[Samba] Shares requiring "Everyone" access...

Ryan Ashley ryana at reachtechfp.com
Mon Aug 18 08:45:57 MDT 2014


Sorry, I scrolled too high in my buffer and pasted the wrong ACL list for 
the share. The correct one is below.

root at ps01:~# getfacl /srv/samba/printer_drivers/
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/printer_drivers/
# owner: reachfp
# group: domain\040admins
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:r-x
group:domain\040computers:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:reachfp:rwx
default:group::r-x
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:domain\040computers:r-x
default:mask::rwx
default:other::r-x

I did remove "CREATOR OWNER" and "CREATOR GROUP", but I left "Everyone" 
with read and execute, but I still get "Access is denied".

On 08/18/2014 10:31 AM, Ryan Ashley wrote:
> I believe I have found either a bug or something I do not understand. 
> I recently had a file-share issue and the resolution was to set the 
> "others" permissions to 5, read and execute. The problem with this is 
> that once I am in Windows on a workstation, this appears to allow 
> "Everyone", "CREATOR OWNER", and "CREATOR GROUP" access. We normally 
> set up our shares with the domain admins group having full access and a 
> global security group for the share having full access. When I remove 
> those three aforementioned groups in the Windows ACL UI, it removes 
> the permissions from the share. This means nobody can access it now.
>
> So my question is this: How do I properly configure a share that will 
> only allow the domain admins and a second global security group 
> access? I do not want just anybody to gain access to these shares. 
> Some shares are for finance and if a normal user could gain access, it 
> would allow them to see pay-rates and such for every employee, which 
> is not a good thing.
>
> Along with that question, I am still having share issues with the one 
> network printer in the organization and I believe it is related. Below 
> is all pertinent information that I can think of. The user and group 
> IDs are from AD (uidNumber/gidNumber) and match on both member servers.
>
> root at ps01:~# cat /etc/samba/smb.conf
> [global]
>   netbios name = PS01
>   workgroup = TRUEVINE
>   security = ADS
>   realm = TRUEVINE.LAN
>   encrypt passwords = yes
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>
>   idmap config *:backend = tdb
>   idmap config *:range = 70001-80000
>   idmap config TRUEVINE:backend = ad
>   idmap config TRUEVINE:schema_mode = rfc2307
>   idmap config TRUEVINE:range = 10000-40000
>
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users  = yes
>   winbind enum groups = yes
>   winbind refresh tickets = yes
>
>   domain master = no
>   local master = no
>   preferred master = no
>
>   vfs objects = acl_xattr
>   map acl inherit = yes
>   store dos attributes = yes
>   auth methods = winbind
>   rpc_server:spoolss = external
>   rpc_daemon:spoolssd = fork
>   spoolss: architecture = Windows x64
>
> [printers]
>   path = /var/spool/samba
>   printable = yes
>   printing = CUPS
>   use client driver = yes
>   guest ok = no
>   printable = yes
>
> [print$]
>   path = /srv/samba/printer_drivers
>   comment = Printer drivers
>   writeable = yes
>
> [Xerox7545]
>   path = /var/spool/samba
>   browseable = yes
>   printable = yes
>   printer name = Xerox_WC_7545
>
> The guide for sharing printers was followed (not a cached copy this 
> time) including the things like modifying permissions to 2755 on 
> /srv/samba and everything below it. Now /srv is owned by root and the 
> root group, as is /srv/samba, but they both have 755 for permissions. 
> No ACLs exist at that level.
>
> root at ps01:~# getfacl /srv/samba/printer_drivers/
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/printer_drivers/
> # owner: reachfp
> # group: domain\040admins
> # flags: ss-
> user::rwx
> user:reachfp:rwx
> group::rwx
> group:domain\040admins:rwx
> group:domain\040users:r-x
> group:domain\040computers:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:reachfp:rwx
> default:group::---
> default:group:domain\040admins:rwx
> default:group:domain\040users:r-x
> default:group:domain\040computers:r-x
> default:mask::rwx
> default:other::---
>
> I even set the driver file permissions 
> (/srv/samba/printer_drivers/x64/3/*) to 755 as Andrew Bartlett 
> recommended but I still get "Access is denied" in my logs when the 
> workstations boot and attempt to map the machine. I am not running 
> iptables or SELinux on this system. I do have a Kerberos keytab as 
> advised by Rowland in my previous thread.
>
> So, have I screwed up or is this an issue? I imagine I am missing 
> something and it may be the "Everyone" issue in my first few 
> paragraphs, but I am not sure.
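An added audit helper, not from the post or from Samba, that parses getfacl output in the format of the listings above and flags the entries that widen access beyond an allowed set of groups: an "other" entry with read (the entry the post notes Windows displays as "Everyone") and any non-allowed group whose effective permission, after the mask is applied, still includes read. The sample ACL is constructed from the listing in this thread; the "other::r-x" case is the one from the follow-up.

```python
import re
# Constructed sample in getfacl's format, modelled on the post above (other set to r-x).
SAMPLE_ACL = """\
# group: domain\\040admins
user::rwx
group::rwx
group:domain\\040admins:rwx
group:domain\\040users:r-x
mask::rwx
other::r-x
default:group:domain\\040admins:rwx
default:other::---
"""

def unescape(name):
    # getfacl writes spaces in names as octal escapes, e.g. "domain\040admins".
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return (owning_group, entries); each entry is (is_default, tag, qualifier, perms)."""
    owning_group, entries = "", []
    for line in text.splitlines():
        if line.startswith("# group: "):
            owning_group = unescape(line[len("# group: "):])
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.removeprefix("default:").split(":")
            entries.append((line.startswith("default:"), tag, unescape(qualifier), perms))
    return owning_group, entries

def effective(perms, mask):
    # Named users/groups and the owning group are limited by the mask entry.
    return "".join(p if p != "-" and p == m else "-" for p, m in zip(perms, mask))

def audit(text, allowed_groups):
    """List grants that let anyone outside allowed_groups read the directory."""
    owning_group, entries = parse_getfacl(text)
    findings = []
    for is_default in (False, True):
        sub = [e for e in entries if e[0] == is_default]
        mask = next((p for _, t, _, p in sub if t == "mask"), "rwx")  # no mask: no limit
        label = "default" if is_default else "access"
        for _, tag, qual, perms in sub:
            if tag == "other" and "r" in perms:
                findings.append(f"{label}: other::{perms} (shows as Everyone in Windows)")
            elif tag == "group":
                name = qual or owning_group  # empty qualifier means the owning group
                eff = effective(perms, mask)
                if name not in allowed_groups and "r" in eff:
                    findings.append(f"{label}: group '{name}' has {eff}")
    return findings
```

Run `audit(SAMPLE_ACL, {"domain admins"})` to see both the "Everyone" grant and the "domain users" read grant reported; an ACL with `other::---` and only the allowed groups returns an empty list.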



More information about the samba mailing list