[Samba] Retaining Permissions on a share

Neil nwilson123 at gmail.com
Thu Aug 17 13:44:50 UTC 2017


Hi all,

Sorry to repost about this same issue once again, but I'm really at a
complete loss as to how to solve the problem with ownership being changed
after I've set it.

I've set ownership as follows (set with chmod -R 0770 HR, as well as
chgroup -R HR-Group). I then signed into a Windows PC that was part of the
domain, went to Computer Management as per the wiki, chose "connect to
remote computer", went to the sharing on this DC and under Sharing only set
HR-Group, and then under Permissions I set HR-Group and Domain
Administrator. I even tried setting Creator Group to HR-Group, but this
doesn't show when looking through getfacl...

[root at headoffice data]# getfacl HR
# file: HR
# owner: 3000238
# group: CBL-HO\134HR-Group
user::rwx
user:root:rwx
group::rwx
group:CBL-HO\134HR-Group:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000238:rwx
default:group::rwx
default:group:CBL-HO\134HR-Group:rwx
default:mask::rwx
default:other::---

...yet when a user creates a folder inside HR they then become the owner
and the group changes to "Domain users" and therefore no one else can save
into this folder, below is an example...

data/HR/Recruitment and Selection/lisa

[root at headoffice Recruitment and Selection]# getfacl lisa
# file: lisa
# owner: CBL-HO\134lpretorius
# group: CBL-HO\134Domain\040Users
user::rwx
user:CBL-HO\134lpretorius:rwx
group::r-x
group:CBL-HO\134Domain\040Users:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:CBL-HO\134lpretorius:rwx
default:group::r-x
default:group:CBL-HO\134Domain\040Users:r-x
default:mask::rwx
default:other::r-x

Not sure if the entire email history is attached, but the share is
configured as ...

[HR]
        path = /var/lib/samba/data/data/HR
        read only = No

I've set the SeDiskOperatorPrivilege to the group HR-Group as well as my
domain administrator which is the user I signed onto to set the share
permissions.

How can I prevent users from creating folders owned by themselves and
thereby locking other group members out of the folder?

Thanks.

Regards.

Neil Wilson


On Tue, Jun 13, 2017 at 3:14 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 13 Jun 2017 15:03:49 +0200
> Neil <nwilson123 at gmail.com> wrote:
>
> > On Tue, Jun 13, 2017 at 1:17 PM, Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> > > On Tue, 13 Jun 2017 12:25:32 +0200
> > > Neil <nwilson123 at gmail.com> wrote:
> > >
> > > > Hi Rowland,
> > > >
> > > > Thank you for the reply and info.
> > > >
> > > > On Tue, Jun 13, 2017 at 11:19 AM, Rowland Penny <rpenny at samba.org>
> > > > wrote:
> > > >
> > > > > On Tue, 13 Jun 2017 09:15:40 +0200
> > > > > Neil via samba <samba at lists.samba.org> wrote:
> > > > >
> > > > >
> > > > > OK, this a DC and therefore you will have to do things
> > > > > differently from a Unix domain member.
> > > > >
> > > > > You might as well remove these lines from [global]
> > > > >
> > > > >     winbind use default domain = yes
> > > > >     vfs objects = acl_xattr
> > > > >     map acl inherit = Yes
> > > > >     store dos attributes = Yes
> > > > >
> > > > > The first doesn't work on a DC and the others are built into the
> > > > > 'samba' daemon and so could be causing problems.
> > > > >
> > > > > You should also make the [HR] share look like this:
> > > > >
> > > > > [HR]
> > > > >         path = /var/lib/samba/data/data/HR
> > > > >         read only = No
> > > > >
> > > > > Now go and read this:
> > > > >
> > > > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > > > >
> > > > > You must use Windows ACLs on a DC.
> > > > >
> > > >
> > > > Thanks I've cleaned up the smb.conf (and HR share) and had a full
> > > > read again, but I'm still not sure how this will prevent users
> > > > from becoming owner (shows using getfacl as the extended
> > > > attributes) the files if they save it or if they create a
> > > > directory.
> > > >
> > > > From what I've seen, the only difference is that, because I
> > > > initially set the permissions to 777, I didn't have to set the
> > > > SeDiskOperatorPrivilege, although I was using the user who already
> > > > had this permission.
> > >
> > > Using '777' means that you now have a wide open share.
> > >
> >
> > Yes thanks, it was just used to reset permissions initially, I'll use
> > the SeDiskOperatorPrivilege to avoid having to "loosen" the
> > permissions.
> >
> >
> > > >
> > > > One other thing is that the current HR share is 100 GB+ and
> > > > changing permissions from the Windows side takes hours, is there
> > > > a quicker way to set both the sharing permissions and the
> > > > Security permissions for group HR-group using setfacl? I've tried
> > > > setting it using setfacl but couldn't seem to get this right.
> > > >
> > > > Apologies if I've misunderstood or if I'm missing something.
> > > >
> > > > Thank you!
> > > >
> > > > Regards.
> > > >
> > > > Neil Wilson
> > > >
> > >
> > > # getfacl /srv/samba/Demo/
> > > # file: srv/samba/Demo/
> > > # owner: root
> > > # group: root
> > > user::rwx
> > > user:root:rwx
> > > group::---
> > > group:root:---
> > > group:domain\040users:rwx
> > > group:domain\040admins:rwx
> > > mask::rwx
> > > other::---
> > > default:user::rwx
> > > default:user:root:rwx
> > > default:group::---
> > > default:group:root:---
> > > default:group:domain\040users:rwx
> > > default:group:domain\040admins:rwx
> > > default:mask::rwx
> > > default:other::---
> > >
> > >
> > >
> > > This shows that the share directory is owned by root:root and the
> > > user root can do anything, but root group members cannot do
> > > anything. Extended ACLs for Domain Users and Domain Admins allow
> > > members of these groups to do anything.
> > >
> > > The settings shown on the wiki page are only examples, so you can
> > > change them if you wish. If you are going to only administer the
> > > share using the 'Administrator' user then you can leave the owner
> > > group alone, but if you want to use members of a group, you will
> > > need to 'chmod' the group ownership and then give the group the
> > > 'SeDiskOperatorPrivilege'
> > >
> >
> > Great thanks, I didn't realise that I'd need to set the group to the
> > "diskOperatorprivilege"; that makes complete sense now!
> >
> > Thank you for your help, I'll go ahead and give this a try.
> >
>
> One thing I neglected to mention, you will need to give the group the
> 'SeDiskOperatorPrivilege' on the Samba machine that holds the share.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
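The drift between the share root and the user-created "lisa" folder that the two getfacl listings above show can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from Samba: a small Python audit that parses getfacl output, decodes the \ooo octal escapes getfacl uses for backslashes and spaces, applies the POSIX ACL mask to work out effective permissions, and reports every directory where a required group lacks rwx in the access ACL or in the default ACL that new children inherit, or where "other" is let in. The function and variable names are my own, and the two embedded listings are copies of the ones quoted in the message above.

```python
import re

# Constructed samples: the two getfacl listings quoted in the message above (the share
# root and the user-created "lisa" folder). getfacl writes special characters in names
# as \ooo octal escapes: \134 is a backslash, \040 a space.
SHARE_ROOT_LISTING = r"""
# file: HR
# owner: 3000238
# group: CBL-HO\134HR-Group
user::rwx
user:root:rwx
group::rwx
group:CBL-HO\134HR-Group:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000238:rwx
default:group::rwx
default:group:CBL-HO\134HR-Group:rwx
default:mask::rwx
default:other::---
"""
SUBFOLDER_LISTING = r"""
# file: lisa
# owner: CBL-HO\134lpretorius
# group: CBL-HO\134Domain\040Users
user::rwx
user:CBL-HO\134lpretorius:rwx
group::r-x
group:CBL-HO\134Domain\040Users:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:CBL-HO\134lpretorius:rwx
default:group::r-x
default:group:CBL-HO\134Domain\040Users:r-x
default:mask::rwx
default:other::r-x
"""
FULL = frozenset("rwx")


def unescape(name):
    """Decode getfacl's \\ooo octal escapes back into the real characters."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Parse one listing into owner, owning group, and (tag, qualifier, perms) entries;
    qualifier is '' for the owner, owning-group, mask and other entries."""
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.match(r"#\s*(owner|group):\s*(.*)", line)
        if m:
            acl[m.group(1)] = unescape(m.group(2))
        elif not line.startswith("#"):
            parts = line.split(":")
            table = "default" if parts[0] == "default" else "access"
            tag, qualifier, perms = parts[1:] if table == "default" else parts
            acl[table].append((tag, unescape(qualifier), frozenset(perms) - {"-"}))
    return acl


def effective(entries, tag, qualifier=""):
    """Permissions an entry grants after the mask, which caps named users, the owning
    group and named groups but never the owner or 'other'. None if the entry is absent."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    for t, q, p in entries:
        if (t, q) == (tag, qualifier):
            unmasked = tag == "other" or (tag == "user" and qualifier == "")
            return p if unmasked or mask is None else p & mask
    return None


def audit(acl, required_group, path):
    """List where required_group lacks rwx (now, or in the default ACL new children
    inherit) and where 'other' is let in. An empty list means the directory is as intended."""
    findings = []
    for table in ("access", "default"):
        entries = acl[table]
        grants = effective(entries, "group", required_group) or frozenset()
        # The owning-group entry counts only if the owning group is the required one;
        # a future child's owning group is unknown, so it is not credited for defaults.
        if table == "access" and acl["group"] == required_group:
            grants |= effective(entries, "group") or frozenset()
        if not grants:
            findings.append(f"{path}: {table} ACL grants {required_group} nothing")
        elif grants != FULL:
            findings.append(f"{path}: {table} ACL grants {required_group} only "
                            + "".join(sorted(grants)))
        other = effective(entries, "other") or frozenset()
        if other:
            findings.append(f"{path}: {table} ACL lets everyone else " + "".join(sorted(other)))
    return findings


if __name__ == "__main__":
    for name, listing in (("HR", SHARE_ROOT_LISTING),
                          ("HR/Recruitment and Selection/lisa", SUBFOLDER_LISTING)):
        print("\n".join(audit(parse_getfacl(listing), "CBL-HO\\HR-Group", name) or [name + ": OK"]))
```

Run as-is it reports nothing for the share root and four findings for the "lisa" folder: no HR-Group entry in either the access or the default ACL, and r-x for everyone else in both. To sweep a whole tree, feed it the output of getfacl for each directory under the share (for example from `find /var/lib/samba/data/data/HR -type d -exec getfacl {} +`, splitting on the blank line getfacl prints between entries). Only a named default entry carries a group to new children; the `default:group::` entry applies to whatever owning group a new folder ends up with, which is why the audit does not credit it in the default table.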

