[Samba] Shares requiring "Everyone" access...

L.P.H. van Belle belle at bazuin.nl
Mon Aug 18 08:41:51 MDT 2014


Well, I'm thinking you can set it up as follows,

in this order:

1) /srv/samba/printer_drivers
( something like ) 

chmod 2775 /srv
chmod 2775 /srv/samba
chmod 2775 /srv/samba/printer_drivers

2) Set up the share from a Windows PC. Add the 2 groups to the share with full access
	(share tab): domain admins and a second global security group.

3) Set the security rights from within Windows on the shared folder
	(security tab): domain admins and a second global security group.

> This means nobody can access it now.
Set "Authenticated Users" to have read access on the share if needed;
the security rights will stop any folder access.


And leave alone:
 "CREATOR OWNER" and "CREATOR GROUP"


Louis


>-----Original message-----
>From: ryana at reachtechfp.com 
>[mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>Sent: Monday, 18 August 2014 16:31
>To: samba at lists.samba.org
>Subject: [Samba] Shares requiring "Everyone" access...
>
>I believe I have found either a bug or something I do not understand. I
>recently had a file-share issue and the resolution was to set the "others"
>permissions to 5, read and execute. The problem with this is that once I am
>in Windows on a workstation, this appears to allow "Everyone", "CREATOR
>OWNER", and "CREATOR GROUP" access. We normally set up our shares with the
>domain admins group having full access and a global security group for the
>share having full access. When I remove those three aforementioned groups in
>the Windows ACL UI, it removes the permissions from the share. This means
>nobody can access it now.
>
>So my question is this: how do I properly configure a share that will only
>allow the domain admins and a second global security group access? I do not
>want just anybody to gain access to these shares. Some shares are for
>finance and if a normal user could gain access, it would allow them to see
>pay rates and such for every employee, which is not a good thing.
>
>Along with that question, I am still having share issues with the one
>network printer in the organization and I believe it is related. Below is
>all pertinent information that I can think of. The user and group IDs are
>from AD (uidNumber/gidNumber) and match on both member servers.
>
>root at ps01:~# cat /etc/samba/smb.conf
>[global]
>   netbios name = PS01
>   workgroup = TRUEVINE
>   security = ADS
>   realm = TRUEVINE.LAN
>   encrypt passwords = yes
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>
>   idmap config *:backend = tdb
>   idmap config *:range = 70001-80000
>   idmap config TRUEVINE:backend = ad
>   idmap config TRUEVINE:schema_mode = rfc2307
>   idmap config TRUEVINE:range = 10000-40000
>
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users  = yes
>   winbind enum groups = yes
>   winbind refresh tickets = yes
>
>   domain master = no
>   local master = no
>   preferred master = no
>
>   vfs objects = acl_xattr
>   map acl inherit = yes
>   store dos attributes = yes
>   auth methods = winbind
>   rpc_server:spoolss = external
>   rpc_daemon:spoolssd = fork
>   spoolss: architecture = Windows x64
>
>[printers]
>   path = /var/spool/samba
>   printable = yes
>   printing = CUPS
>   use client driver = yes
>   guest ok = no
>   printable = yes
>
>[print$]
>   path = /srv/samba/printer_drivers
>   comment = Printer drivers
>   writeable = yes
>
>[Xerox7545]
>   path = /var/spool/samba
>   browseable = yes
>   printable = yes
>   printer name = Xerox_WC_7545
>
>The guide for sharing printers was followed (not a cached copy this time),
>including things like modifying permissions to 2755 on /srv/samba and
>everything below it. Now /srv is owned by root and the root group, as is
>/srv/samba, but they both have 755 for permissions. No ACLs exist at that
>level.
>
>root at ps01:~# getfacl /srv/samba/printer_drivers/
>getfacl: Removing leading '/' from absolute path names
># file: srv/samba/printer_drivers/
># owner: reachfp
># group: domain\040admins
># flags: ss-
>user::rwx
>user:reachfp:rwx
>group::rwx
>group:domain\040admins:rwx
>group:domain\040users:r-x
>group:domain\040computers:r-x
>mask::rwx
>other::---
>default:user::rwx
>default:user:reachfp:rwx
>default:group::---
>default:group:domain\040admins:rwx
>default:group:domain\040users:r-x
>default:group:domain\040computers:r-x
>default:mask::rwx
>default:other::---
>
>I even set the driver file permissions (/srv/samba/printer_drivers/x64/3/*)
>to 755 as Andrew Bartlett recommended, but I still get "Access is denied" in
>my logs when the workstations boot and attempt to map the machine. I am not
>running iptables or SELinux on this system. I do have a Kerberos keytab as
>advised by Rowland in my previous thread.
>
>So, have I screwed up or is this an issue? I imagine I am missing something
>and it may be the "Everyone" issue in my first few paragraphs, but I am not
>sure.
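Two checks that tie the thread together, written here as an added example (not code from the list, from Louis, or from the Samba project). The first parses `getfacl` text and applies POSIX ACL mask semantics, so the listing Ryan posted can be read as "who actually has access": named users, named groups and the owning group are ANDed with the mask, the owner and `other` are not, and `other` is the entry that shows up as "Everyone" in the Windows ACL editor, which is exactly what setting "others" to 5 produced. The second walks the parent directories the way Louis's step 1 does with `chmod 2775` and confirms every one of them lets the group traverse it. The sample ACL text is constructed to mirror the listing in the thread; the function names, the use of `ls -ld` column 7 for the group execute bit, and the temporary tree used for testing are all assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the mailing-list thread. Two audits for a Samba
# share directory such as /srv/samba/printer_drivers:
#   effective_access        - getfacl text on stdin -> "principal perms" with
#                             the ACL mask applied (POSIX ACL semantics).
#   chain_group_traversable - walk each directory below a base and fail if the
#                             group execute bit is missing on any of them.

# Constructed sample: mirrors the getfacl listing from the thread. Note that
# other::--- means the "Everyone" entry carries no rights at all.
SAMPLE_ACL='# file: srv/samba/printer_drivers/
# owner: reachfp
# group: domain\040admins
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:r-x
group:domain\040computers:r-x
mask::rwx
other::---'

# Reads getfacl output on stdin, prints one "label perms" line per access
# entry. Default (inherited) entries and comment lines are skipped. The owner
# and "other" are never masked; every other entry is ANDed with mask::.
effective_access() {
    awk -F: '
        /^#/ || /^$/ || /^default:/ { next }
        {
            tag = $1; name = $2; perm = $3
            if (tag == "mask") { mask = perm; next }
            n++; tags[n] = tag; names[n] = name; perms[n] = perm
        }
        END {
            for (i = 1; i <= n; i++) {
                eff = perms[i]
                unmasked = (tags[i] == "user" && names[i] == "") || tags[i] == "other"
                if (!unmasked && mask != "") {
                    eff = ""
                    for (j = 1; j <= 3; j++) {
                        c = substr(perms[i], j, 1); m = substr(mask, j, 1)
                        eff = eff ((c != "-" && m != "-") ? c : "-")
                    }
                }
                if (names[i] == "") label = (tags[i] == "user") ? "owner" : (tags[i] == "group") ? "owning-group" : tags[i]
                else label = tags[i] ":" names[i]
                print label " " eff
            }
        }'
}

# Returns 0 when the "other" entry (shown as "Everyone" in Windows) grants
# anything at all, given getfacl text in $1.
everyone_has_access() {
    printf '%s\n' "$1" | effective_access |
        awk '$1 == "other" && $2 != "---" { found = 1 } END { exit found ? 0 : 1 }'
}

# Walk each component of $2 below directory $1 and report whether the group
# can traverse it (column 7 of `ls -ld` is x or s). Louis's step 1, chmod 2775
# on /srv, /srv/samba and /srv/samba/printer_drivers, is what makes this pass.
chain_group_traversable() {
    cur="$1"; rel="$2"; failed=0
    oldifs="$IFS"; IFS='/'; set -- $rel; IFS="$oldifs"
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        gx=$(ls -ld "$cur" | cut -c7)
        case "$gx" in
            x|s) printf '%s: group can traverse\n' "$cur" ;;
            *)   printf '%s: group CANNOT traverse (mode column 7 = %s)\n' "$cur" "$gx"; failed=1 ;;
        esac
    done
    return $failed
}

# Usage on a real server (not run here): sh share_audit.sh /srv/samba/printer_drivers
if [ $# -gt 0 ]; then
    getfacl "$1" | effective_access
    chain_group_traversable / "${1#/}"
fi
```

Running the parser over the thread's listing shows why Ryan's share looked closed: `other` is `---`, so "Everyone" has nothing, while domain users and domain computers keep `r-x` only because the mask is `rwx`; tighten the mask to `r-x` and even domain admins drop to read-only, while the owner stays `rwx`. The chain walk catches the other failure mode in the thread, a parent directory that the group cannot pass through, regardless of how generous the ACL on the final directory is.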