[Samba] Retaining Permissions on a share

Rowland Penny rpenny at samba.org
Tue Jun 13 13:14:47 UTC 2017


On Tue, 13 Jun 2017 15:03:49 +0200
Neil <nwilson123 at gmail.com> wrote:

> On Tue, Jun 13, 2017 at 1:17 PM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
> > On Tue, 13 Jun 2017 12:25:32 +0200
> > Neil <nwilson123 at gmail.com> wrote:
> >
> > > Hi Rowland,
> > >
> > > Thank you for the reply and info.
> > >
> > > On Tue, Jun 13, 2017 at 11:19 AM, Rowland Penny <rpenny at samba.org>
> > > wrote:
> > >
> > > > On Tue, 13 Jun 2017 09:15:40 +0200
> > > > Neil via samba <samba at lists.samba.org> wrote:
> > > >
> > > >
> > > > OK, this a DC and therefore you will have to do things
> > > > differently from a Unix domain member.
> > > >
> > > > You might as well remove these lines from [global]
> > > >
> > > >     winbind use default domain = yes
> > > >     vfs objects = acl_xattr
> > > >     map acl inherit = Yes
> > > >     store dos attributes = Yes
> > > >
> > > > The first doesn't work on a DC and the others are built into the
> > > > 'samba' daemon and so could be causing problems.
> > > >
> > > > You should also make the [HR] share look like this:
> > > >
> > > > [HR]
> > > >         path = /var/lib/samba/data/data/HR
> > > >         read only = No
> > > >
> > > > Now go and read this:
> > > >
> > > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > > >
> > > > You must use Windows ACLs on a DC.
> > > >
> > >
> > > Thanks, I've cleaned up the smb.conf (and HR share) and had a full
> > > read again, but I'm still not sure how this will prevent users
> > > from becoming owner of the files (shown using getfacl as the
> > > extended attributes) if they save them or if they create a
> > > directory.
> > >
> > > From what I've seen, the only thing I've done differently is that
> > > because I set the permissions to 777 initially, I didn't have to set
> > > the SeDiskOperatorPrivilege,
> > > although I was using the user who already had this permission.
> >
> > Using '777' means that you now have a wide open share.
> >
> 
> Yes thanks, it was just used to reset permissions initially, I'll use
> the SeDiskOperatorPrivilege to avoid having to "loosen" the
> permissions.
> 
> 
> > >
> > > One other thing is that the current HR share is 100GB+ and
> > > changing permissions from the Windows side takes hours, is there
> > > a quicker way to set both the sharing permissions and the
> > > Security permissions for group HR-group using setfacl? I've tried
> > > setting it using setfacl but couldn't seem to get this right.
> > >
> > > Apologies if I've misunderstood or if I'm missing something.
> > >
> > > Thank you!
> > >
> > > Regards.
> > >
> > > Neil Wilson
> > >
> >
> > # getfacl /srv/samba/Demo/
> > # file: srv/samba/Demo/
> > # owner: root
> > # group: root
> > user::rwx
> > user:root:rwx
> > group::---
> > group:root:---
> > group:domain\040users:rwx
> > group:domain\040admins:rwx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:group::---
> > default:group:root:---
> > default:group:domain\040users:rwx
> > default:group:domain\040admins:rwx
> > default:mask::rwx
> > default:other::---
> >
> >
> >
> > This shows that the share directory is owned by root:root and the
> > user root can do anything, but root group members cannot do
> > anything. Extended ACLs for Domain Users and Domain Admins allow
> > members of these groups to do anything.
> >
> > The settings shown on the wiki page are only examples, so you can
> > change them if you wish. If you are going to only administer the
> > share using the 'Administrator' user then you can leave the owner
> > group alone, but if you want to use members of a group, you will
> > need to 'chmod' the group ownership and then give the group the
> > 'SeDiskOperatorPrivilege'.
> >
> 
> Great, thanks. I didn't realise that I'd need to set the group to the
> "diskOperatorprivilege", that makes complete sense now!
> 
> Thank you for your help, I'll go ahead and give this a try.
> 

One thing I neglected to mention, you will need to give the group the
'SeDiskOperatorPrivilege' on the Samba machine that holds the share.

Rowland
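As an added example (not code from the thread or from the Samba project), the following Python script does two things that come up above: it parses `getfacl` output, using the listing Rowland quoted for `/srv/samba/Demo/` as constructed sample input, and audits it for the layout he describes (`other` closed in both the access and the default ACL, the administering group holding `rwx` in both so new files and directories inherit it, no restrictive mask), flagging the wide-open `other::rwx` that a `chmod 777` leaves behind. It also builds the `setfacl` command lines that reproduce that layout for a chosen set of groups, which is the quicker, server-side alternative Neil asked about for a large share. The function names, the policy checks and the group name `HR-group` taken from Neil's question are this script's own assumptions; it never runs `setfacl` itself.

```python
"""Audit a Samba share's POSIX ACL from getfacl output, and emit the setfacl
commands that reproduce the access + default ACL layout shown in the thread.
Added example; the policy and names here are assumptions, not Samba's."""
import re
import shlex

# Constructed sample input: the getfacl listing quoted in the thread.
# getfacl writes spaces in names as the octal escape \040.
SAMPLE_GETFACL = """\
# file: srv/samba/Demo/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\\040users:rwx
group:domain\\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\\040users:rwx
default:group:domain\\040admins:rwx
default:mask::rwx
default:other::---
"""


def _unescape(name):
    """Undo getfacl's \\NNN octal escaping (e.g. \\040 -> space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Return (header, entries). header maps file/owner/group from the
    '#' lines; entries are (scope, tag, qualifier, perms) tuples where
    scope is 'access' or 'default' and qualifier is '' for owner/other/mask."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition(":")
            header[key.strip()] = value.strip()
            continue
        parts = line.split(":")
        scope = "access"
        if parts[0] == "default":
            scope = "default"
            parts = parts[1:]
        if len(parts) != 3:
            raise ValueError(f"unparseable ACL line: {line!r}")
        tag, qualifier, perms = parts
        entries.append((scope, tag, _unescape(qualifier), perms))
    return header, entries


def audit_share_acl(text, admin_group):
    """Check both the access ACL and the default (inherited) ACL against the
    layout described in the thread. Returns a list of findings; an empty
    list means the listing matches."""
    _, entries = parse_getfacl(text)
    acl = {(scope, tag, qual): perms for scope, tag, qual, perms in entries}
    findings = []
    for scope in ("access", "default"):
        other = acl.get((scope, "other", ""))
        if other != "---":
            # This is what a chmod 777 leaves behind: a world-accessible share.
            findings.append(f"{scope}: other::{other} leaves the share wide open")
        group = acl.get((scope, "group", admin_group))
        if group != "rwx":
            findings.append(
                f"{scope}: group {admin_group!r} has {group or 'no entry'}, expected rwx"
            )
        mask = acl.get((scope, "mask", ""))
        if mask is not None and mask != "rwx":
            # The mask caps every named user/group entry, so rw- here would
            # silently strip execute/search from the admin group.
            findings.append(f"{scope}: mask::{mask} caps the named group entries")
    return findings


def setfacl_commands(path, groups, recursive=False):
    """Build setfacl invocations reproducing the thread's layout for the given
    named groups: root keeps rwx, the owning group and 'other' get nothing,
    and the same entries are set as the default ACL so new files inherit them.
    Group names must resolve on the DC (getent group) for setfacl to accept them."""
    spec = ["u::rwx", "u:root:rwx", "g::---", "g:root:---"]
    spec += [f"g:{g}:rwx" for g in groups]
    spec += ["m::rwx", "o::---"]
    flags = "-R " if recursive else ""
    entries = shlex.quote(",".join(spec))
    target = shlex.quote(path)
    return [
        f"setfacl {flags}-m {entries} {target}",
        f"setfacl {flags}-d -m {entries} {target}",
    ]


if __name__ == "__main__":
    for finding in audit_share_acl(SAMPLE_GETFACL, "HR-group") or ["ACL matches policy"]:
        print(finding)
    print("\n".join(setfacl_commands("/srv/samba/Demo", ["domain users", "HR-group"], True)))
```

Running the script against the quoted listing with `HR-group` as the administering group reports that the group has no entry in either the access or the default ACL, which is exactly the state Neil describes before fixing the share; auditing the same listing for `domain users` returns nothing. The generated `setfacl -R` pair applies the access and default ACLs in one pass from the server, which is far cheaper on a 100GB tree than pushing the change through Windows, and still leaves the `SeDiskOperatorPrivilege` grant that Rowland mentions as a separate step.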
