[Samba] Setting up a Share Using Windows ACLs
Henry
henry at incred.com.au
Sun Apr 23 10:53:39 UTC 2017
On 2017-04-23 17:19, Henry via samba wrote:
> On 2017-04-23 17:01, Rowland Penny wrote:
>> On Sun, 23 Apr 2017 14:07:44 +1000
>> Henry via samba <samba at lists.samba.org> wrote:
>>
>>> Following:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>> In windows:
>>>
>>> I can set permissions under the "Share Permissions" tab.
>>>
>>> I am unable to make ANY changes under the "Security". When I try I am
>>> presented with:
>>>
>>> "Remotely setting permissions on the folder at the root of a share
>>> removes all inherited permissions from the root folder and all
>>> subfolders. To set permissions without removing the inherited
>>> permissions, click No and either change the permissions on a child
>>> folder or make the change while logged in locally"
>>>
>>> Under "Share Permissions" I have:
>>>
>>> Domain Admins = Full Control
>>>
>>> Domain Users = Read & Change
>>>
>>> As it stands I am unable to access the share (using a Domain Admins
>>> account) however I am unable to do anything.
>>
>> As it stands, when you create the share as shown on the wiki page:
>>
>> # mkdir -p /srv/samba/Demo/
>>
>> It ends up belonging to root:root with drwxr-xr-x permissions
>>
>> Or to put it another way the 'root' user has full permissions on
>> the directory, members of the 'root' group have read and enter
>> permissions, the same goes for any other users or groups. This all
>> means that members of the Domain Admins group cannot write to the
>> directory.
>>
>> Try this:
>>
>> chown root:Domain\ Admins /srv/samba/Demo/
>> chmod 0770 /srv/samba/Demo/
>>
>> Now try to set the permissions from windows.
>>
>> If this works and I am sure it will, I will update the wiki page.
>>
>> Rowland
>
> Thanks Rowland I was wondering about this not being in the guide but
> thought best to follow it word for word. I have made the changes
> suggested:
>
> root at aphrodite:~# getfacl /srv/samba/data/Testing
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/data/Testing
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
>
> root at aphrodite:~# chown root:Domain\ Admins /srv/samba/data/Testing/
> root at aphrodite:~# chmod 0770 /srv/samba/data/Testing/
>
> root at aphrodite:~# getfacl /srv/samba/data/Testing
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/data/Testing
> # owner: root
> # group: domain\040admins
> user::rwx
> group::rwx
> other::---
>
> After this I was able to access the security tab and add "Domain
> Admins" as per the guide without any errors however after that I am
> locked out again. Looking at the unix permissions I see they have now
> changed to the following and now I can't remove "Domain Admins" to get
> it back to where I was before.
>
> root at aphrodite:~# getfacl /srv/samba/data/Testing
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/data/Testing
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> group::---
> group:domain\040admins:---
> mask::rwx
> other::---

OK, have now reset the ACLs back to where they were:

https://serverfault.com/questions/285597/setfacl-to-reset-file-to-default-permissions

root at aphrodite:~# getfacl -d /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins

However in Windows I am still unable to edit the "Security" permissions
tab.

"You do not have permission to view or edit this object's permission
settings"

I am really at a loss here as I am unable to get a Samba share working
with Windows ACLs. Surely it cannot be this complex so what am I
missing. All I want is a Samba share that I can control the permissions
using Windows...
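
Added example, not part of the original thread: a Python check that reads getfacl output like the second and third listings quoted above and reports whether a member of a given group passes the POSIX ACL group-class check. The function names are hypothetical, group names are compared case-insensitively as an assumption, and the caller is assumed to be neither the file owner nor a named user.

```python
import re

# Second and third getfacl listings from the thread, abridged to the lines the check needs.
AFTER_CHMOD = r"""# group: domain\040admins
user::rwx
group::rwx
other::---
"""
AFTER_WINDOWS_EDIT = r"""# group: domain\040admins
user::rwx
user:root:rwx
group::---
group:domain\040admins:---
mask::rwx
other::---
"""

def _name(raw):
    # getfacl prints special characters as octal escapes (\040 is a space).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), raw).casefold()

def parse_getfacl(text):
    """Return (owning_group, entries) with entries as (tag, qualifier, perms)."""
    owning_group, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# group:"):
            owning_group = _name(line.split(":", 1)[1].strip())
        if not line or line.startswith(("#", "default:")):
            continue
        tag, qualifier, perms = line.split("#")[0].split()[0].split(":")
        entries.append((tag, _name(qualifier), set(perms) - {"-"}))
    return owning_group, entries

def group_access(text, groups, want):
    """Group-class check for a caller who is neither the owner nor a named user."""
    owning_group, entries = parse_getfacl(text)
    member_of = {g.casefold() for g in groups}
    mask = next((p for t, _, p in entries if t == "mask"), None)
    matched = False
    for tag, qualifier, perms in entries:
        if tag == "group" and (qualifier or owning_group) in member_of:
            matched = True
            effective = perms if mask is None else perms & mask
            if set(want) <= effective:
                return True
    # Once a group entry matches, "other" is never consulted.
    other = next(p for t, _, p in entries if t == "other")
    return not matched and set(want) <= other
```

On the third listing the `group::---` and `group:domain\040admins:---` entries both match a Domain Admins member and grant nothing, so the check fails even though `mask::rwx` is permissive.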