[Samba] Shares requiring "Everyone" access...

Ryan Ashley ryana at reachtechfp.com
Mon Aug 18 09:43:35 MDT 2014


A further update. Since the printer was not being added via GPO as it 
should, I attempted to add it by hand to my remote workstation. If I try 
to add it using the Windows GUI, I get to the point where you select the 
printer (in my case, \\PS01\Xerox7545) and then it gives me error 
0x00000002. The strange thing however, is that I CAN access the driver 
share as both an admin user AND a normal domain user. Share permissions 
on "/var/spool/samba" are 1777 per the guide, and I also added "Domain 
Users", "Domain Computers", and "Domain Admins" to the list, but no dice.

On 08/18/2014 11:14 AM, Ryan Ashley wrote:
> I left all of the permissions at default after setting 2775 on 
> "printer_drivers" and everything below it and normal users can get 
> into it with read permissions as expected. However, when my 
> workstations reboot they still cannot access it for some odd reason. 
> The global security group "Domain Computers" has read and execute 
> permissions on the files and folders, but this is logged at each boot.
>
> The computer '<ip address removed>' preference item in the 'Default 
> Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy 
> object did not apply because it failed with error code '0x80070005 
> Access is denied.' This error was suppressed.
>
> So despite the permissions, I am getting an access denied error somehow.
>
> On 08/18/2014 10:58 AM, Ryan Ashley wrote:
>> I believe you found my issue then. I NEVER leave "CREATOR OWNER" or 
>> "CREATOR GROUP" on a share under any circumstances. The reason is 
>> simple. I want the share owner to be the owner of everything, and 
>> same with the group. If files start being owned by a bunch of 
>> different users and (assuming here) their default groups, I get a 
>> mess. Windows has no issue without these two groups. How can I 
>> replicate this behavior in Samba?
>>
>> On 08/18/2014 10:41 AM, L.P.H. van Belle wrote:
>>> Well, I'm thinking, you can set up as follows.
>>>
>>> in this order..
>>>
>>> 1) /srv/samba/printer_drivers
>>> ( something like )
>>>
>>> chmod 2775 /srv
>>> chmod 2775 /srv/samba
>>> chmod 2775 /srv/samba/printer_drivers
>>>
>>> 2) setup the share from windows pc. add the 2 groups to the share 
>>> with full access.
>>>     ( share tab ) domain admins and a second global security.
>>>
>>>
>>> 3) set the security rights from within windows on the shared folder.
>>>     ( security tab) domain admins and a second global security
>>>
>>>> This means nobody can access it now.
>>> set "authenticated users to have read access on the share" if needed,
>>> the security rights will stop any folder access
>>>
>>>
>>> and leave alone. :
>>>   "CREATOR OWNER", and "CREATOR GROUP"
>>>
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: ryana at reachtechfp.com
>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>>>> Sent: Monday 18 August 2014 16:31
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] Shares requiring "Everyone" access...
>>>>
>>>> I believe I have found either a bug or something I do not understand. I
>>>> recently had a file-share issue and the resolution was to set the
>>>> "others" permissions to 5, read and execute. The problem with this is
>>>> that once I am in Windows on a workstation, this appears to allow
>>>> "Everyone", "CREATOR OWNER", and "CREATOR GROUP" access. We normally
>>>> setup our shares with the domain admins group having full access and a
>>>> global security group for the share having full access. When I remove
>>>> those three aforementioned groups in the Windows ACL UI, it removes the
>>>> permissions from the share. This means nobody can access it now.
>>>>
>>>> So my question is this: How do I properly configure a share that will
>>>> only allow the domain admins and a second global security group access?
>>>> I do not want just anybody to gain access to these shares. Some shares
>>>> are for finance and if a normal user could gain access, it would allow
>>>> them to see pay-rates and such for every employee, which is not a good
>>>> thing.
>>>>
>>>> Along with that question, I am still having share issues with the one
>>>> network printer in the organization and I believe it is related. Below
>>>> is all pertinent information that I can think of. The user and group
>>>> IDs are from AD (uidNumber/gidNumber) and match on both member servers.
>>>>
>>>> root at ps01:~# cat /etc/samba/smb.conf
>>>> [global]
>>>>    netbios name = PS01
>>>>    workgroup = TRUEVINE
>>>>    security = ADS
>>>>    realm = TRUEVINE.LAN
>>>>    encrypt passwords = yes
>>>>    dedicated keytab file = /etc/krb5.keytab
>>>>    kerberos method = secrets and keytab
>>>>
>>>>    idmap config *:backend = tdb
>>>>    idmap config *:range = 70001-80000
>>>>    idmap config TRUEVINE:backend = ad
>>>>    idmap config TRUEVINE:schema_mode = rfc2307
>>>>    idmap config TRUEVINE:range = 10000-40000
>>>>
>>>>    winbind nss info = rfc2307
>>>>    winbind trusted domains only = no
>>>>    winbind use default domain = yes
>>>>    winbind enum users  = yes
>>>>    winbind enum groups = yes
>>>>    winbind refresh tickets = yes
>>>>
>>>>    domain master = no
>>>>    local master = no
>>>>    preferred master = no
>>>>
>>>>    vfs objects = acl_xattr
>>>>    map acl inherit = yes
>>>>    store dos attributes = yes
>>>>    auth methods = winbind
>>>>    rpc_server:spoolss = external
>>>>    rpc_daemon:spoolssd = fork
>>>>    spoolss: architecture = Windows x64
>>>>
>>>> [printers]
>>>>    path = /var/spool/samba
>>>>    printable = yes
>>>>    printing = CUPS
>>>>    use client driver = yes
>>>>    guest ok = no
>>>>    printable = yes
>>>>
>>>> [print$]
>>>>    path = /srv/samba/printer_drivers
>>>>    comment = Printer drivers
>>>>    writeable = yes
>>>>
>>>> [Xerox7545]
>>>>    path = /var/spool/samba
>>>>    browseable = yes
>>>>    printable = yes
>>>>    printer name = Xerox_WC_7545
>>>>
>>>> The guide for sharing printers was followed (not a cached copy this
>>>> time) including the things like modifying permissions to 2755 on
>>>> /srv/samba and everything below it. Now /srv is owned by root and the
>>>> root group, as is /srv/samba, but they both have 755 for permissions. No
>>>> ACLs exist at that level.
>>>>
>>>> root at ps01:~# getfacl /srv/samba/printer_drivers/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: srv/samba/printer_drivers/
>>>> # owner: reachfp
>>>> # group: domain\040admins
>>>> # flags: ss-
>>>> user::rwx
>>>> user:reachfp:rwx
>>>> group::rwx
>>>> group:domain\040admins:rwx
>>>> group:domain\040users:r-x
>>>> group:domain\040computers:r-x
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:reachfp:rwx
>>>> default:group::---
>>>> default:group:domain\040admins:rwx
>>>> default:group:domain\040users:r-x
>>>> default:group:domain\040computers:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> I even set the driver file permissions
>>>> (/srv/samba/printer_drivers/x64/3/*) to 755 as Andrew Bartlett
>>>> recommended but I still get "Access is denied" in my logs when the
>>>> workstations boot and attempt to map the machine. I am not running
>>>> iptables or SELinux on this system. I do have a Kerberos keytab as
>>>> advised by Rowland in my previous thread.
>>>>
>>>> So, have I screwed up or is this an issue? I imagine I am missing
>>>> something and it may be the "Everyone" issue in my first few paragraphs,
>>>> but I am not sure.
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>
>



More information about the samba mailing list
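The thread turns on how POSIX mode bits and ACLs surface in the Windows ACL editor: the "other" class shows up as "Everyone", and named-user and named-group entries (plus the owning group) are capped by the mask entry, so a group that looks like it has rwx may effectively have less. As an added example (not code from this thread or from the Samba project), the following Python script parses a getfacl listing such as the one Ryan posted for /srv/samba/printer_drivers, reports each principal's effective rights after the mask, and flags any rights granted to Everyone or silently cut by the mask. The only input embedded is the listing from the thread; the file name acl_audit.py in the usage comment is an assumption.

```python
"""Audit a getfacl(1) listing the way a Samba share admin would.  Added example,
not code from this thread or from the Samba project."""
import re

PERM_CHARS = "rwx"

# Sample input: the listing posted in the thread (getfacl writes the space in
# "domain admins" as \040, hence the raw string).
SAMPLE_PRINT_DRIVERS = r"""# file: srv/samba/printer_drivers/
# owner: reachfp
# group: domain\040admins
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:r-x
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:domain\040computers:r-x
default:mask::rwx
default:other::---
"""

def unescape(text):
    # getfacl writes special characters as three-digit octal escapes (\040 = space)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)

def perm_str(bits):
    return "".join(c if c in bits else "-" for c in PERM_CHARS)

def parse_getfacl(text):
    """Return {'file','owner','group','flags','entries'} for one getfacl listing."""
    info = {"file": None, "owner": None, "group": None, "flags": None, "entries": []}
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):                      # header, e.g. "# owner: reachfp"
            key, _, value = line[1:].strip().partition(":")
            if key in ("file", "owner", "group", "flags"):
                info[key] = unescape(value.strip())
            continue
        parts = line.split(":")
        default = parts[0] == "default"               # default entries are inherited by new children
        tag, qualifier, perms = parts[1:] if default else parts
        info["entries"].append({"default": default, "tag": tag,
                                "qualifier": unescape(qualifier),
                                "perms": set(perms) & set(PERM_CHARS)})
    return info

def masked(entry):
    # The mask caps named users, named groups and the owning group; never the owner or 'other'.
    return entry["tag"] == "group" or (entry["tag"] == "user" and entry["qualifier"] != "")

def scope(info, default):
    entries = [e for e in info["entries"] if e["default"] == default]
    mask = next((e["perms"] for e in entries if e["tag"] == "mask"), set(PERM_CHARS))
    return entries, mask

def effective_rights(info, default=False):
    """Map each principal to the rights it really gets once the mask is applied."""
    entries, mask = scope(info, default)
    rights = {}
    for e in entries:
        if e["tag"] == "mask":
            continue
        if e["tag"] == "other":
            name = "Everyone (POSIX other)"            # what the Windows ACL editor shows
        elif e["qualifier"]:
            name = f"{e['tag']} {e['qualifier']}"
        else:
            name = f"owner ({info['owner']})" if e["tag"] == "user" else f"owning group ({info['group']})"
        rights[name] = perm_str(e["perms"] & mask if masked(e) else e["perms"])
    return rights

def audit(info):
    """Flag Everyone exposure and entries whose rights the mask silently cuts."""
    findings = []
    for default in (False, True):
        label = "default ACL" if default else "access ACL"
        entries, mask = scope(info, default)
        for e in entries:
            if e["tag"] == "other" and e["perms"]:
                findings.append(f"{label}: Everyone gets {perm_str(e['perms'])} via 'other'")
            elif masked(e) and e["perms"] - mask:
                who = e["qualifier"] or f"owning group {info['group']}"
                findings.append(f"{label}: mask {perm_str(mask)} cuts {who} from "
                                f"{perm_str(e['perms'])} to {perm_str(e['perms'] & mask)}")
    return findings

if __name__ == "__main__":
    import sys
    # Usage (assumed file name): getfacl /srv/samba/printer_drivers > listing.txt; python3 acl_audit.py listing.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PRINT_DRIVERS
    info = parse_getfacl(text)
    print(info["file"], effective_rights(info), audit(info) or "no findings")
```

Run against the listing from the thread, the audit finds nothing: "other" is "---" on both the access and the default ACL, so Everyone is not granted anything, and the mask is rwx, so no group is cut. Fed a listing where "others" has been set to 5 (r-x), as in the original message, it reports the Everyone exposure; fed one with a restrictive mask, it shows which named groups lose rights, which is the kind of surprise that shows up as "Access is denied" despite apparently correct group entries.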