[Samba] Shares requiring "Everyone" access...

Ryan Ashley ryana at reachtechfp.com
Mon Aug 18 09:14:56 MDT 2014


I left all of the permissions at default after setting 2775 on 
"printer_drivers" and everything below it and normal users can get into 
it with read permissions as expected. However, when my workstations 
reboot they still cannot access it for some odd reason. The global 
security group "Domain Computers" has read and execute permissions on 
the files and folders, but this is logged at each boot.

The computer '<ip address removed>' preference item in the 'Default 
Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy 
object did not apply because it failed with error code '0x80070005 
Access is denied.' This error was suppressed.

So despite the permissions, I am getting an access denied error somehow.

On 08/18/2014 10:58 AM, Ryan Ashley wrote:
> I believe you found my issue then. I NEVER leave "CREATOR OWNER" or 
> "CREATOR GROUP" on a share under any circumstances. The reason is 
> simple. I want the share owner to be the owner of everything, and same 
> with the group. If files start being owned by a bunch of different 
> users and (assuming here) their default groups, I get a mess. Windows 
> has no issue without these two groups. How can I replicate this 
> behavior in Samba?
>
> On 08/18/2014 10:41 AM, L.P.H. van Belle wrote:
>> Well, I'm thinking you can set it up as follows.
>>
>> in this order..
>>
>> 1) /srv/samba/printer_drivers
>> ( something like )
>>
>> chmod 2775 /srv
>> chmod 2775 /srv/samba
>> chmod 2775 /srv/samba/printer_drivers
>>
>> 2) set up the share from the Windows PC. Add the 2 groups to the share
>> with full access.
>>     ( share tab ) domain admins and a second global security.
>>
>>
>> 3) set the security rights from within Windows on the shared folder.
>>     ( security tab) domain admins and a second global security
>>
>>> This means nobody can access it now.
>> set "authenticated users" to have read access on the share if needed;
>> the security rights will stop any folder access
>>
>>
>> and leave alone:
>>   "CREATOR OWNER", and "CREATOR GROUP"
>>
>>
>> Louis
>>
>>
>>> -----Original message-----
>>> From: ryana at reachtechfp.com
>>> [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>>> Sent: Monday 18 August 2014 16:31
>>> To: samba at lists.samba.org
>>> Subject: [Samba] Shares requiring "Everyone" access...
>>>
>>> I believe I have found either a bug or something I do not understand. I
>>> recently had a file-share issue and the resolution was to set the
>>> "others" permissions to 5, read and execute. The problem with this is
>>> that once I am in Windows on a workstation, this appears to allow
>>> "Everyone", "CREATOR OWNER", and "CREATOR GROUP" access. We normally
>>> set up our shares with the domain admins group having full access and a
>>> global security group for the share having full access. When I remove
>>> those three aforementioned groups in the Windows ACL UI, it removes the
>>> permissions from the share. This means nobody can access it now.
>>>
>>> So my question is this: How do I properly configure a share that will
>>> only allow the domain admins and a second global security group access?
>>> I do not want just anybody to gain access to these shares. Some shares
>>> are for finance and if a normal user could gain access, it would allow
>>> them to see pay-rates and such for every employee, which is not a good
>>> thing.
>>>
>>> Along with that question, I am still having share issues with the one
>>> network printer in the organization and I believe it is related. Below
>>> is all pertinent information that I can think of. The user and group
>>> IDs are from AD (uidNumber/gidNumber) and match on both member servers.
>>>
>>> root at ps01:~# cat /etc/samba/smb.conf
>>> [global]
>>>    netbios name = PS01
>>>    workgroup = TRUEVINE
>>>    security = ADS
>>>    realm = TRUEVINE.LAN
>>>    encrypt passwords = yes
>>>    dedicated keytab file = /etc/krb5.keytab
>>>    kerberos method = secrets and keytab
>>>
>>>    idmap config *:backend = tdb
>>>    idmap config *:range = 70001-80000
>>>    idmap config TRUEVINE:backend = ad
>>>    idmap config TRUEVINE:schema_mode = rfc2307
>>>    idmap config TRUEVINE:range = 10000-40000
>>>
>>>    winbind nss info = rfc2307
>>>    winbind trusted domains only = no
>>>    winbind use default domain = yes
>>>    winbind enum users  = yes
>>>    winbind enum groups = yes
>>>    winbind refresh tickets = yes
>>>
>>>    domain master = no
>>>    local master = no
>>>    preferred master = no
>>>
>>>    vfs objects = acl_xattr
>>>    map acl inherit = yes
>>>    store dos attributes = yes
>>>    auth methods = winbind
>>>    rpc_server:spoolss = external
>>>    rpc_daemon:spoolssd = fork
>>>    spoolss: architecture = Windows x64
>>>
>>> [printers]
>>>    path = /var/spool/samba
>>>    printable = yes
>>>    printing = CUPS
>>>    use client driver = yes
>>>    guest ok = no
>>>    printable = yes
>>>
>>> [print$]
>>>    path = /srv/samba/printer_drivers
>>>    comment = Printer drivers
>>>    writeable = yes
>>>
>>> [Xerox7545]
>>>    path = /var/spool/samba
>>>    browseable = yes
>>>    printable = yes
>>>    printer name = Xerox_WC_7545
>>>
>>> The guide for sharing printers was followed (not a cached copy this
>>> time) including the things like modifying permissions to 2755 on
>>> /srv/samba and everything below it. Now /srv is owned by root and the
>>> root group, as is /srv/samba, but they both have 755 for permissions.
>>> No ACLs exist at that level.
>>>
>>> root at ps01:~# getfacl /srv/samba/printer_drivers/
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: srv/samba/printer_drivers/
>>> # owner: reachfp
>>> # group: domain\040admins
>>> # flags: ss-
>>> user::rwx
>>> user:reachfp:rwx
>>> group::rwx
>>> group:domain\040admins:rwx
>>> group:domain\040users:r-x
>>> group:domain\040computers:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:reachfp:rwx
>>> default:group::---
>>> default:group:domain\040admins:rwx
>>> default:group:domain\040users:r-x
>>> default:group:domain\040computers:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>> I even set the driver file permissions
>>> (/srv/samba/printer_drivers/x64/3/*) to 755 as Andrew Bartlett
>>> recommended but I still get "Access is denied" in my logs when the
>>> workstations boot and attempt to map the machine. I am not running
>>> iptables or SELinux on this system. I do have a Kerberos keytab as
>>> advised by Rowland in my previous thread.
>>>
>>> So, have I screwed up or is this an issue? I imagine I am missing
>>> something and it may be the "Everyone" issue in my first few paragraphs,
>>> but I am not sure.
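The thread turns on how a POSIX ACL like the getfacl listing quoted above is evaluated and what Windows then displays as "Everyone". As an added example that is not part of the thread, this parses that listing and applies the acl(5) access-check order (owner, named user, owning and named groups limited by the mask, then other): a principal the server resolves into "domain computers" is granted r-x, while one that matches no listed user or group is judged only by other::---, the entry Windows shows as "Everyone".

```python
# Access ACL as getfacl printed it in the thread (file/flags header and
# default: lines trimmed); getfacl escapes the space in group names as \040.
GETFACL_OUTPUT = """\
# owner: reachfp
# group: domain\\040admins
user::rwx
user:reachfp:rwx
group::rwx
group:domain\\040admins:rwx
group:domain\\040users:r-x
group:domain\\040computers:r-x
mask::rwx
other::---
"""

def _perms(text):                      # "r-x" -> {"r", "x"}
    return {c for c in text if c in "rwx"}

def parse_getfacl(text):
    acl = {"named_user": {}, "named_group": {}, "mask": None}
    for line in text.splitlines():
        if line.startswith("# "):      # "# owner: name" / "# group: name"
            key, _, val = line[2:].partition(": ")
            acl[key + "_name"] = val.replace("\\040", " ")
        elif line and not line.startswith("default:"):  # default: only shapes new children
            tag, qual, perm = line.split("#")[0].strip().split(":")
            qual = qual.replace("\\040", " ")
            if tag == "user" and qual:
                acl["named_user"][qual] = _perms(perm)
            elif tag == "group" and qual:
                acl["named_group"][qual] = _perms(perm)
            else:                      # user::, group::, mask::, other::
                acl[tag] = _perms(perm)
    return acl

def check_access(acl, user, groups, requested):
    """acl(5) order: owner, named user, owning/named groups, then other."""
    want, groups = _perms(requested), set(groups)
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if user == acl["owner_name"]:
        return want <= acl["user"]                 # owner entry is never masked
    if user in acl["named_user"]:
        return want <= acl["named_user"][user] & mask
    matches = [acl["group"]] if acl["group_name"] in groups else []
    matches += [p for g, p in acl["named_group"].items() if g in groups]
    if matches:  # a single matching group entry must cover every requested bit
        return any(want <= p & mask for p in matches)
    return want <= acl["other"]                    # what Windows shows as "Everyone"
```

check_access(parse_getfacl(GETFACL_OUTPUT), "WS01$", ["domain computers"], "r-x") returns True for a hypothetical machine account that the member server maps into domain computers, and False for the same name with an empty group list. That difference is the thing to verify with id or wbinfo on the member server before changing mode bits.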