[Samba] Shares requiring "Everyone" access...
Ryan Ashley
ryana at reachtechfp.com
Mon Aug 18 08:58:02 MDT 2014
I believe you found my issue then. I NEVER leave "CREATOR OWNER" or
"CREATOR GROUP" on a share under any circumstances. The reason is
simple. I want the share owner to be the owner of everything, and same
with the group. If files start being owned by a bunch of different users
and (assuming here) their default groups, I get a mess. Windows has no
issue without these two groups. How can I replicate this behavior in Samba?
On 08/18/2014 10:41 AM, L.P.H. van Belle wrote:
> Well, I'm thinking you can set up as follows.
>
> in this order..
>
> 1) /srv/samba/printer_drivers
> ( something like )
>
> chmod 2775 /srv
> chmod 2775 /srv/samba
> chmod 2775 /srv/samba/printer_drivers
>
> 2) setup the share from windows pc. add the 2 groups to the share with full access.
> ( share tab ) domain admins and a second global security.
>
>
> 3) set the security rights from within windows on the shared folder.
> ( security tab) domain admins and a second global security
>
>> This means nobody can access it now.
> set "authenticated users to have read access on the share" if needed,
> the security rights will stop any folder access
>
>
> and leave alone:
> "CREATOR OWNER", and "CREATOR GROUP"
>
>
> Louis
>
>
>> -----Original message-----
>> From: ryana at reachtechfp.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>> Sent: Monday, 18 August 2014 16:31
>> To: samba at lists.samba.org
>> Subject: [Samba] Shares requiring "Everyone" access...
>>
>> I believe I have found either a bug or something I do not understand. I
>> recently had a file-share issue and the resolution was to set the
>> "others" permissions to 5, read and execute. The problem with this is
>> that once I am in Windows on a workstation, this appears to allow
>> "Everyone", "CREATOR OWNER", and "CREATOR GROUP" access. We normally
>> set up our shares with the domain admins group having full access and a
>> global security group for the share having full access. When I remove
>> those three aforementioned groups in the Windows ACL UI, it removes the
>> permissions from the share. This means nobody can access it now.
>>
>> So my question is this: How do I properly configure a share that will
>> only allow the domain admins and a second global security group access?
>> I do not want just anybody to gain access to these shares. Some shares
>> are for finance and if a normal user could gain access, it would allow
>> them to see pay-rates and such for every employee, which is not a good
>> thing.
>>
>> Along with that question, I am still having share issues with the one
>> network printer in the organization and I believe it is related. Below
>> is all pertinent information that I can think of. The user and group
>> IDs are from AD (uidNumber/gidNumber) and match on both member servers.
>>
>> root at ps01:~# cat /etc/samba/smb.conf
>> [global]
>> netbios name = PS01
>> workgroup = TRUEVINE
>> security = ADS
>> realm = TRUEVINE.LAN
>> encrypt passwords = yes
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70001-80000
>> idmap config TRUEVINE:backend = ad
>> idmap config TRUEVINE:schema_mode = rfc2307
>> idmap config TRUEVINE:range = 10000-40000
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = yes
>>
>> domain master = no
>> local master = no
>> preferred master = no
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>> auth methods = winbind
>> rpc_server:spoolss = external
>> rpc_daemon:spoolssd = fork
>> spoolss: architecture = Windows x64
>>
>> [printers]
>> path = /var/spool/samba
>> printable = yes
>> printing = CUPS
>> use client driver = yes
>> guest ok = no
>> printable = yes
>>
>> [print$]
>> path = /srv/samba/printer_drivers
>> comment = Printer drivers
>> writeable = yes
>>
>> [Xerox7545]
>> path = /var/spool/samba
>> browseable = yes
>> printable = yes
>> printer name = Xerox_WC_7545
>>
>> The guide for sharing printers was followed (not a cached copy this
>> time) including the things like modifying permissions to 2755 on
>> /srv/samba and everything below it. Now /srv is owned by root and the
>> root group, as is /srv/samba, but they both have 755 for permissions.
>> No ACLs exist at that level.
>>
>> root at ps01:~# getfacl /srv/samba/printer_drivers/
>> getfacl: Removing leading '/' from absolute path names
>> # file: srv/samba/printer_drivers/
>> # owner: reachfp
>> # group: domain\040admins
>> # flags: ss-
>> user::rwx
>> user:reachfp:rwx
>> group::rwx
>> group:domain\040admins:rwx
>> group:domain\040users:r-x
>> group:domain\040computers:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:reachfp:rwx
>> default:group::---
>> default:group:domain\040admins:rwx
>> default:group:domain\040users:r-x
>> default:group:domain\040computers:r-x
>> default:mask::rwx
>> default:other::---
>>
>> I even set the driver file permissions
>> (/srv/samba/printer_drivers/x64/3/*) to 755 as Andrew Bartlett
>> recommended but I still get "Access is denied" in my logs when the
>> workstations boot and attempt to map the machine. I am not running
>> iptables or SELinux on this system. I do have a Kerberos keytab as
>> advised by Rowland in my previous thread.
>>
>> So, have I screwed up or is this an issue? I imagine I am missing
>> something and it may be the "Everyone" issue in my first few paragraphs,
>> but I am not sure.
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
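The thread turns on one point: setting the "others" bits to 5 on the share root is what made Windows show "Everyone" (plus CREATOR OWNER / CREATOR GROUP) in the ACL editor, and the getfacl listing above is the state the poster ended up with. The following is an added example, not code from the thread or from the Samba project, that parses getfacl output and reports the settings that widen access beyond the named groups: a non-empty "other" entry, a missing default ACL, a missing setgid bit, or a mask that silently reduces a named entry. The first sample is the ACL posted in the thread; the second is a constructed variant with "others" set to r-x. All function and field names are my own.

```python
"""Parse getfacl output and audit it for settings that widen access on a
Samba share root (added example, not code from the thread or from Samba)."""
import re
from dataclasses import dataclass, field

# Sample 1: the getfacl output posted in the thread. getfacl writes spaces in
# names as octal escapes (\040); a raw string keeps them as literal text.
THREAD_ACL = r"""
# file: srv/samba/printer_drivers/
# owner: reachfp
# group: domain\040admins
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:r-x
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:domain\040computers:r-x
default:mask::rwx
default:other::---
"""

# Sample 2 (constructed): the same directory after "others" was set to 5 (r-x),
# the workaround that showed up as "Everyone" in the Windows ACL editor.
WORLD_READ_ACL = THREAD_ACL.replace("\nother::---", "\nother::r-x", 1)


@dataclass
class AclEntry:
    default: bool      # True for a default: entry (inherited by new children)
    tag: str           # user, group, mask or other
    qualifier: str     # name; empty for the owner, owning group, mask and other
    perms: str         # three characters from rwx-


@dataclass
class Acl:
    path: str = ""
    owner: str = ""
    group: str = ""
    flags: str = "---"  # setuid, setgid, sticky as printed by getfacl
    entries: list = field(default_factory=list)


def unescape(name):
    """Turn getfacl's \\NNN octal escapes back into characters."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Parse one getfacl listing into an Acl (header comments plus entries)."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):   # blanks and stderr noise
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            key, value = key.strip(), unescape(value.strip())
            if key == "file":
                acl.path = value
            elif key in ("owner", "group", "flags"):
                setattr(acl, key, value)
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        perms = perms.split("#")[0].strip()   # drop any "#effective:" annotation
        acl.entries.append(AclEntry(default, tag, unescape(qualifier), perms))
    return acl


def apply_mask(perms, mask):
    """A bit survives only where the mask also has it."""
    return "".join(p if p != "-" and m != "-" else "-" for p, m in zip(perms, mask))


def effective(acl, default=False):
    """{(tag, qualifier): perms} for the access or default ACL, with the mask
    applied to the entries POSIX masks: owning group, named users, named groups."""
    entries = [e for e in acl.entries if e.default == default]
    mask = next((e.perms for e in entries if e.tag == "mask"), None)
    result = {}
    for e in entries:
        perms = e.perms
        if mask and (e.tag == "group" or (e.tag == "user" and e.qualifier)):
            perms = apply_mask(perms, mask)
        result[(e.tag, e.qualifier)] = perms
    return result


def audit(acl):
    """Findings that widen access beyond the named groups, or hide a reduction."""
    findings = []
    access, defaults = effective(acl, False), effective(acl, True)
    if access.get(("other", ""), "---") != "---":
        findings.append("'other' grants %s on %s: Windows shows this as Everyone"
                        % (access[("other", "")], acl.path))
    if defaults.get(("other", ""), "---") != "---":
        findings.append("default 'other' is not ---: new children are world-accessible")
    if not defaults:
        findings.append("no default ACL: named groups are not inherited by new children")
    if acl.flags[1:2] != "s":
        findings.append("setgid not set: new children will not inherit the group")
    for e in acl.entries:   # report entries the mask quietly trims
        eff = (defaults if e.default else access)[(e.tag, e.qualifier)]
        if eff != e.perms:
            findings.append("mask reduces %s:%s from %s to %s" % (e.tag, e.qualifier, e.perms, eff))
    return findings


if __name__ == "__main__":
    for label, text in (("thread", THREAD_ACL), ("others=5", WORLD_READ_ACL)):
        print(label, audit(parse_getfacl(text)) or ["no findings"])
```

Run against a real share with `getfacl /srv/samba/printer_drivers | python3 audit_acl.py` style piping by reading stdin instead of the embedded samples; the parser already tolerates the "Removing leading '/'" line getfacl prints on stderr if it is captured together with stdout.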