[Samba] Setting up a Share Using Windows ACLs
Henry
henry at incred.com.au
Sun Apr 23 22:59:54 UTC 2017
On 2017-04-24 01:44, Rowland Penny wrote:
> On Sun, 23 Apr 2017 20:53:39 +1000
> Henry via samba <samba at lists.samba.org> wrote:
>
>> root at aphrodite:~# getfacl -d /srv/samba/data/Testing
>> getfacl: Removing leading '/' from absolute path names
>> # file: srv/samba/data/Testing
>> # owner: root
>> # group: domain\040admins
>>
>> However in Windows I am still unable to edit the "Security"
>> permissions tab.
>> "You do not have permission to view or edit this object's permission
>> settings"
>>
>> I am really at a loss here as I am unable to get a Samba share
>> working with Windows ACLs. Surely it cannot be this complex so what
>> am I missing. All I want is a Samba share that I can control the
>> permissions using Windows...
>>
>
> OK, sorry to be so long, but it turned out that I had a problem myself
> and I had to fix it (amongst other things).
>
> Right, if I run this:
>
> ls -lad /srv/samba/Demo/
>
> I get this:
>
> drwxrwx---+ 3 root unix admins 4096 Apr 11 11:49 /srv/samba/Demo/
>
> Note: I use 'Unix Admins' instead of 'Domain Admins', but it amounts to
> the same thing.
>
> getfacl gives this:
>
> getfacl /srv/samba/Demo/
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/Demo/
> # owner: root
> # group: unix\040admins
> user::rwx
> user:root:rwx
> group::rwx
> group:domain\040users:rwx
> group:unix\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:domain\040users:rwx
> default:group:unix\040admins:rwx
> default:mask::rwx
> default:other::---
>
> and on Windows:
>
> Share permissions:
>
> Everyone Full control
> unix admins Full control
> domain users Full control
>
> Security:
>
> root Full control
> unix admins Full control
> domain users Modify, Read & execute, List folder contents, Read, Write
>
> One thing it doesn't say on the wiki page, when you grant the
> SeDiskOperatorPrivilege, you have to do it on the machine that holds
> the share.
>
> So, make sure that Domain Admins, on the machine that holds the share,
> has the SeDiskOperatorPrivilege. Set the Unix permissions as I
> suggested and then try again from 'Computer Management' on a domain
> joined Windows machine.
>
> Make sure that you log in as a user that is a member of Domain Admins.
>
> Can you also test that the underlying OS knows Domain Admins with:
>
> getent group Domain\ Admins
>
> If you do not get any output, then this is part of your problem.
>
> Rowland
Hi Rowland... one step forwards, thank you.
I think I found my mistake. In Windows I was using a domain admins
account other than administrator; however, only administrator has the
SeDiskOperatorPrivilege. When I log in to Windows as administrator it
works. Now with my "testing" share I can do everything I need to! I
have now created a new share following this procedure and it works too
:)
I have two existing shares that do not display the "Security" tab in
Windows and I have double & triple checked everything in Samba.
Does Windows/Samba cache the security settings or can I reset the
security settings for these two shares and start again from scratch?
Thanks
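
The Unix-permission part of the checks discussed in this thread can be tested mechanically. The following is an added example, not part of the original messages: it parses `getfacl` output (including the `\040` escape for spaces) and reports whether a group has `rwx` in the access and default ACLs. The function names and the case-insensitive name comparison are assumptions of this example.

```python
import re
# Output quoted in the thread (file/owner header lines trimmed).
WORKING = r"""# group: unix\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040users:rwx
default:group:unix\040admins:rwx
default:mask::rwx
default:other::---
"""
HENRY_DEFAULTS = r"""# group: domain\040admins
"""

def unescape(name):  # getfacl prints a space in a name as the octal escape \040
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name).casefold()

def parse_getfacl(text):
    acl = {"group": None, "access": {}, "default": {}}
    for line in text.splitlines():
        if line.startswith("# group:"):
            acl["group"] = unescape(line.split(":", 1)[1].strip())
        if not line.strip() or line.startswith(("#", "getfacl:")):
            continue
        scope, entry = ("default", line[8:]) if line.startswith("default:") else ("access", line)
        tag, who, perms = entry.split(":")[:3]
        acl[scope][(tag, unescape(who))] = perms[:3]  # drops a trailing "#effective" note
    return acl

def problems(acl, group, scopes=("access", "default")):
    group, found = group.casefold(), []
    for scope in scopes:
        entries = acl[scope]
        granted = [entries.get(("group", group), "---")]
        if scope == "access" and acl["group"] == group:
            granted.append(entries.get(("group", ""), "---"))  # owning-group entry
        mask = entries.get(("mask", ""), "rwx")  # mask caps group and named entries
        if not entries:
            found.append(f"no {scope} ACL entries")
        elif not any(all(p == m != "-" for p, m in zip(g, mask)) for g in granted):
            found.append(f"{group} lacks rwx in {scope} ACL")
    return found
```

Pass `scopes=("default",)` when the input comes from `getfacl -d`, which prints only default entries. The check covers the POSIX ACLs only, not SeDiskOperatorPrivilege.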