>> winbind use default domain = true
>> winbind offline logon = false
>> winbind enum users = yes
>> winbind enum groups = yes
>> encrypt passwords = yes
>>
>
> Hi, with the above, samba has nowhere to map the users to, if you
> don't want to use the 'ad' backend, then you need to use the rid backend:
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config ETI:backend = rid
> idmap config ETI:range = 500-40000
>
> Changing the numbers to match your requirements.
I don't plan to add any local linux accounts to this server. With the
exception of possibly the root user (which Marc implied should be mapped
to something), I don't know that I need a mapping as long as the
permissions can be modified and utilized from a windows desktop.

How should the root user be mapped to something (say Administrator)? I
don't see UID 0 mentioned in that range.

>>
>> I'll admit I'm not too sure about the idmap config. I'm looking for
>> the simplest configuration that will work. The wiki for setting up
>> member server suggests some different idmap config options, but it
>> references schema mode rfc2307 and I don't think I have that.
>>
>
> If you are using samba4 as the AD DC, then you do have rfc2307, but
> you will need to give your users a uidNumber and your groups a
> gidNumber. Information about this is available on the samba wiki and
> elsewhere on the internet.

Ah. Ok. I guess this would be useful if I start running winbind on
other linux machines where users login. Right now I don't have the
uidNumber configured for my users.

Marc Muehlfeld

Sep 25, 2014, 2:00:03 PM
On 25.09.2014 at 19:29, Brian C. Huffman wrote:
>> Hi, with the above, samba has nowhere to map the users to, if you
>> don't want to use the 'ad' backend, then you need to use the rid backend:
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70001-80000
>> idmap config ETI:backend = rid
>> idmap config ETI:range = 500-40000
>>
>> Changing the numbers to match your requirements.
>
> I don't plan to add any local linux accounts to this server.

Samba Domain Members have, like Windows, some built-in accounts/groups,
which require the mappings. E. g.
BUILTIN\Print Operators
BUILTIN\Account Operators
BUILTIN\Backup Operators
BUILTIN\Server Operators
BUILTIN\Administrators
etc.




> With the exception of possibly the root user (which Marc implied
> should be mapped to something), I don't know that I need a mapping as
> long as the permissions can be modified and utilized from a windows
> desktop.

You don't need to map Administrator to root. If you granted
SeDiskOperatorPrivilege to your Administrator account or a group it
belongs to, it should be enough to edit the permissions. But some do
that mapping, and the more information about your configuration we have,
the easier it would be to find out what's wrong. :-)

But if you have a 'username map' entry, you have to add and enable the
account with smbpasswd -a/-e.




> I'll admit I'm not too sure about the idmap config. I'm looking for
> the simplest configuration that will work. The wiki for setting up
> member server suggests some different idmap config options, but it
> references schema mode rfc2307 and I don't think I have that.

It's still on my to-do list, to write the documentation for the
different Idmap backends. But in the meantime, have a look at the
manpage of 'idmap_rid'. The usage is like for the rfc2307 backend.


Regards,
Marc

Rowland Penny

Sep 25, 2014, 2:10:02 PM
And just how are you going to get the local system to modify the
permissions if it doesn't know who the users/groups are ???

>
> How should the root user be mapped to something (say Administrator)?
> I don't see UID 0 mentioned in that range.
>

You need to create a file, i.e. /etc/samba/smbusers containing this line:

!root = EXAMPLE\Administrator Administrator administrator

then add this line to the global section of smb.conf:

username map = /etc/samba/smbusers

then restart the samba daemons

Rowland
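
An added example, not part of the original thread or of Samba: a parser for the username map format used above that lists every client name the file turns into a given Unix account, so a root mapping can be reviewed. The sample file is constructed; only its first mapping line comes from the message above, and the function names are assumptions.

```python
import re

# Constructed sample map file; the first entry is the line given in the reply above.
SAMPLE_MAP = r'''
# constructed sample for this example
!root = EXAMPLE\Administrator Administrator administrator
; the next two lines are hypothetical additions
backup = "Backup Svc" @operators
root = *
'''

# A client name is either double-quoted (may contain spaces) or a bare word.
TOKEN = re.compile(r'"([^"]+)"|(\S+)')

def parse_username_map(text):
    """Yield (unix_name, stop_on_match, [client names]) for each mapping line."""
    for raw in text.splitlines():
        line = raw.strip()
        # Lines starting with '#' or ';' are comments in a username map file.
        if not line or line[0] in "#;" or "=" not in line:
            continue
        left, right = line.split("=", 1)
        # A leading '!' means: stop processing the file if this line matched.
        stop = left.startswith("!")
        unix = left.lstrip("!").strip()
        names = [quoted or bare for quoted, bare in TOKEN.findall(right)]
        yield unix, stop, names

def names_mapped_to(text, unix_account="root"):
    """Return (client_name, kind) for every name mapped to unix_account."""
    findings = []
    for unix, _stop, names in parse_username_map(text):
        if unix != unix_account:
            continue
        for name in names:
            if name == "*":
                kind = "wildcard"   # matches any client name
            elif name.startswith("@"):
                kind = "group"      # matches members of a Unix group
            else:
                kind = "user"
            findings.append((name, kind))
    return findings
```
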

Davor Vusir

Oct 5, 2014, 4:00:03 PM
What happens if one logs on with 'admini...@example.com'?