[Samba] Permission Issues with GPO
viktor at troja.ch
Thu Nov 19 10:37:05 UTC 2015
On 18.11.2015 12:24, Rowland Penny wrote:
> On 18/11/15 10:24, mourik jan c heupink wrote:
>> On 18-11-2015 10:59, Rowland Penny wrote:
>>> OK, I am trying to understand this as well, I take it that the
>>> you add is a unique number that is inside the range you have set in
>>> smb.conf, but what about the gidNumber? do you set it to '515' and is
>>> this also inside the range?
>> Yep. gidNumber 515, both inside the range yes. (range starts at 500)
>>> Who owns the share on the disk and what are the permissions, also what
>>> is the share in smb.conf.
>>> guest ok = no
>>> comment = Ninite Software Updater
>>> path = /srv/ninite
>>> read only = No
>>> writable = yes
>>> valid users = @"Domain Admins", @"Domain Computers"
>>> create mask = 0775
>>> directory mask = 0775
>> Permissions on disk:
>>> drwxrwxr-x 5 root Domain Admins 4096 Jul 8 14:10 ninite
> OK, I think I understand this, Mourik is setting this on the share:
> valid users = @"Domain Admins", @"Domain Computers"
> This means that only members of the 'Domain Admins' or 'Domain
> Computers' groups can connect to the share, whilst Louis has this
> showing in his ACLs from getfacl:
> Creator owner special. Only folders and files on underlying
> Creator group special. Only folders and files on underlying
> Verified users read+exec This folder underlying folders and files
> Domain Admins Full This folder underlying folders and files
> Domain users read+exec This folder underlying folders and files
> Domain computers read+exec This folder underlying folders and
> Which gives (amongst others) 'Domain Admins' full control and 'Domain
> Computer' read+exec permissions.
> With Mourik's way of doing things, 'Domain Computers' must be known to
> Unix, hence the required gidNumber
> Louis's way will probably rely on winbind mapping 'Domain Computers'
So I had some time today to study the whole thread once more and see if
I can finally get it to work. The good news is, yes, it works now. But I
don't yet understand what the problem initially was, and I also would
like to know if the way I got it to work is really optimal.
At first, I tried Louis' suggestion. In contrast to MJ, I did not change
my share permissions, they just contained "everybody:full control" from
the start. All I did, though, when I realized I had an issue with
access at the computer level, was add the "domain computers" group to the
Windows ACL of the Samba share. Since getent group wouldn't reveal
domain computers on the Linux station, of course (I have AD-type
ID mapping), I added a uid to the group "domain computers".
It still wouldn't work, so I tried Louis' advice and added the line
acl_xattr:ignore system acls = yes to the share but that didn't solve
the issue, either, same error messages.
But once I set a uid and gid for the PC as MJ suggested, it finally worked.
- Is it really necessary to specifically give access to "domain
computers" on a share in order to be accessed in computer mode? Would
this work in the same way in a Windows AD?
- At what level does it have to be set? Is it necessary at share level
or would folder level have been sufficient? Would this have any
influence on the outcome?
- Why did it work for Louis without setting uid/gid and I had to? After
all, my configuration is closer to Louis' than to MJ's. I didn't quite
understand Rowland's remark about winbindd doing the job for Louis.
Anyway, for now I'm just glad it works. Thank you all for participating
in the search for a solution.
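The practical point the thread converges on is that with the `ad` idmap backend, every group named in a share's `valid users` line (here `Domain Computers`) must resolve to a Unix gid that lies inside the configured idmap range, otherwise Samba cannot match the connecting computer account against the share's access list. The following script is an added example, not code from the thread or from the Samba project: it parses a constructed smb.conf fragment modelled on the quoted share and a constructed `getent group` listing, and reports which `valid users` groups are unresolvable or fall outside the idmap range. The domain name `EXAMPLE`, the upper bound of the range and the sample gids other than 515 are assumptions made up for the example.

```python
# Added example, not from the thread or the Samba project: check that each
# group in a share's "valid users" line is known to Unix and mapped into the
# idmap range, which is what the posters found "Domain Computers" needed.
import re

# Constructed smb.conf fragment modelled on the share quoted in the thread.
# Domain name EXAMPLE and the range upper bound are assumptions.
SMB_CONF = """
[global]
   workgroup = EXAMPLE
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 500-999999

[ninite]
   guest ok = no
   comment = Ninite Software Updater
   path = /srv/ninite
   read only = No
   writable = yes
   valid users = @"Domain Admins", @"Domain Computers"
   create mask = 0775
   directory mask = 0775
"""

# Constructed `getent group` output. "Domain Computers" has no gidNumber yet,
# so it does not appear at all; "Domain Guests" has one below the range.
GETENT_GROUP = """\
root:x:0:
Domain Admins:x:512:administrator
Domain Users:x:513:
Domain Guests:x:300:
"""


def parse_smb_conf(text):
    """Return {section: {key: value}} for a minimal smb.conf.

    Parameter names are lower-cased with whitespace collapsed, since Samba
    treats them case-insensitively.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def valid_user_groups(share):
    """Group names from a share's 'valid users' (entries prefixed @ or +)."""
    groups = []
    for entry in share.get("valid users", "").split(","):
        entry = entry.strip()
        if entry and entry[0] in "@+":
            groups.append(entry[1:].strip('"'))
    return groups


def parse_getent_group(text):
    """Map group name -> gid from `getent group` lines (name:x:gid:members)."""
    gids = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            gids[parts[0]] = int(parts[2])
    return gids


def idmap_range(global_section, domain):
    """Parse 'idmap config DOMAIN : range = low-high' into (low, high)."""
    value = global_section.get(f"idmap config {domain.lower()} : range")
    if value is None:
        return None
    low, high = value.split("-")
    return int(low), int(high)


def check_share(conf, share_name, getent_text):
    """Return [(group, reason)] for 'valid users' groups Unix cannot use.

    An empty list means every group resolves to a gid inside the idmap range.
    """
    share = conf[share_name]
    gids = parse_getent_group(getent_text)
    rng = idmap_range(conf["global"], conf["global"]["workgroup"])
    problems = []
    for group in valid_user_groups(share):
        gid = gids.get(group)
        if gid is None:
            problems.append((group, "not resolvable by getent: needs a gidNumber"))
        elif rng and not (rng[0] <= gid <= rng[1]):
            problems.append((group, f"gid {gid} outside idmap range {rng[0]}-{rng[1]}"))
    return problems


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for group, reason in check_share(conf, "ninite", GETENT_GROUP):
        print(f"{group}: {reason}")
```

Run as-is it flags `Domain Computers` as unresolvable; appending a `Domain Computers:x:515:` line to the listing (the gidNumber the thread settled on) makes the check pass, while a gid below 500 would be reported as outside the range, which is the other way the AD backend silently refuses to map a group.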