[Samba] Shares requiring "Everyone" access...
Ryan Ashley
ryana at reachtechfp.com
Mon Aug 18 08:31:14 MDT 2014
I believe I have found either a bug or something I do not understand. I
recently had a file-share issue and the resolution was to set the
"others" permissions to 5, read and execute. The problem with this is
that once I am in Windows on a workstation, this appears to allow
"Everyone", "CREATOR OWNER", and "CREATOR GROUP" access. We normally
set up our shares with the domain admins group having full access and a
global security group for the share having full access. When I remove
those three aforementioned groups in the Windows ACL UI, it removes the
permissions from the share. This means nobody can access it now.
So my question is this: How do I properly configure a share that will
only allow the domain admins and a second global security group access?
I do not want just anybody to gain access to these shares. Some shares
are for finance and if a normal user could gain access, it would allow
them to see pay-rates and such for every employee, which is not a good
thing.
Along with that question, I am still having share issues with the one
network printer in the organization and I believe it is related. Below
is all pertinent information that I can think of. The user and group
IDs are from AD (uidNumber/gidNumber) and match on both member servers.
root at ps01:~# cat /etc/samba/smb.conf
[global]
netbios name = PS01
workgroup = TRUEVINE
security = ADS
realm = TRUEVINE.LAN
encrypt passwords = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config TRUEVINE:backend = ad
idmap config TRUEVINE:schema_mode = rfc2307
idmap config TRUEVINE:range = 10000-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
domain master = no
local master = no
preferred master = no
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
auth methods = winbind
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
spoolss: architecture = Windows x64
[printers]
path = /var/spool/samba
printable = yes
printing = CUPS
use client driver = yes
guest ok = no
printable = yes
[print$]
path = /srv/samba/printer_drivers
comment = Printer drivers
writeable = yes
[Xerox7545]
path = /var/spool/samba
browseable = yes
printable = yes
printer name = Xerox_WC_7545
The guide for sharing printers was followed (not a cached copy this
time) including the things like modifying permissions to 2755 on
/srv/samba and everything below it. Now /srv is owned by root and the
root group, as is /srv/samba, but they both have 755 for permissions. No
ACLs exist at that level.
root at ps01:~# getfacl /srv/samba/printer_drivers/
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/printer_drivers/
# owner: reachfp
# group: domain\040admins
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:r-x
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:domain\040computers:r-x
default:mask::rwx
default:other::---
I even set the driver file permissions
(/srv/samba/printer_drivers/x64/3/*) to 755 as Andrew Bartlett
recommended but I still get "Access is denied" in my logs when the
workstations boot and attempt to map the machine. I am not running
iptables or SELinux on this system. I do have a Kerberos keytab as
advised by Rowland in my previous thread.
So, have I screwed up or is this an issue? I imagine I am missing
something and it may be the "Everyone" issue in my first few paragraphs,
but I am not sure.
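Added example, not part of the message above or of Samba itself: a small audit script that parses `getfacl` output of the kind pasted in this post and reports every ACL entry that grants access to a principal outside an allow-list, so that an "others" setting of 5 (which a Windows client will show as "Everyone" read/execute) is caught before the share goes live. It assumes the usual Samba mapping of the unnamed POSIX entries (access-ACL "other" to Everyone, default owner/group/other to CREATOR OWNER, CREATOR GROUP and Everyone); the `OPEN_SHARE` listing, the `finance` group and the function names are constructed for the example. The script only reads text, it never touches the filesystem.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    default: bool    # True for "default:" (inheritable) entries
    tag: str         # user, group, other or mask
    qualifier: str   # empty for the owner, owning-group, other and mask entries
    perms: str       # three characters such as "r-x"

# How Samba shows the unnamed POSIX entries to a Windows client (assumption:
# the usual Samba POSIX-ACL mapping; the access-ACL owner and owning group
# appear under their own names, read from the "# owner:" / "# group:" lines).
WINDOWS_NAMES = {
    ("other", False): "Everyone",
    ("other", True): "Everyone",
    ("user", True): "CREATOR OWNER",
    ("group", True): "CREATOR GROUP",
}
ENTRY_RE = re.compile(r"^(default:)?(user|group|other|mask):([^:]*):([rwx-]{3})$")

def unescape(name):
    return name.replace("\\040", " ")   # getfacl writes a space as \040

def parse_getfacl(text):
    """Return (owner, group, [AclEntry, ...]) parsed from one getfacl listing."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            group = unescape(line.split(":", 1)[1].strip())
        elif not line or line.startswith(("#", "getfacl:")):
            continue
        else:
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError("unrecognised getfacl line: %r" % line)
            default, tag, qualifier, perms = m.groups()
            entries.append(AclEntry(bool(default), tag, unescape(qualifier), perms))
    return owner, group, entries

def effective_perms(entry, mask):
    """Apply the POSIX ACL mask, which limits named users, named groups and the
    owning group but not the owner, "other" or the mask entry itself."""
    exempt = entry.tag in ("other", "mask") or (entry.tag == "user" and not entry.qualifier)
    if mask is None or exempt:
        return entry.perms
    return "".join(p if p != "-" and m != "-" else "-" for p, m in zip(entry.perms, mask))

def audit(text, allowed):
    """List (windows_name, effective_perms, inheritable) for every entry that
    grants any access to a principal outside the `allowed` set."""
    owner, group, entries = parse_getfacl(text)
    masks = {e.default: e.perms for e in entries if e.tag == "mask"}
    findings = []
    for e in entries:
        if e.tag == "mask":
            continue
        perms = effective_perms(e, masks.get(e.default))
        if perms == "---":
            continue
        if e.qualifier:
            name = e.qualifier
        elif (e.tag, e.default) in WINDOWS_NAMES:
            name = WINDOWS_NAMES[(e.tag, e.default)]
        else:
            name = owner if e.tag == "user" else group
        if name not in allowed:
            findings.append((name, perms, e.default))
    return findings

# Constructed sample: a share whose "others" bits were set to 5 (r-x), which a
# Windows client shows as an "Everyone" read/execute entry.
OPEN_SHARE = r"""# file: srv/samba/finance
# owner: root
# group: domain\040admins
user::rwx
group::rwx
group:finance:rwx
mask::rwx
other::r-x
"""

if __name__ == "__main__":
    for name, perms, inheritable in audit(OPEN_SHARE, {"root", "domain admins", "finance"}):
        print("%s has %s%s" % (name, perms, " (inheritable)" if inheritable else ""))
```

Run against the `printer_drivers` listing in this message with an allow-list of `reachfp` and `domain admins`, it reports the `domain users` and `domain computers` entries and the inheritable `CREATOR OWNER` entry but nothing for Everyone, because `other::---` grants nothing; the fix for a share that must stay private is therefore to keep "other" at `---` and grant the second security group through a named `group:` entry rather than through the "others" bits.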