[Samba] Shares requiring "Everyone" access...

Ryan Ashley ryana at reachtechfp.com
Mon Aug 18 08:58:02 MDT 2014


I believe you found my issue then. I NEVER leave "CREATOR OWNER" or
"CREATOR GROUP" on a share under any circumstances. The reason is
simple: I want the share owner to be the owner of everything, and the same
with the group. If files start being owned by a bunch of different users
and (assuming here) their default groups, I get a mess. Windows has no
issue without these two groups. How can I replicate this behavior in Samba?

On 08/18/2014 10:41 AM, L.P.H. van Belle wrote:
> Well, I'm thinking you can set it up as follows.
>
> In this order:
>
> 1) /srv/samba/printer_drivers
> ( something like )
>
> chmod 2775 /srv
> chmod 2775 /srv/samba
> chmod 2775 /srv/samba/printer_drivers
>
> 2) Set up the share from a Windows PC. Add the two groups to the share with full access.
> 	( Share tab ) domain admins and a second global security group.
>
>
> 3) Set the security rights from within Windows on the shared folder.
> 	( Security tab ) domain admins and a second global security group.
>
>> This means nobody can access it now.
> Set "authenticated users" to have read access on the share if needed;
> the security rights will stop any folder access.
>
>
> And leave alone:
>   "CREATOR OWNER" and "CREATOR GROUP"
>
>
> Louis
>
>
>> -----Original message-----
>> From: ryana at reachtechfp.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>> Sent: Monday, 18 August 2014 16:31
>> To: samba at lists.samba.org
>> Subject: [Samba] Shares requiring "Everyone" access...
>>
>> I believe I have found either a bug or something I do not understand. I
>> recently had a file-share issue and the resolution was to set the
>> "others" permissions to 5, read and execute. The problem with this is
>> that once I am in Windows on a workstation, this appears to allow
>> "Everyone", "CREATOR OWNER", and "CREATOR GROUP" access. We normally
>> set up our shares with the domain admins group having full access and a
>> global security group for the share having full access. When I remove
>> those three aforementioned groups in the Windows ACL UI, it removes the
>> permissions from the share. This means nobody can access it now.
>>
>> So my question is this: How do I properly configure a share that will
>> only allow the domain admins and a second global security group access?
>> I do not want just anybody to gain access to these shares. Some shares
>> are for finance and if a normal user could gain access, it would allow
>> them to see pay-rates and such for every employee, which is not a good
>> thing.
>>
>> Along with that question, I am still having share issues with the one
>> network printer in the organization and I believe it is related. Below
>> is all pertinent information that I can think of. The user and group
>> IDs are from AD (uidNumber/gidNumber) and match on both member servers.
>>
>> root at ps01:~# cat /etc/samba/smb.conf
>> [global]
>>    netbios name = PS01
>>    workgroup = TRUEVINE
>>    security = ADS
>>    realm = TRUEVINE.LAN
>>    encrypt passwords = yes
>>    dedicated keytab file = /etc/krb5.keytab
>>    kerberos method = secrets and keytab
>>
>>    idmap config *:backend = tdb
>>    idmap config *:range = 70001-80000
>>    idmap config TRUEVINE:backend = ad
>>    idmap config TRUEVINE:schema_mode = rfc2307
>>    idmap config TRUEVINE:range = 10000-40000
>>
>>    winbind nss info = rfc2307
>>    winbind trusted domains only = no
>>    winbind use default domain = yes
>>    winbind enum users  = yes
>>    winbind enum groups = yes
>>    winbind refresh tickets = yes
>>
>>    domain master = no
>>    local master = no
>>    preferred master = no
>>
>>    vfs objects = acl_xattr
>>    map acl inherit = yes
>>    store dos attributes = yes
>>    auth methods = winbind
>>    rpc_server:spoolss = external
>>    rpc_daemon:spoolssd = fork
>>    spoolss: architecture = Windows x64
>>
>> [printers]
>>    path = /var/spool/samba
>>    printable = yes
>>    printing = CUPS
>>    use client driver = yes
>>    guest ok = no
>>
>> [print$]
>>    path = /srv/samba/printer_drivers
>>    comment = Printer drivers
>>    writeable = yes
>>
>> [Xerox7545]
>>    path = /var/spool/samba
>>    browseable = yes
>>    printable = yes
>>    printer name = Xerox_WC_7545
>>
>> The guide for sharing printers was followed (not a cached copy this
>> time) including the things like modifying permissions to 2755 on
>> /srv/samba and everything below it. Now /srv is owned by root and the
>> root group, as is /srv/samba, but they both have 755 for permissions. No
>> ACLs exist at that level.
>>
>> root at ps01:~# getfacl /srv/samba/printer_drivers/
>> getfacl: Removing leading '/' from absolute path names
>> # file: srv/samba/printer_drivers/
>> # owner: reachfp
>> # group: domain\040admins
>> # flags: ss-
>> user::rwx
>> user:reachfp:rwx
>> group::rwx
>> group:domain\040admins:rwx
>> group:domain\040users:r-x
>> group:domain\040computers:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:reachfp:rwx
>> default:group::---
>> default:group:domain\040admins:rwx
>> default:group:domain\040users:r-x
>> default:group:domain\040computers:r-x
>> default:mask::rwx
>> default:other::---
>>
>> I even set the driver file permissions
>> (/srv/samba/printer_drivers/x64/3/*) to 755 as Andrew Bartlett
>> recommended but I still get "Access is denied" in my logs when the
>> workstations boot and attempt to map the machine. I am not running
>> iptables or SELinux on this system. I do have a Kerberos keytab as
>> advised by Rowland in my previous thread.
>>
>> So, have I screwed up or is this an issue? I imagine I am missing
>> something and it may be the "Everyone" issue in my first few paragraphs,
>> but I am not sure.

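The thread turns on how Samba's POSIX-ACL mapping surfaces on-disk entries in the Windows Security tab: the `other::` entry is shown as "Everyone", a directory's `default:user::` entry as "CREATOR OWNER" and its `default:group::` entry as "CREATOR GROUP", which is why setting "others" to 5 made those three principals appear, and why a `chmod 2775` (other = r-x) will do the same. The script below is an added example, not code from the thread's participants or from the Samba project. It audits a `getfacl` dump of a share root for exactly those entries and for any named group outside an allow-list, applying the mask the way the kernel does; the sample input is the `print$` ACL as posted above, and the share group name "finance" and the `lock_share_root` recipe are assumptions for illustration (the recipe mirrors the poster's stated preference that the default owner/group entries carry no permissions, and is not run by the tests).

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# audit_facl: read getfacl(1) output for a share root on stdin and report the
# POSIX ACL entries that Samba's POSIX-ACL mapping presents to Windows as
#   other::            -> Everyone
#   default:user::     -> CREATOR OWNER
#   default:group::    -> CREATOR GROUP
# plus any named group outside the comma-separated allow-list in $1.
# Named entries are reduced by the mask, as the kernel does, so a listed-or-not
# group that is masked down to --- is not reported.
# Exit status: 0 = clean, 1 = findings printed (one per line).
audit_facl() {
    awk -v allowed="$1" '
    function effective(p, m,    i, out, c) {   # perms AND mask, per rwx position
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1)
            out = out ((c != "-" && substr(m, i, 1) != "-") ? c : "-")
        }
        return out
    }
    BEGIN {
        n = split(allowed, list, ",")
        for (i = 1; i <= n; i++) ok[list[i]] = 1
        mask["access"] = "rwx"; mask["default"] = "rwx"   # no mask line => no masking
        count = 0
    }
    /^#/ || /^[[:space:]]*$/ { next }                     # "# file:", "# owner:", blanks
    {
        line = $0
        sub(/[[:space:]]*#effective:.*$/, "", line)       # drop getfacl "#effective:" notes
        scope = "access"
        if (line ~ /^default:/) { scope = "default"; sub(/^default:/, "", line) }
        split(line, f, ":")                               # f[1]=tag f[2]=qualifier f[3]=perms
        gsub(/\\040/, " ", f[2])                          # getfacl escapes spaces as \040
        if (f[1] == "mask") { mask[scope] = f[3]; next }
        count++
        S[count] = scope; T[count] = f[1]; Q[count] = f[2]; P[count] = f[3]
    }
    END {
        bad = 0
        for (i = 1; i <= count; i++) {
            s = S[i]; t = T[i]; q = Q[i]; p = P[i]
            if (t == "other" && p != "---") {
                print "EVERYONE: " s " other::" p; bad++
            } else if (s == "default" && t == "user" && q == "" && p != "---") {
                print "CREATOR OWNER: default:user::" p; bad++
            } else if (s == "default" && t == "group" && q == "" && p != "---") {
                print "CREATOR GROUP: default:group::" p; bad++
            } else if (t == "group" && q != "" && !(q in ok)) {
                e = effective(p, mask[s])
                if (e != "---") { print "UNLISTED GROUP: " s " group:" q ":" p " (effective " e ")"; bad++ }
            }
        }
        exit (bad > 0)
    }'
}

# Constructed sample: the print$ ACL as posted in the thread (spaces appear
# as \040, exactly as getfacl prints them).
sample_getfacl() {
    cat <<'EOF'
# file: srv/samba/printer_drivers/
# owner: reachfp
# group: domain\040admins
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:r-x
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:domain\040computers:r-x
default:mask::rwx
default:other::---
EOF
}

# Assumed recipe for a new share root (needs root, an ACL-enabled filesystem and
# winbind-resolvable group names; not run by the tests): owner and the two groups
# get rwx, other and the default owner/group entries stay ---, setgid keeps the
# share group on everything created below.
lock_share_root() {
    dir="$1"; grp="$2"
    chgrp "domain admins" "$dir" && chmod 2770 "$dir" && setfacl -b "$dir" &&
    setfacl -m "g:domain admins:rwx,g:$grp:rwx,o::---" "$dir" &&
    setfacl -m "d:u::---,d:g::---,d:g:domain admins:rwx,d:g:$grp:rwx,d:o::---" "$dir"
}

# Assumed target: only "domain admins" and one hypothetical share group "finance".
sample_getfacl | audit_facl "domain admins,finance" || echo "share root needs fixing"
```

On the posted ACL this reports the inheriting `default:user::rwx` (CREATOR OWNER) and the read/execute entries for "domain users" and "domain computers" in both the access and the default ACL, which is where the non-admin access Ryan is worried about comes from on the POSIX side. One caveat: with `vfs objects = acl_xattr` a Windows-set ACL is stored in an extended attribute and is what the Security tab shows when present, so compare this on-disk view with `smbcacls` against the share before concluding the two agree.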