[Samba] Re: Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?

Rowland Penny rowlandpenny at googlemail.com
Fri Feb 27 13:43:58 MST 2015


On 27/02/15 20:07, Shane Robinson wrote:
> Hi Rowland,
>
> Chown to Administrator seems less flexible than Chgrp to Domain Admins on
> the face of it. You could add/remove users from the Domain Admins group,
> which allows/denies them the ability to change the permissions on the share.
> By changing the owner to Administrator, only those credentials would have
> that ability, no?
>
> What advantages do you predict with the change owner approach? What
> disadvantages do you see to the change group approach?
>
> Thank you!
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Rowland Penny
> Sent: Friday, February 27, 2015 11:51 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain Member Server (wheezy) - Unable
> to edit permissions of share without usermapping - shall I add to Wiki?
>
> On 27/02/15 19:46, Shane Robinson wrote:
>> Hello all,
>>
>> Sorry about the top-posting.
>>
>> I have added the bit about the linking (YAY!, I'm helping!).
>>
>> Now if we can clear up the ACL issue, this will be a great day!
>>
>> Summary: To edit ACLs from Windows on a Debian Member server, we need
>> to either
>> 1) map the domain admin to root OR
>> 2) give explicit permissions to Domain Admins with a chmod 0755 and
>> chgrp "MYDOM\Domain Admins"
>>
>> Which is better and why?
>>
>> Thanks everyone!
>>
>> Shane
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org]
>> On Behalf Of Rowland Penny
>> Sent: Friday, February 27, 2015 11:25 AM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Domain Member Server (wheezy) -
>> Unable to edit permissions of share without usermapping - shall I add to
>> Wiki?
>> On 27/02/15 19:09, Shane Robinson wrote:
>>> Hello again List, Marc, and Louis!
>>>
>>> I'm afraid my message from yesterday may have been TL;DR. The short
>>> version is as follows:
>>>
>>> Following the wikis for AD member server (building from source on
>>> Debian
>>> Wheezy) and Setting up shares with Windows acls did not give the
>>> expected results
>>>
>>> First, I needed to link libnss_winbind.so to
>>> /usr/lib/x86_64-linux-gnu for winbind to work. Marc - may I add this
>>> to the wiki, or is there a reason not to that I'm unaware of?
>> I think this would be a good idea, the problem is the wiki is a bit RH
>> centric, so go ahead and add something about setting the link for
>> debian, but follow the format that is already there, don't worry if it
>> isn't quite right, Marc will change it.
>>
>>> Second, setting permissions on a share did not work until I mapped
>>> the domain administrator to root. This is mentioned in the
>>> Troubleshooting member server wiki page, but only in relation to
>>> granting the SeDiskOperatorPrivilege, which was not an issue for me.
>>>     
>>> Does this mapping have any ramifications that I (or others) should be
>>> aware of?
>> No, but I don't think it has to be done this way, I am beginning to
>> think there are other ways of doing this.
>>
>> Rowland
>>
>>> The other way to allow ACL changes from windows (which I did on my
>>> now-defunct member File Servers) was something like this:
>>> "sudo chmod 0775 /srv/myshare" and
>>> "sudo chgrp 'Domain Admins' /srv/myshare"
>>> .. which as result will give full access to the members of the group
>>> "MYDOM\Domain Admins"
>>>
>>> Is one better than the other?
>>>
>>> If you'd like any further information, I'd be happy to provide it.
>>>
>>> Thank you very much for your help!
>>>
>>> PS - I included Louis in the TO line because of your unanswered email
>>> of February 16th ("Samba_Member_Server_Troubleshooting").
>>>
>>>
>>> Shane Robinson
>>> Chief Administrative Officer
>>> SimpeQ Care Inc.
>>> t. 604.988.3103 ext. 104
>>> c. 604.506.3311
>>> f. 604.988.3105
>>> Please consider the environment before printing this email.
>>>
>>>
>>> -----Original Message-----
>>> From: Shane Robinson [mailto:srobinson at simpeq.ca]
>>> Sent: Thursday, February 26, 2015 11:17 AM
>>> To: 'samba at lists.samba.org'
>>> Subject: Wheezy member Server - Unable to edit permissions of share
>>> without usermapping - shall I add to Wiki?
>>>
>>> Hello List!
>>>
>>> I have a Samba AD domain with two virtualized DCs running 4.1.15 and
>>> 4.1.17. I have had two member file servers with odd permissions
>>> problems that I've now given up on, and decided to start fresh.
>>>
>>> I have created a File server (FS3) with Debian wheezy, built samba
>>> 4.1.17 from source, with configure options of :
>>> --with-ads --with-shared-modules=idmap_ad
>>>
>>> ... and placed the attached smb.conf into /usr/local/samba/etc/ . I
>>> successfully joined it to the domain, and set up the shared
>>> directories as defined in the aforementioned smb.conf.
>>>
>>> I followed the AD Member Server setup wiki page, and getent passwd
>>> "INTERNAL\<domain user>" works, as does getent group and wbinfo. The
>>> SeDiskOperatorPrivilege was granted to the administrator without issue.
>>>
>>> The file system is ext4, mounted with user_xattr,acl,barrier=1. I
>>> have tried to follow the wiki to the letter, with one exception,
>>> linking libnss_winbind.so to /usr/lib/x86_64-linux-gnu in addition to
>>> /lib64.
>>> As the domain administrator, from a Win7 member, I was able to give
>>> Domain Admins full control in the "Share Permissions" tab (from
>>> Computer Management).
>>>
>>> Upon trying to give Domain Admins full control to the share, I get an
>>> Access Denied error (as in the screenshot attached).
>>>
>>> The log.smbd (level 8) of that interaction is also attached.
>>>
>>> The "Setup and Configure file shares with Windows ACLs" wiki page has
>>> a troubleshooting section which mentions trying:
>>>
>>> setfacl -R -m default:group:domain\ admins:rwx /srv/sites
>>>
>>> ... so I did. The result of getfacl is now:
>>>
>>> shane at FS3:/usr/local/samba$ sudo getfacl /srv/sites
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: srv/sites
>>> # owner: root
>>> # group: root
>>> user::rwx
>>> group::r-x
>>> other::r-x
>>> default:user::rwx
>>> default:group::r-x
>>> default:group:domain\040admins:rwx
>>> default:mask::rwx
>>> default:other::r-x
>>>
>>> ... but the access denied error persists.
>>>
>>> As a list subscriber for a few years, I recalled Louis van Belle
>>> publishing a samba4 wheezy member script. Within the smb.conf it
>>> defines, I find the username map option.
>>>
>>> I added the username map option to the smb.conf of FS3, and created
>>> the mapping file with:
>>>
>>> !root = "INTERNAL\Administrator" "INTERNAL\administrator"
>>>
>>> Upon trying this, I have success. (yay!)
>>>
>>>
>>>
>>> SO: The script is now relegated to an "old_set_of_scripts"
>>> repository, so I'm not sure if this is still the Right Thing to do.
>>>
>>> Are there ramifications to this mapping that need to be considered?
>>>
>>> Is this a debian-specific issue, like the libnss_winbind.so linking?
>>>
>>> Are there any reasons that I should NOT add these steps to the wiki
>>> (I have a logon already, and I'm just itching to use it)?
>>>
>>>
>>> Thank you in advance for any and all help you are able to provide!
>>>
>>>
>>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
> there is a third way, the one I am coming round to thinking is the best way,
> give Administrator a proper uidNumber and change ownership to Administrator
> not root.
>
> Rowland
>
>

The thing is (and I am no expert here by any means), I don't think that 
Windows gives a flying fig just who owns anything as long as the ACL 
contains an ACE giving who or whatever the correct access rights, so by 
making a directory owned by Administrator (with a uidNumber that isn't 
0), he could then set the correct ACLs from Windows.

Rowland
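An added example, not code from this thread or from the Samba project, that looks only at the POSIX side of Shane's problem, the layer the wiki's `setfacl` step touches. It parses the `getfacl /srv/sites` listing quoted above and reports what the `domain admins` group actually gets from it: the `-m default:group:...:rwx` entry lands only in the default ACL, which is inherited by new children, while the directory's own access ACL still reads `group::r-x` with no entry for the group at all. The second listing is constructed: what `getfacl` would print for the same directory after the `chgrp 'Domain Admins'` and `chmod 0775` approach from the thread, where the group becomes the owning group. Whether Windows then lets a non-owner rewrite the security descriptor is a separate question (Rowland's point about ownership and ACEs), which this check does not answer.

```python
"""Effective POSIX ACL rights for a group, parsed from `getfacl` output.

Added example for this list thread, not code from the Samba project.
"""
import re

# Listing quoted in the thread (shell prompt dropped, one entry per line).
GETFACL_BEFORE = """\
getfacl: Removing leading '/' from absolute path names
# file: srv/sites
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:domain\\040admins:rwx
default:mask::rwx
default:other::r-x
"""

# Constructed: the same directory after `chgrp 'domain admins'` and `chmod 0775`.
GETFACL_AFTER = """\
# file: srv/sites
# owner: root
# group: domain\\040admins
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:domain\\040admins:rwx
default:mask::rwx
default:other::r-x
"""


def _unescape(name: str) -> str:
    """getfacl writes spaces in names as octal escapes (\\040); undo that."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text: str) -> dict:
    """Split a getfacl listing into headers plus access and default entries.

    Entries are (tag, qualifier, perms) tuples, e.g. ('group', 'domain admins', 'rwx');
    the qualifier is '' for user::, group::, mask:: and other::.
    """
    acl = {"file": None, "owner": None, "group": None, "access": [], "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue  # blank lines and the 'Removing leading /' warning
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition(":")
            if key in ("file", "owner", "group"):
                acl[key] = _unescape(value.strip())
            continue  # other comment lines (e.g. '# flags:') are not needed
        line = line.split("#", 1)[0].strip()  # drop '#effective:...' annotations
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        acl[scope].append((tag, _unescape(qualifier), perms))
    return acl


def effective(entries, tag, qualifier=""):
    """Effective rwx string for one entry, or None if there is no such entry.

    POSIX.1e: named users, named groups and the owning group (group::) are
    limited by mask::; the owner (user::) and other:: are not.
    """
    perms = [p for t, q, p in entries if t == tag and q == qualifier]
    if not perms:
        return None
    perm = perms[0]
    masked = tag == "group" or (tag == "user" and qualifier != "")
    mask = next((p for t, _, p in entries if t == "mask"), None)
    if masked and mask is not None:
        perm = "".join(a if a == b else "-" for a, b in zip(perm, mask))
    return perm


def group_rights(text: str, group: str) -> dict:
    """How `group` reaches the path: as owning group (access ACL only), or via
    a named entry in the access ACL (the object itself) and in the default
    ACL (inherited by new children)."""
    acl = parse_getfacl(text)
    return {
        "owning_group": effective(acl["access"], "group") if acl["group"] == group else None,
        "named_access": effective(acl["access"], "group", group),
        "named_default": effective(acl["default"], "group", group),
    }


def can_write_here(text: str, group: str) -> bool:
    """True if members of `group` get 'w' on the object itself from this ACL."""
    r = group_rights(text, group)
    return any(p is not None and "w" in p for p in (r["owning_group"], r["named_access"]))


if __name__ == "__main__":
    for label, listing in (("before", GETFACL_BEFORE), ("after", GETFACL_AFTER)):
        print(label, group_rights(listing, "domain admins"),
              "write on /srv/sites:", can_write_here(listing, "domain admins"))
```

Run it against your own `getfacl` output (paste it in place of the listings, or read it from `subprocess.run(["getfacl", path], capture_output=True, text=True).stdout`); a group that only appears under `default:` has inherited rights on future files but none on the directory you are testing.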


