[Samba] Retaining Permissions on a share

L.P.H. van Belle belle at bazuin.nl
Tue Jun 13 12:42:13 UTC 2017


I'm missing from the getfacl command one or both.

CREATOR OWNER
And/or 
CREATOR GROUP

Especially "Creator Group" is very wise to set.

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 13 June 2017 13:17
> To: samba at lists.samba.org
> Subject: Re: [Samba] Retaining Permissions on a share
> 
> On Tue, 13 Jun 2017 12:25:32 +0200
> Neil <nwilson123 at gmail.com> wrote:
> 
> > Hi Rowland,
> > 
> > Thank you for the reply and info.
> > 
> > On Tue, Jun 13, 2017 at 11:19 AM, Rowland Penny <rpenny at samba.org>
> > wrote:
> > 
> > > On Tue, 13 Jun 2017 09:15:40 +0200
> > > Neil via samba <samba at lists.samba.org> wrote:
> > >
> > >
> > > OK, this is a DC and therefore you will have to do things differently
> > > from a Unix domain member.
> > >
> > > You might as well remove these lines from [global]
> > >
> > >     winbind use default domain = yes
> > >     vfs objects = acl_xattr
> > >     map acl inherit = Yes
> > >     store dos attributes = Yes
> > >
> > > The first doesn't work on a DC and the others are built into the
> > > 'samba' daemon and so could be causing problems.
> > >
> > > You should also make the [HR] share look like this:
> > >
> > > [HR]
> > >         path = /var/lib/samba/data/data/HR
> > >         read only = No
> > >
> > > Now go and read this:
> > >
> > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > >
> > > You must use Windows ACLs on a DC.
> > >
> > 
> > Thanks, I've cleaned up the smb.conf (and HR share) and had a full read
> > again, but I'm still not sure how this will prevent users from
> > becoming owner (shows using getfacl as the extended attributes) of the
> > files if they save it or if they create a directory.
> > 
> > From what I've seen the only difference I've done is, because I set
> > the permissions to 777 initially, I didn't have to set the
> > SeDiskOperatorPrivilege, although I was using the user who already had
> > this permission.
> 
> Using '777' means that you now have a wide open share.
> 
> > 
> > One other thing is that the current HR share is 100GB+ and changing
> > permissions from the Windows side takes hours. Is there a quicker way
> > to set both the sharing permissions and the Security permissions for
> > group HR-group using setfacl? I've tried setting it using setfacl but
> > couldn't seem to get this right.
> > 
> > Apologies if I've misunderstood or if I'm missing something.
> > 
> > Thank you!
> > 
> > Regards.
> > 
> > Neil Wilson
> > 
> 
> # getfacl /srv/samba/Demo/
> # file: srv/samba/Demo/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:domain\040users:rwx
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:group:domain\040users:rwx
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
> 
> 
> 
> This shows that the share directory is owned by root:root and
> the user root can do anything, but root group members cannot
> do anything.
> Extended ACLs for Domain Users and Domain Admins allow
> members of these groups to do anything.
> 
> The settings shown on the wiki page are only examples, so you 
> can change them if you wish. If you are going to only 
> administer the share using the 'Administrator' user then you 
> can leave the owner group alone, but if you want to use 
> members of a group, you will need to 'chmod' the group 
> ownership and then give the group the 'SeDiskOperatorPrivilege'
> 
> Rowland
> 




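The thread turns on reading a getfacl listing correctly: which entries are limited by mask::, whether other:: makes a directory wide open (Rowland's warning about 777), and whether a matching default ACL exists so that files and directories users create inherit the group's access instead of belonging only to their creator (Neil's symptom). The script below is an added example, not code from this thread or from the Samba project. It parses getfacl output and reports those points; the Demo listing is the one quoted above, the 777 listing is constructed for contrast, and the paths in both are sample values.

```python
# Added example (not from this thread or the Samba project): parse getfacl
# output and apply the thread's checks: is the directory wide open (777 for
# everyone), which groups really get rwx once mask:: is applied, and is there
# a matching default ACL so new files inherit group access instead of belonging
# only to their creator. Both listings are constructed for the example.
import re
from collections import namedtuple

# Constructed sample 1: the /srv/samba/Demo listing quoted in the thread.
GETFACL_DEMO = r"""
# file: srv/samba/Demo/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040users:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
"""

# Constructed sample 2: a directory that was just "chmod 777" with no ACL work.
GETFACL_777 = r"""
# file: srv/samba/HR/
# owner: root
# group: root
user::rwx
group::rwx
other::rwx
"""

# tag: user/group/mask/other; qualifier: '' for the owner or owning group, else
# a name; perms: e.g. 'rwx'; default: True for default: entries (inherited by children)
AclEntry = namedtuple("AclEntry", "tag qualifier perms default")


def parse_getfacl(text):
    """Return (header, entries) for one getfacl listing."""
    header, entries = {}, []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.startswith("#"):                   # "# owner: root"
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        default = line.startswith("default:")
        tag, qualifier, perms = (line[8:] if default else line).split(":", 2)
        # getfacl escapes spaces in names as octal, e.g. "domain\040users"
        qualifier = re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), qualifier)
        entries.append(AclEntry(tag, qualifier, perms, default))
    return header, entries


def effective_perms(entry, entries):
    """Named users, named groups and the owning group are limited by the mask::
    of the same (access or default) ACL; the owner and other:: are not."""
    if entry.tag in ("mask", "other") or (entry.tag == "user" and not entry.qualifier):
        return entry.perms
    mask = next((e.perms for e in entries if e.tag == "mask" and e.default == entry.default), "rwx")
    return "".join(p if p in mask else "-" for p in entry.perms)


def audit(text):
    """Summarise what the listing grants and whether inheritance is configured."""
    header, entries = parse_getfacl(text)
    access = [e for e in entries if not e.default]
    defaults = [e for e in entries if e.default]

    def full_access_groups(subset):
        return sorted(e.qualifier for e in subset if e.tag == "group" and e.qualifier
                      and effective_perms(e, entries) == "rwx")

    other = next((e for e in access if e.tag == "other"), None)
    owning = next((e for e in access if e.tag == "group" and not e.qualifier), None)
    access_groups, default_groups = full_access_groups(access), full_access_groups(defaults)
    return {
        "path": header.get("file", ""),
        # other::rwx lets every account on the host read, write and traverse
        "wide_open": other is not None and other.perms == "rwx",
        "owning_group_effective": effective_perms(owning, entries) if owning else "",
        "groups_with_full_access": access_groups,
        # with no default ACL, new files get only the creator's ownership and the
        # umask: the "users become owner" symptom described in the thread
        "has_default_acl": bool(defaults),
        "groups_missing_default": sorted(set(access_groups) - set(default_groups)),
    }


if __name__ == "__main__":
    for name, listing in (("Demo", GETFACL_DEMO), ("HR after chmod 777", GETFACL_777)):
        print(name, audit(listing))
```

On a real server, feed `audit()` the output of `getfacl` on the share directory. For the quoted Demo listing it reports the owning group's effective permissions as `---` and both domain groups as present in the access and default ACLs, which is Rowland's reading; for the chmod-777 directory it flags the share as wide open and notes the missing default ACL, which is why newly created files there end up usable only by their creator. How to apply such an ACL with setfacl is covered on the wiki page linked in the thread; this script only audits what is already set.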