[Samba] Retaining Permissions on a share

Neil nwilson123 at gmail.com
Tue Jun 13 13:03:49 UTC 2017


On Tue, Jun 13, 2017 at 1:17 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 13 Jun 2017 12:25:32 +0200
> Neil <nwilson123 at gmail.com> wrote:
>
> > Hi Rowland,
> >
> > Thank you for the reply and info.
> >
> > On Tue, Jun 13, 2017 at 11:19 AM, Rowland Penny <rpenny at samba.org>
> > wrote:
> >
> > > On Tue, 13 Jun 2017 09:15:40 +0200
> > > Neil via samba <samba at lists.samba.org> wrote:
> > >
> > >
> > > OK, this is a DC and therefore you will have to do things differently
> > > from a Unix domain member.
> > >
> > > You might as well remove these lines from [global]
> > >
> > >     winbind use default domain = yes
> > >     vfs objects = acl_xattr
> > >     map acl inherit = Yes
> > >     store dos attributes = Yes
> > >
> > > The first doesn't work on a DC and the others are built into the
> > > 'samba' daemon and so could be causing problems.
> > >
> > > You should also make the [HR] share look like this:
> > >
> > > [HR]
> > >         path = /var/lib/samba/data/data/HR
> > >         read only = No
> > >
> > > Now go and read this:
> > >
> > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > >
> > > You must use Windows ACLs on a DC.
> > >
> >
> > Thanks, I've cleaned up the smb.conf (and HR share) and had a full read
> > again, but I'm still not sure how this will prevent users from
> > becoming owner of the files (shown using getfacl as the extended
> > attributes) if they save them or if they create a directory.
> >
> > From what I've seen, the only difference is that because I set the
> > permissions to 777 initially, I didn't have to set the
> > SeDiskOperatorPrivilege, although I was using a user who already had
> > this permission.
>
> Using '777' means that you now have a wide open share.
>

Yes thanks, it was just used to reset permissions initially, I'll use the
SeDiskOperatorPrivilege to avoid having to "loosen" the permissions.


> >
> > One other thing is that the current HR share is 100GB+ and changing
> > permissions from the Windows side takes hours. Is there a quicker way
> > to set both the sharing permissions and the Security permissions for
> > group HR-group using setfacl? I've tried setting it using setfacl but
> > couldn't seem to get this right.
> >
> > Apologies if I've misunderstood or if I'm missing something.
> >
> > Thank you!
> >
> > Regards.
> >
> > Neil Wilson
> >
>
> # getfacl /srv/samba/Demo/
> # file: srv/samba/Demo/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:domain\040users:rwx
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:group:domain\040users:rwx
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
>
>
>
> This shows that the share directory is owned by root:root and the user
> root can do anything, but root group members cannot do anything.
> Extended ACLs for Domain Users and Domain Admins, allow members of
> these groups to do anything
>
> The settings shown on the wiki page are only examples, so you can
> change them if you wish. If you are going to only administer the share
> using the 'Administrator' user then you can leave the owner group
> alone, but if you want to use members of a group, you will need to
> 'chmod' the group ownership and then give the group the
> 'SeDiskOperatorPrivilege'
>

Great, thanks. I didn't realise that I'd need to give the group the
"SeDiskOperatorPrivilege"; that makes complete sense now!

Thank you for your help, I'll go ahead and give this a try.

Much appreciated.

Regards.

Neil Wilson.

>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


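The following is an added example, not code from the thread, the Samba wiki or the Samba project. It does two things the discussion above calls for: it checks a getfacl dump for the entries a share root needs (the group present with rwx in both the access and the default ACL, both masks open, and "other" closed, so the 777 case is caught), and it prints, without running them, the commands that give a group rwx on the share root with inheritance and grant it SeDiskOperatorPrivilege. The sample dumps are constructed, the first copied from the getfacl output quoted in the thread; the group name, share path and SAMDOM domain are placeholders. Note that on a DC this only sets the POSIX side; the share's Windows ACL is still managed from Windows as the wiki page describes.

```shell
#!/bin/sh
# Added example: ACL sanity check for a Samba share root plus a dry-run
# plan of the commands to set it up. Not part of the original thread.

# Constructed sample, copied from the getfacl output quoted in the thread.
SAMPLE_ACL='# file: srv/samba/Demo/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040users:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---'

# Constructed sample of a share root that was left at 777 (world writable).
OPEN_ACL='# file: srv/samba/Open/
# owner: root
# group: root
user::rwx
group::rwx
other::rwx'

# acl_group_ok ACLTEXT GROUP
# Returns 0 when GROUP has rwx in both the access ACL and the default ACL,
# both masks allow rwx, and "other" has no access. getfacl escapes spaces in
# names as \040, so each line is unescaped before comparing.
acl_group_ok() {
  printf '%s\n' "$1" | awk -v grp="$2" '
    { gsub(/\\040/, " ") }
    $0 == ("group:" grp ":rwx")         { access = 1 }
    $0 == ("default:group:" grp ":rwx") { dflt = 1 }
    $0 == "mask::rwx"                   { mask = 1 }
    $0 == "default:mask::rwx"           { dmask = 1 }
    $0 == "other::---"                  { closed = 1 }
    END { exit !(access && dflt && mask && dmask && closed) }'
}

# acl_world_open ACLTEXT
# Returns 0 when the "other" entry grants any permission at all.
acl_world_open() {
  printf '%s\n' "$1" | awk '
    /^other::/ && $0 != "other::---" { open = 1 }
    END { exit !open }'
}

# share_setup_cmds GROUP SHAREPATH DOMAIN
# Prints (does not run) the commands that make GROUP the owning group of the
# share root, give it rwx with inheritance (default ACL, so new files and
# directories pick it up), and grant it SeDiskOperatorPrivilege so its
# members can manage the share's Windows ACLs. All three arguments are
# placeholders in this example.
share_setup_cmds() {
  _grp=$1; _path=$2; _dom=$3
  printf '%s\n' \
    "chown root:\"$_grp\" \"$_path\"" \
    "chmod 0770 \"$_path\"" \
    "setfacl -R -m \"g:$_grp:rwx\" -m \"d:g:$_grp:rwx\" \"$_path\"" \
    "net rpc rights grant \"$_dom\\$_grp\" SeDiskOperatorPrivilege -U \"$_dom\\administrator\""
}

# Usage: check the quoted dump, then show the plan for the HR share.
if acl_group_ok "$SAMPLE_ACL" "domain users"; then
  echo "Demo: domain users ok"
fi
if acl_world_open "$OPEN_ACL"; then
  echo "Open: share root is world accessible, fix it"
fi
share_setup_cmds "HR-group" /var/lib/samba/data/data/HR SAMDOM
```

Run the printed commands as root on the DC once they look right; `getfacl` on the share root afterwards should then pass `acl_group_ok` for HR-group, and `net rpc rights list accounts -U "SAMDOM\administrator"` shows whether the privilege grant took.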