[Samba] Shares requiring "Everyone" access...

L.P.H. van Belle belle at bazuin.nl
Tue Aug 19 00:41:10 MDT 2014


Well... for your Xerox printer, that's a bad one. I'm having Xerox here also,
and Xerox is not supported in Linux. This is due to the driver design.
The Xerox drivers (I tested the global drivers) do not work.
I'm dumping my Xerox printers and I'm switching to HP.

As for your policies not working, this is just not set up correctly.
Look here at step 7; it's outlined.
http://www.alexwyn.com/computer-tips/folder-redirection-samba4-active-directory-domain-controller 
 
greetz, 

Louis

>-----Original message-----
>From: ryana at reachtechfp.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>Sent: Monday 18 August 2014 17:44
>To: samba at lists.samba.org
>Subject: Re: [Samba] Shares requiring "Everyone" access...
>
>A further update. Since the printer was not being added via GPO as it
>should, I attempted to add it by hand to my remote workstation. If I try
>to add it using the Windows GUI, I get to the point where you select the
>printer (in my case, \\PS01\Xerox7545) and then it gives me error
>0x00000002. The strange thing however, is that I CAN access the driver
>share as both an admin user AND a normal domain user. Share permissions
>on "/var/spool/samba" are 1777 per the guide, and I also added "Domain
>Users", "Domain Computers", and "Domain Admins" to the list, but no dice.
>
>On 08/18/2014 11:14 AM, Ryan Ashley wrote:
>> I left all of the permissions at default after setting 2775 on
>> "printer_drivers" and everything below it and normal users can get
>> into it with read permissions as expected. However, when my
>> workstations reboot they still cannot access it for some odd reason.
>> The global security group "Domain Computers" has read and execute
>> permissions on the files and folders, but this is logged at each boot.
>>
>> The computer '<ip address removed>' preference item in the 'Default 
>> Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy 
>> object did not apply because it failed with error code '0x80070005 
>> Access is denied.' This error was suppressed.
>>
>> So despite the permissions, I am getting an access denied error somehow.
>>
>> On 08/18/2014 10:58 AM, Ryan Ashley wrote:
>>> I believe you found my issue then. I NEVER leave "CREATOR OWNER" or 
>>> "CREATOR GROUP" on a share under any circumstances. The reason is 
>>> simple. I want the share owner to be the owner of everything, and 
>>> same with the group. If files start being owned by a bunch of 
>>> different users and (assuming here) their default groups, I get a 
>>> mess. Windows has no issue without these two groups. How can I 
>>> replicate this behavior in Samba?
>>>
>>> On 08/18/2014 10:41 AM, L.P.H. van Belle wrote:
>>>> Well, I'm thinking you can set it up as follows.
>>>>
>>>> in this order..
>>>>
>>>> 1) /srv/samba/printer_drivers
>>>> ( something like )
>>>>
>>>> chmod 2775 /srv
>>>> chmod 2775 /srv/samba
>>>> chmod 2775 /srv/samba/printer_drivers
>>>>
>>>> 2) set up the share from a Windows PC. Add the 2 groups to the share
>>>> with full access.
>>>>     ( share tab ) domain admins and a second global security.
>>>>
>>>>
>>>> 3) set the security rights from within Windows on the shared folder.
>>>>     ( security tab) domain admins and a second global security
>>>>
>>>>> This means nobody can access it now.
>>>> set "authenticated users to have read access on the share" if needed,
>>>> the security rights will stop any folder access
>>>>
>>>>
>>>> and leave alone:
>>>>   "CREATOR OWNER", and "CREATOR GROUP"
>>>>
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: ryana at reachtechfp.com
>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>>>>> Sent: Monday 18 August 2014 16:31
>>>>> To: samba at lists.samba.org
>>>>> Subject: [Samba] Shares requiring "Everyone" access...
>>>>>
>>>>> I believe I have found either a bug or something I do not understand. I
>>>>> recently had a file-share issue and the resolution was to set the
>>>>> "others" permissions to 5, read and execute. The problem with this is
>>>>> that once I am in Windows on a workstation, this appears to allow
>>>>> "Everyone", "CREATOR OWNER", and "CREATOR GROUP" access. We normally
>>>>> setup our shares with the domain admins group having full access and a
>>>>> global security group for the share having full access. When I remove
>>>>> those three aforementioned groups in the Windows ACL UI, it removes the
>>>>> permissions from the share. This means nobody can access it now.
>>>>>
>>>>> So my question is this: How do I properly configure a share that will
>>>>> only allow the domain admins and a second global security group access?
>>>>> I do not want just anybody to gain access to these shares. Some shares
>>>>> are for finance and if a normal user could gain access, it would allow
>>>>> them to see pay-rates and such for every employee, which is not a good
>>>>> thing.
>>>>>
>>>>> Along with that question, I am still having share issues with the one
>>>>> network printer in the organization and I believe it is related. Below
>>>>> is all pertinent information that I can think of. The user and group
>>>>> ID's are from AD (uidNumber/gidNumber) and match on both member servers.
>>>>>
>>>>> root@ps01:~# cat /etc/samba/smb.conf
>>>>> [global]
>>>>>    netbios name = PS01
>>>>>    workgroup = TRUEVINE
>>>>>    security = ADS
>>>>>    realm = TRUEVINE.LAN
>>>>>    encrypt passwords = yes
>>>>>    dedicated keytab file = /etc/krb5.keytab
>>>>>    kerberos method = secrets and keytab
>>>>>
>>>>>    idmap config *:backend = tdb
>>>>>    idmap config *:range = 70001-80000
>>>>>    idmap config TRUEVINE:backend = ad
>>>>>    idmap config TRUEVINE:schema_mode = rfc2307
>>>>>    idmap config TRUEVINE:range = 10000-40000
>>>>>
>>>>>    winbind nss info = rfc2307
>>>>>    winbind trusted domains only = no
>>>>>    winbind use default domain = yes
>>>>>    winbind enum users  = yes
>>>>>    winbind enum groups = yes
>>>>>    winbind refresh tickets = yes
>>>>>
>>>>>    domain master = no
>>>>>    local master = no
>>>>>    preferred master = no
>>>>>
>>>>>    vfs objects = acl_xattr
>>>>>    map acl inherit = yes
>>>>>    store dos attributes = yes
>>>>>    auth methods = winbind
>>>>>    rpc_server:spoolss = external
>>>>>    rpc_daemon:spoolssd = fork
>>>>>    spoolss: architecture = Windows x64
>>>>>
>>>>> [printers]
>>>>>    path = /var/spool/samba
>>>>>    printable = yes
>>>>>    printing = CUPS
>>>>>    use client driver = yes
>>>>>    guest ok = no
>>>>>    printable = yes
>>>>>
>>>>> [print$]
>>>>>    path = /srv/samba/printer_drivers
>>>>>    comment = Printer drivers
>>>>>    writeable = yes
>>>>>
>>>>> [Xerox7545]
>>>>>    path = /var/spool/samba
>>>>>    browseable = yes
>>>>>    printable = yes
>>>>>    printer name = Xerox_WC_7545
>>>>>
>>>>> The guide for sharing printers was followed (not a cached copy this
>>>>> time) including the things like modifying permissions to 2755 on
>>>>> /srv/samba and everything below it. Now /srv is owned by root and the
>>>>> root group, as is /srv/samba, but they both have 755 for permissions. No
>>>>> ACLs exist at that level.
>>>>>
>>>>> root@ps01:~# getfacl /srv/samba/printer_drivers/
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: srv/samba/printer_drivers/
>>>>> # owner: reachfp
>>>>> # group: domain\040admins
>>>>> # flags: ss-
>>>>> user::rwx
>>>>> user:reachfp:rwx
>>>>> group::rwx
>>>>> group:domain\040admins:rwx
>>>>> group:domain\040users:r-x
>>>>> group:domain\040computers:r-x
>>>>> mask::rwx
>>>>> other::---
>>>>> default:user::rwx
>>>>> default:user:reachfp:rwx
>>>>> default:group::---
>>>>> default:group:domain\040admins:rwx
>>>>> default:group:domain\040users:r-x
>>>>> default:group:domain\040computers:r-x
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>> I even set the driver file permissions
>>>>> (/srv/samba/printer_drivers/x64/3/*) to 755 as Andrew Bartlett
>>>>> recommended but I still get "Access is denied" in my logs when the
>>>>> workstations boot and attempt to map the machine. I am not running
>>>>> iptables or SELinux on this system. I do have a Kerberos keytab as
>>>>> advised by Rowland in my previous thread.
>>>>>
>>>>> So, have I screwed up or is this an issue? I imagine I am missing
>>>>> something and it may be the "Everyone" issue in my first few paragraphs,
>>>>> but I am not sure.
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>>>>>
>>>
>>
>
>
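
As an added example (not part of any message in this thread): a Python check that reads `getfacl` output in the format quoted above and reports every entry granting access beyond the owner and an allowlist of groups, which is the policy asked about in the original question. The sample ACL and the `finance` group are constructed, and the owning user and owning group entries are assumed to be trusted.

```python
import re

# Constructed getfacl output for a hypothetical finance share (not from the thread)
SAMPLE = r"""# file: srv/samba/finance
# group: domain\040admins
user::rwx
group::rwx
group:domain\040admins:rwx
group:finance:rwx
group:domain\040users:r-x
mask::rwx
other::r-x
default:group:domain\040users:r-x
default:mask::r--
default:other::---
"""

def parse_getfacl(text):
    """Yield (scope, kind, name, perms) for every ACL entry line."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().split(":")  # drop "# ..." comments
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        if len(parts) == 3:
            # getfacl escapes special characters in octal, e.g. "\040" is a space
            name = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), parts[1])
            yield scope, parts[0], name.lower(), parts[2]

def audit(text, allowed_groups, allowed_users=()):
    """Report entries that grant access beyond the owner and allowed principals."""
    entries = list(parse_getfacl(text))
    masks = {s: p for s, k, _, p in entries if k == "mask"}
    findings = []
    for scope, kind, name, perms in entries:
        if kind == "mask" or (kind == "user" and not name):
            continue  # the mask is not a grant; the owning user is trusted
        if kind != "other":  # the mask caps named users and all group entries
            mask = masks.get(scope, "rwx")
            perms = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
        if perms == "---":
            continue
        if kind == "other":  # Windows clients see "other" as Everyone
            findings.append(f"{scope}: other has {perms}")
        elif name and name not in (allowed_groups if kind == "group" else allowed_users):
            findings.append(f"{scope}: {kind} '{name}' has {perms}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, {"domain admins", "finance"})))
```

Findings in the `default` scope matter as much as those in the `access` scope, because new files and folders created under the share inherit them.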


