[Samba] Shares requiring "Everyone" access...
L.P.H. van Belle
belle at bazuin.nl
Mon Aug 18 08:41:51 MDT 2014
Well, I'm thinking, you can set up as follows,
in this order.
1) /srv/samba/printer_drivers
( something like )
chmod 2775 /srv
chmod 2775 /srv/samba
chmod 2775 /srv/samba/printer_drivers
2) Set up the share from a Windows PC. Add the 2 groups to the share with full access.
( share tab ) domain admins and a second global security.
3) Set the security rights from within Windows on the shared folder.
( security tab ) domain admins and a second global security
> This means nobody can access it now.
Set "authenticated users to have read access on the share" if needed,
the security rights will stop any folder access,
and leave these alone:
"CREATOR OWNER", and "CREATOR GROUP"
Louis
>-----Original message-----
>From: ryana at reachtechfp.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>Sent: Monday 18 August 2014 16:31
>To: samba at lists.samba.org
>Subject: [Samba] Shares requiring "Everyone" access...
>
>I believe I have found either a bug or something I do not
>understand. I recently had a file-share issue and the resolution
>was to set the "others" permissions to 5, read and execute. The
>problem with this is that once I am in Windows on a workstation,
>this appears to allow "Everyone", "CREATOR OWNER", and
>"CREATOR GROUP" access. We normally set up our shares with the
>domain admins group having full access and a global security group
>for the share having full access. When I remove those three
>aforementioned groups in the Windows ACL UI, it removes the
>permissions from the share. This means nobody can access it now.
>
>So my question is this: How do I properly configure a share that will
>only allow the domain admins and a second global security group access?
>I do not want just anybody to gain access to these shares. Some shares
>are for finance and if a normal user could gain access, it would allow
>them to see pay-rates and such for every employee, which is not a good
>thing.
>
>Along with that question, I am still having share issues with the one
>network printer in the organization and I believe it is related. Below
>is all pertinent information that I can think of. The user and group
>IDs are from AD (uidNumber/gidNumber) and match on both member servers.
>
>root at ps01:~# cat /etc/samba/smb.conf
>[global]
> netbios name = PS01
> workgroup = TRUEVINE
> security = ADS
> realm = TRUEVINE.LAN
> encrypt passwords = yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config TRUEVINE:backend = ad
> idmap config TRUEVINE:schema_mode = rfc2307
> idmap config TRUEVINE:range = 10000-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
>
> domain master = no
> local master = no
> preferred master = no
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> auth methods = winbind
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
> spoolss: architecture = Windows x64
>
>[printers]
> path = /var/spool/samba
> printable = yes
> printing = CUPS
> use client driver = yes
> guest ok = no
> printable = yes
>
>[print$]
> path = /srv/samba/printer_drivers
> comment = Printer drivers
> writeable = yes
>
>[Xerox7545]
> path = /var/spool/samba
> browseable = yes
> printable = yes
> printer name = Xerox_WC_7545
>
>The guide for sharing printers was followed (not a cached copy this
>time) including the things like modifying permissions to 2755 on
>/srv/samba and everything below it. Now /srv is owned by root and the
>root group, as is /srv/samba, but they both have 755 for permissions.
>No ACLs exist at that level.
>
>root at ps01:~# getfacl /srv/samba/printer_drivers/
>getfacl: Removing leading '/' from absolute path names
># file: srv/samba/printer_drivers/
># owner: reachfp
># group: domain\040admins
># flags: ss-
>user::rwx
>user:reachfp:rwx
>group::rwx
>group:domain\040admins:rwx
>group:domain\040users:r-x
>group:domain\040computers:r-x
>mask::rwx
>other::---
>default:user::rwx
>default:user:reachfp:rwx
>default:group::---
>default:group:domain\040admins:rwx
>default:group:domain\040users:r-x
>default:group:domain\040computers:r-x
>default:mask::rwx
>default:other::---
>
>I even set the driver file permissions
>(/srv/samba/printer_drivers/x64/3/*) to 755 as Andrew Bartlett
>recommended but I still get "Access is denied" in my logs when the
>workstations boot and attempt to map the machine. I am not running
>iptables or SELinux on this system. I do have a Kerberos keytab as
>advised by Rowland in my previous thread.
>
>So, have I screwed up or is this an issue? I imagine I am missing
>something and it may be the "Everyone" issue in my first few
>paragraphs, but I am not sure.
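
An added example, not part of either message: a Python check that reads `getfacl` output in the format quoted above and lists every entry that still grants access to anyone outside an allow-list, which is the condition asked for on the finance shares. The sample ACL, the `finance` group and the function names are constructed for illustration.

```python
import re

# Constructed getfacl output for a hypothetical finance share (not from the thread).
SAMPLE = r"""# file: srv/samba/finance
# owner: root
# group: domain\040admins
user::rwx
group::rwx
group:finance:rwx
group:domain\040users:r-x
mask::r-x
other::r-x
default:group:domain\040users:r-x
default:other::---
"""

def unescape(name):
    # getfacl prints special characters in names as octal escapes (\040 is a space).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def audit(text, allowed):
    """Return (scope, principal, perms) for each entry granting access outside `allowed`."""
    owning, masks, entries = {}, {False: "rwx", True: "rwx"}, []
    for raw in text.splitlines():
        header = re.match(r"# (owner|group): (.+)", raw)
        if header:
            owning[header.group(1)] = unescape(header.group(2))
            continue
        fields = raw.split("#", 1)[0].strip().split(":")
        is_default = fields[0] == "default"
        if is_default:
            fields = fields[1:]
        if len(fields) != 3:
            continue  # blank line or other header comment
        tag, qual, perms = fields
        if tag == "mask":
            masks[is_default] = perms
        else:
            entries.append((is_default, tag, unescape(qual), perms))
    findings = []
    for is_default, tag, qual, perms in entries:
        # The mask caps named users, named groups and the owning group.
        if tag == "group" or (tag == "user" and qual):
            perms = "".join(p if m != "-" else "-" for p, m in zip(perms, masks[is_default]))
        who = "other" if tag == "other" else qual or owning.get("owner" if tag == "user" else "group", "?")
        if perms != "---" and who.lower() not in allowed:
            findings.append(("default" if is_default else "access", who, perms))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"root", "domain admins", "finance"}):
        print(finding)
```

This reads only the POSIX ACL; with `vfs objects = acl_xattr` the Windows ACL is stored separately in an extended attribute, so the Windows security tab still needs its own review.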