[Samba] Retaining Permissions on a share

Rowland Penny rpenny at samba.org
Tue Jun 13 11:17:00 UTC 2017


On Tue, 13 Jun 2017 12:25:32 +0200
Neil <nwilson123 at gmail.com> wrote:

> Hi Rowland,
> 
> Thank you for the reply and info.
> 
> On Tue, Jun 13, 2017 at 11:19 AM, Rowland Penny <rpenny at samba.org>
> wrote:
> 
> > On Tue, 13 Jun 2017 09:15:40 +0200
> > Neil via samba <samba at lists.samba.org> wrote:
> >
> >
> > OK, this is a DC and therefore you will have to do things differently
> > from a Unix domain member.
> >
> > You might as well remove these lines from [global]
> >
> >     winbind use default domain = yes
> >     vfs objects = acl_xattr
> >     map acl inherit = Yes
> >     store dos attributes = Yes
> >
> > The first doesn't work on a DC and the others are built into the
> > 'samba' daemon and so could be causing problems.
> >
> > You should also make the [HR] share look like this:
> >
> > [HR]
> >         path = /var/lib/samba/data/data/HR
> >         read only = No
> >
> > Now go and read this:
> >
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> > You must use Windows ACLs on a DC.
> >
> 
> Thanks, I've cleaned up the smb.conf (and HR share) and had a full read
> again, but I'm still not sure how this will prevent users from
> becoming owner of the files (shown using getfacl as the extended
> attributes) if they save them or if they create a directory.
> 
> From what I've seen, the only difference is that, because I set the
> permissions to 777 initially, I didn't have to set the
> SeDiskOperatorPrivilege, although I was using the user who already
> had this permission.

Using '777' means that you now have a wide open share.

> 
> One other thing is that the current HR share is 100 GB+ and changing
> permissions from the Windows side takes hours. Is there a quicker way
> to set both the sharing permissions and the Security permissions for
> group HR-group using setfacl? I've tried setting it using setfacl but
> couldn't seem to get this right.
> 
> Apologies if I've misunderstood or if I'm missing something.
> 
> Thank you!
> 
> Regards.
> 
> Neil Wilson
> 

# getfacl /srv/samba/Demo/
# file: srv/samba/Demo/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040users:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
This shows that the share directory is owned by root:root and the user
root can do anything, but root group members cannot do anything.
Extended ACLs for Domain Users and Domain Admins allow members of
these groups to do anything.

The settings shown on the wiki page are only examples, so you can
change them if you wish. If you are going to only administer the share
using the 'Administrator' user then you can leave the owner group
alone, but if you want to use members of a group, you will need to
'chmod' the group ownership and then give the group the
'SeDiskOperatorPrivilege'.

Rowland
