[Samba] Shares requiring "Everyone" access...

Ryan Ashley ryana at reachtechfp.com
Mon Aug 18 11:11:17 MDT 2014


More work and rework. I double and triple-checked permissions on both 
/var/spool/samba and /srv/samba/printer_drivers to verify they are 
correct. They are. I went into print management and reinstalled the 
driver to the server. I then went to the printer tab and selected the 
driver for that printer. Still no dice. I can use print management to 
see the ports, drivers, printers, and forms on the server just fine, but 
it will NOT install and gives that damned 0x00000002 error every time. 
Event logs are useless because I do not know where the error is. Is it a 
printer access error, driver share access error, or something I do not 
know of?

If you need the exact setup, here is my physical setup.

192.168.3.1 -> Xerox WorkCentre 7545 PCL6
192.168.0.3 -> PS01
192.168.1.1 -> Remote Workstation (Win7 Pro 64bit)

The way I have deployed these printers before is with group policy 
preferences. It has worked until now. I set the printer preference port 
to the IP of the printer and then set the server to "\\ps01\xerox7545". 
This worked for about two weeks and then stopped. I cannot make it work 
now. It has been down for about three weeks and while everybody can 
access the drivers, we are being denied access to the printer itself. I 
will also note that using the official driver for Linux does not fix 
this issue.

On 08/18/2014 11:43 AM, Ryan Ashley wrote:
> A further update. Since the printer was not being added via GPO as it 
> should, I attempted to add it by hand to my remote workstation. If I 
> try to add it using the Windows GUI, I get to the point where you 
> select the printer (in my case, \\PS01\Xerox7545) and then it gives me 
> error 0x00000002. The strange thing, however, is that I CAN access the 
> driver share as both an admin user AND a normal domain user. Share 
> permissions on "/var/spool/samba" are 1777 per the guide, and I also 
> added "Domain Users", "Domain Computers", and "Domain Admins" to the 
> list, but no dice.
>
> On 08/18/2014 11:14 AM, Ryan Ashley wrote:
>> I left all of the permissions at default after setting 2775 on 
>> "printer_drivers" and everything below it and normal users can get 
>> into it with read permissions as expected. However, when my 
>> workstations reboot they still cannot access it for some odd reason. 
>> The global security group "Domain Computers" has read and execute 
>> permissions on the files and folders, but this is logged at each boot.
>>
>> The computer '<ip address removed>' preference item in the 'Default 
>> Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy 
>> object did not apply because it failed with error code '0x80070005 
>> Access is denied.' This error was suppressed.
>>
>> So despite the permissions, I am getting an access denied error somehow.
>>
>> On 08/18/2014 10:58 AM, Ryan Ashley wrote:
>>> I believe you found my issue then. I NEVER leave "CREATOR OWNER" or 
>>> "CREATOR GROUP" on a share under any circumstances. The reason is 
>>> simple. I want the share owner to be the owner of everything, and 
>>> same with the group. If files start being owned by a bunch of 
>>> different users and (assuming here) their default groups, I get a 
>>> mess. Windows has no issue without these two groups. How can I 
>>> replicate this behavior in Samba?
>>>
>>> On 08/18/2014 10:41 AM, L.P.H. van Belle wrote:
>>>> Well, I'm thinking, you can set up as follows.
>>>>
>>>> in this order..
>>>>
>>>> 1) /srv/samba/printer_drivers
>>>> ( something like )
>>>>
>>>> chmod 2775 /srv
>>>> chmod 2775 /srv/samba
>>>> chmod 2775 /srv/samba/printer_drivers
>>>>
>>>> 2) setup the share from windows pc. add the 2 groups to the share 
>>>> with full access.
>>>>     ( share tab ) domain admins and a second global security.
>>>>
>>>>
>>>> 3) set the security rights from within windows on the shared folder.
>>>>     ( security tab) domain admins and a second global security
>>>>
>>>>> .This means nobody can access it now.
>>>> set "authenticated users to have read access on the share" if needed,
>>>> the security rights will stop any folder access
>>>>
>>>>
>>>> and leave alone. :
>>>>   "CREATOR OWNER", and "CREATOR GROUP"
>>>>
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: ryana at reachtechfp.com
>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>>>>> Sent: Monday 18 August 2014 16:31
>>>>> To: samba at lists.samba.org
>>>>> Subject: [Samba] Shares requiring "Everyone" access...
>>>>>
>>>>> I believe I have found either a bug or something I do not
>>>>> understand. I
>>>>> recently had a file-share issue and the resolution was to set the
>>>>> "others" permissions to 5, read and execute. The problem with this is
>>>>> that once I am in Windows on a workstation, this appears to allow
>>>>> "Everyone", "CREATOR OWNER", and "CREATOR GROUP" access. We normally
>>>>> setup our shares with the domain admins group having full access 
>>>>> and a
>>>>> global security group for the share having full access. When I remove
>>>>> those three aforementioned groups in the Windows ACL UI, it
>>>>> removes the
>>>>> permissions from the share. This means nobody can access it now.
>>>>>
>>>>> So my question is this: How do I properly configure a share that will
>>>>> only allow the domain admins and a second global security
>>>>> group access?
>>>>> I do not want just anybody to gain access to these shares. Some 
>>>>> shares
>>>>> are for finance and if a normal user could gain access, it would 
>>>>> allow
>>>>> them to see pay-rates and such for every employee, which is not a 
>>>>> good
>>>>> thing.
>>>>>
>>>>> Along with that question, I am still having share issues with the one
>>>>> network printer in the organization and I believe it is related. 
>>>>> Below
>>>>> is all pertinent information that I can think of. The user and group
>>>>> ID's are from AD (uidNumber/gidNumber) and match on both
>>>>> member servers.
>>>>>
>>>>> root at ps01:~# cat /etc/samba/smb.conf
>>>>> [global]
>>>>>    netbios name = PS01
>>>>>    workgroup = TRUEVINE
>>>>>    security = ADS
>>>>>    realm = TRUEVINE.LAN
>>>>>    encrypt passwords = yes
>>>>>    dedicated keytab file = /etc/krb5.keytab
>>>>>    kerberos method = secrets and keytab
>>>>>
>>>>>    idmap config *:backend = tdb
>>>>>    idmap config *:range = 70001-80000
>>>>>    idmap config TRUEVINE:backend = ad
>>>>>    idmap config TRUEVINE:schema_mode = rfc2307
>>>>>    idmap config TRUEVINE:range = 10000-40000
>>>>>
>>>>>    winbind nss info = rfc2307
>>>>>    winbind trusted domains only = no
>>>>>    winbind use default domain = yes
>>>>>    winbind enum users  = yes
>>>>>    winbind enum groups = yes
>>>>>    winbind refresh tickets = yes
>>>>>
>>>>>    domain master = no
>>>>>    local master = no
>>>>>    preferred master = no
>>>>>
>>>>>    vfs objects = acl_xattr
>>>>>    map acl inherit = yes
>>>>>    store dos attributes = yes
>>>>>    auth methods = winbind
>>>>>    rpc_server:spoolss = external
>>>>>    rpc_daemon:spoolssd = fork
>>>>>    spoolss: architecture = Windows x64
>>>>>
>>>>> [printers]
>>>>>    path = /var/spool/samba
>>>>>    printable = yes
>>>>>    printing = CUPS
>>>>>    use client driver = yes
>>>>>    guest ok = no
>>>>>    printable = yes
>>>>>
>>>>> [print$]
>>>>>    path = /srv/samba/printer_drivers
>>>>>    comment = Printer drivers
>>>>>    writeable = yes
>>>>>
>>>>> [Xerox7545]
>>>>>    path = /var/spool/samba
>>>>>    browseable = yes
>>>>>    printable = yes
>>>>>    printer name = Xerox_WC_7545
>>>>>
>>>>> The guide for sharing printers was followed (not a cached copy this
>>>>> time) including the things like modifying permissions to 2755 on
>>>>> /srv/samba and everything below it. Now /srv is owned by root and the
>>>>> root group, as is /srv/samba, but they both have 755 for
>>>>> permissions. No
>>>>> ACLs exist at that level.
>>>>>
>>>>> root at ps01:~# getfacl /srv/samba/printer_drivers/
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: srv/samba/printer_drivers/
>>>>> # owner: reachfp
>>>>> # group: domain\040admins
>>>>> # flags: ss-
>>>>> user::rwx
>>>>> user:reachfp:rwx
>>>>> group::rwx
>>>>> group:domain\040admins:rwx
>>>>> group:domain\040users:r-x
>>>>> group:domain\040computers:r-x
>>>>> mask::rwx
>>>>> other::---
>>>>> default:user::rwx
>>>>> default:user:reachfp:rwx
>>>>> default:group::---
>>>>> default:group:domain\040admins:rwx
>>>>> default:group:domain\040users:r-x
>>>>> default:group:domain\040computers:r-x
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>> I even set the driver file permissions
>>>>> (/srv/samba/printer_drivers/x64/3/*) to 755 as Andrew Bartlett
>>>>> recommended but I still get "Access is denied" in my logs when the
>>>>> workstations boot and attempt to map the machine. I am not running
>>>>> iptables or SELinux on this system. I do have a Kerberos keytab as
>>>>> advised by Rowland in my previous thread.
>>>>>
>>>>> So, have I screwed up or is this an issue? I imagine I am missing
>>>>> something and it may be the "Everyone" issue in my first few
>>>>> paragraphs,
>>>>> but I am not sure.
>>>>>
>>>>>
>>>
>>
>
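
The ACL question in this thread can be checked mechanically. The following is an added example, not part of the original messages: it applies the POSIX.1e access-check order to the getfacl output quoted above for /srv/samba/printer_drivers. The account names WS01$, alice, bob and mallory and the group "guests" are hypothetical, and the check covers only this directory's file-system ACL, not parent directories, share-level settings or the NT ACL stored by acl_xattr.

```python
# Added example: evaluate the access ACL quoted in the thread (getfacl output).
ACL_TEXT = r"""
user::rwx
user:reachfp:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:r-x
group:domain\040computers:r-x
mask::rwx
other::---
"""
OWNER, OWNING_GROUP = "reachfp", "domain admins"  # from the "# owner"/"# group" lines

def parse_acl(text):
    """Return (tag, qualifier, permission-set) for each access entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("default:"):
            continue  # comments and default (inheritance) entries do not grant access
        tag, qual, perms = line.split(":")
        entries.append((tag, qual.replace("\\040", " "), set(perms) - {"-"}))
    return entries

def allowed(entries, user, groups, want):
    """POSIX.1e order: owner, named user, matching groups (masked), then other."""
    want = set(want)
    def get(tag, qual):
        return [p for t, q, p in entries if t == tag and q == qual]
    mask = (get("mask", "") or [set("rwx")])[0]
    if user == OWNER:
        return want <= get("user", "")[0]
    if get("user", user):
        return want <= (get("user", user)[0] & mask)
    matched = [p for t, q, p in entries if t == "group"
               and (q in groups or (q == "" and OWNING_GROUP in groups))]
    if matched:
        # One matching group entry must grant everything requested.
        return any(want <= (p & mask) for p in matched)
    return want <= get("other", "")[0]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for who, grps, want in [("WS01$", {"domain computers"}, "rx"),   # hypothetical
                            ("bob", {"domain users"}, "w"),          # hypothetical
                            ("mallory", {"guests"}, "r")]:           # hypothetical
        print(who, sorted(grps), want, "->", allowed(acl, who, grps, want))
```

Under this ACL alone, a machine account in "domain computers" is granted read and execute, and an account in none of the listed groups is refused by the other::--- entry.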


