Good-day Folks,
So, I'm fairly new to OMV and I'm really loving my first deployment of it to support a small network for my church. I'm having a small problem with permissions and I'd like to solicit the community's help. I've already read through about half of the threads in this section of the forum, but none seem to address my issue particularly. Thus, in the interest of time, I decided to post a new thread. Please forgive me if this may have already been asked and answered, and kindly point me to it.
My Environment:
- Two Domain Controllers (Windows Server 2022)
- OMV Version 6.0.46-5 (Shaitan) running Linux 5.19.17-1-pve kernel
- Users & Groups coming from Active Directory
- ZFS Filesystem (using the openmediavault-zfs plugin, Version 6.0.12)
- Windows 10 Pro Clients (version 22H2, Build 19045.2251)
My Goals:
1. A Single Shared Folder (exposed to "Domain Users" with Read-Only and "Domain Admins" with Read-Write permissions)
2. Use Group Policy to map a network drive which points to the single shared folder from #1 for all "Domain Users"
3. "Domain Admins" should have the ability to create sub-folders from a Windows Client and manage the permissions from there
Thus far, I have been successful in implementing #1 and #2. However, #3 is eluding me with mixed results. While I am able to log into a domain controller (as a Domain Admin) and see the network drive successfully mapped, and I'm able to create subfolders, I am not able to change the permissions on those subfolders. I'm being hit with the following error whenever I try:
My environment is primarily comprised of Windows 10 clients, so I do not foresee any need for any of my users or admins, for that matter, to ever have a need to access the share from the CLI of the OMV Server or from another Linux host. The likelihood is low, but possible and I'll cross that bridge when I get there. But for now, my focus is to make sure that a Domain Admin can create subfolders and manage the permissions from their Windows Client.
Am I asking OMV to do something it is not designed to do? Or is there something I'm missing?
Update (as of 0700 on 11/23/2022):
Here's what I've done since the original posting of my question.
I came upon this article in the Samba Wiki, which mentioned that in order to be able to manage share permissions from a Windows host, the user account being used to do this must possess the SeDiskOperatorPrivilege privilege. So I followed the guide to grant my Domain Admins group this privilege, as well as adding the acl_xattr:ignore system acls = yes parameter to the share settings via the OMV Web UI. I have rebooted the OMV Server to confirm that Samba is reloaded, but I'm still facing the access denied message when attempting to manage permissions from a Windows client.
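Added example, not part of the original post or of OMV/Samba code: a small check that flags shares setting an `acl_xattr:` option such as the `acl_xattr:ignore system acls = yes` parameter mentioned above without the `acl_xattr` module in their effective `vfs objects`. It assumes that the option belongs to Samba's `vfs_acl_xattr` module and only takes effect where that module is loaded; the share names, paths and sample configuration are constructed.

```python
# Constructed sample in smb.conf syntax; not taken from the poster's server.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ads

[shared]
    path = /srv/example/shared
    read only = no
    acl_xattr:ignore system acls = yes

[projects]
    path = /srv/example/projects
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = yes
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse runs of whitespace.
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def shares_with_inert_acl_option(sections):
    """Shares that set an acl_xattr:* option without loading the module."""
    global_params = sections.get("global", {})
    flagged = []
    for name, params in sections.items():
        if name == "global":
            continue
        # A share-level setting overrides the [global] value of the same name.
        effective = {**global_params, **params}
        modules = effective.get("vfs objects", "").replace(",", " ").split()
        uses_option = any(k.startswith("acl_xattr:") for k in effective)
        if uses_option and "acl_xattr" not in modules:
            flagged.append(name)
    return flagged
```

Feeding it the text printed by `testparm -s` checks the configuration Samba actually loaded rather than the file as edited.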