[Samba] Computer Management - Share Security - No Read Access
Rowland Penny
rpenny at samba.org
Tue Feb 19 18:58:21 UTC 2019
On Tue, 19 Feb 2019 13:26:12 -0500
Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:
>
> On 2019-02-18 11:46 am, Rowland Penny via samba wrote:
> > On Mon, 18 Feb 2019 10:58:01 -0500
> >
> > I have proven that it does work, I have pointed you at the
> > documentation.
> > This leads to one of two things:
> >
> > You cannot understand the wiki pages and if so, what can you not
> > understand ? If you can let me know, I will try to clarify it for
> > you and update the wiki.
> >
> > You are not fully following the wiki.
> >
> > As I said, it works for myself and numerous other people.
> >
> > Rowland
>
> ok. I find my eyesight is resulting in stupid typos.
> I concede that I may have done something totally stupid
> due to lack of familiarity with Linux, Windows, etc
> settings/configurations.
>
> However ......
>
> Following
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> ** Samba Extended ACL Support
> (CHECK - Expected result returned)
>
> root@machine253:/# smbd -b |grep HAVE_LIBACL
> HAVE_LIBACL
>
> ** Enable Extended ACL Support in the smb.conf file
> (CHECK - Specified lines are part of [global] section - Full
> smb.conf provided)
>
> [global]
> workgroup = INTERNAL
> security = ADS
> realm = INTERNAL.COMPANY.COM
> server string = Samba 4 Client %h
>
> winbind use default domain = yes
> winbind expand groups = 2
> winbind refresh tickets = yes
>
> ## map ids outside of domain to tdb files
> idmap config *:backend - tdb
> idmap config *:range = 2000-9999
>
> ## map ids from the domain
> idmap config INTERNAL : backend = rid
> idmap config INTERNAL : range = 10000-999999
>
> # uncomment next line to allow login
> # template shell = /bin/bash
> template homedir = /home/%U
>
> domain master = no
> local master = no
> preferred master = no
>
> # user administrator workaround
> username map = /etc/samba/user.map
Just to check, what is in the user.map ?
>
> # for ACL support on domain member
> -> vfs objects = acl_xattr
> -> map acl inherit = yes
> -> store dos attributes = yes
>
> # disable printing completely
> # Remove these lines to print
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # logging = 0
> # Change the number to raise level
> log level = 0
>
> [programs]
> path = /server/programs
> read only = no
>
> ** Granting the SeDiskOperatorPrivilege Privilege
> (CHECK - results as expected)
>
> root@machine253:/# net rpc rights list privileges
> SeDiskOperatorPrivilege -U "INTERNAL\administrator"
> Enter INTERNAL\administrator's password:
> SeDiskOperatorPrivilege:
> BUILTIN\Administrators
> INTERNAL\Domain Admins
If you run 'getent group Domain\ Admins', do you get 'Administrator'
listed as a group member e.g.
domain_admins:x:10512:administrator,rowland,.........
>
> ** Create Share & Set permissions
>
> root@sce253:/# ls -la /server
> drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs
Something seems to have happened, note the '+' sign at the end of the
Unix permissions, what does 'getfacl /server' show ?
>
> ** Login to Windows10 client with INTERNAL\administrator
> and launch Server Manager -> Computer Manager
>
> Action/Connect to another Computer -> Machine253
>
> Open System Tools/Shared Folders/Shares menu
>
> Right click properties of "programs" share
>
> Share permissions assigned to INTERNAL\programs
> (INTERNAL\Programs is a group created which includes
> users which are allowed to have access to the programs share)
>
> Security tab shows:
>
> "You must have permissions to view the properties
> of this object"
> (The 'Object' is \\Machine253\programs)
This is very strange, it should work, are the 'attr' and 'acl'
packages installed ?
Rowland
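Rowland's reply asks for the things the wiki checklist depends on; as an added example (not from the thread and not Samba's own code), here is a small Python checker for the smb.conf side of that checklist: it flags [global] lines that lack an '=' (as the posted `idmap config *:backend - tdb` line does), confirms the three ACL parameters, and requires both a backend and a range for every idmap domain mentioned. Its reading of smb.conf syntax is a simplified assumption, not Samba's parser, and the sample config is constructed from the one in the thread.

```python
import re
# [global] settings the wiki page cited in the thread requires for Windows-ACL shares.
REQUIRED_GLOBAL = {"vfs objects": "acl_xattr", "map acl inherit": "yes",
                   "store dos attributes": "yes"}

def parse_smb_conf(text):
    """Return ({section: {key: value}}, [(lineno, line) for lines lacking '=']).
    Simplified smb.conf reading (assumption): keys lower-cased, whitespace
    collapsed, spaces around ':' dropped; '#' or ';' start a comment."""
    sections, malformed, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" not in line or current is None:
            malformed.append((lineno, line))       # e.g. 'backend - tdb'
        else:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", key.strip().lower()))
            sections[current][key] = value.strip()
    return sections, malformed

def check_acl_setup(text):
    """Return the problems the thread's checklist would flag in an smb.conf."""
    sections, malformed = parse_smb_conf(text)
    problems = [f"line {n}: no '=' in '{l}'" for n, l in malformed]
    g = sections.get("global", {})
    for key, want in REQUIRED_GLOBAL.items():
        if want not in g.get(key, "").split():    # vfs objects may list several modules
            problems.append(f"[global] {key} must include '{want}'")
    idmap = re.compile(r"idmap config (.+):(backend|range)$")
    for dom in sorted({m.group(1) for k in g if (m := idmap.match(k))}):
        for part in ("backend", "range"):          # each domain needs both
            if f"idmap config {dom}:{part}" not in g:
                problems.append(f"[global] idmap config {dom}:{part} is missing")
    return problems

# Constructed sample modelled on the thread's smb.conf; line 2 keeps its '-' for '='.
SAMPLE = """\
[global]
   idmap config *:backend - tdb
   idmap config *:range = 2000-9999
   idmap config INTERNAL : backend = rid
   idmap config INTERNAL : range = 10000-999999
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
"""
```

Running `check_acl_setup(SAMPLE)` reports the malformed line and, as a consequence, that the `*` idmap domain has a range but no backend; correcting the '-' to '=' clears both findings.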