[Samba] Adding Share Windows ACL

Micha Ballmann ballmann at uni-landau.de
Sun Jan 28 14:23:03 UTC 2018


I found out that when I'm creating a completely new share and access it via Computer Management, by default there is a share permission set with full control for "everyone".

When I'm trying now to set ACLs, it is working. But when I'm deleting "everyone" and set Domain Admins and/or Unix Admins and give them full control, I'm no longer able to set ACLs!

Micha



On 28 January 2018 12:00:07 CET, Rowland Penny via samba <samba at lists.samba.org> wrote:
>On Sun, 28 Jan 2018 10:52:47 +0100
>Micha Ballmann via samba <samba at lists.samba.org> wrote:
>
>> I'm sorry, the last mail was not complete.
>> 
>> ...
>> -> Login to Windows with administrator and connect to FILESERVER via 
>> "Computer Management" -> Choosing Demo Share and going to Security tab
>> ->
>> 
>> Can't set any ACL because: permission denied!
>> 
>
>This is strange. It didn't work for me because the Unix permissions
>were not set correctly, once I sorted those, it did work.
>
>I tried it again, added a share to smb.conf on a Unix domain member:
>
>[tmpshare]
>    path = /srv/tmpshare
>    read only = no
>
>create the required directory:
>
>mkdir /srv/tmpshare
>
>check ownership & permissions:
>
>ls -lad /srv/tmpshare
>drwxr-xr-x 2 root root 4096 Jan 28 10:17 /srv/tmpshare
>
>Now go to Win7, login as Administrator and do this:
>
>Computer Management -> Action -> Connect to another computer ... ->
>Browse to computer
>
>System tools -> ignore error -> Shared folders -> Shares 
>
>Select 'tmpshare' -> right-click -> select 'Properties'
>
>Check what permissions are set:
>
>Share Permissions -> Everyone -> Full control
>
>Security -> Everyone -> Read & execute, List folder contents, Read
>root user -> special permissions -> Full control
>root group -> special permissions -> Traverse folder / execute file,
>              List folder / read data, Read attributes, Read extended
>              attributes, Read permissions
>CREATOR OWNER -> special permissions ->  Full control
>CREATOR GROUP -> special permissions -> Traverse folder / execute file,
>                List folder / read data, Read attributes, Read extended
>                 attributes, Read permissions
>
>I now tried to add a user to 'Security', which seemed to work.
>
>Back to the Unix domain member and check the permissions on the
>directory:
>
>ls -lad /srv/tmpshare
>drwxrwxr-x+ 2 root root 4096 Jan 28 10:17 /srv/tmpshare
>          ^ Notice the addition of the '+' sign, also the group now has
>          'write' on the directory.
>
>Check permissions with 'getfacl'
>
>getfacl /srv/tmpshare
>getfacl: Removing leading '/' from absolute path names
># file: srv/tmpshare
># owner: root
># group: root
>user::rwx
>user:root:rwx
>user:rowland:r-x
>group::r-x
>group:root:r-x
>mask::rwx
>other::r-x
>default:user::rwx
>default:user:root:rwx
>default:user:rowland:r-x
>default:group::r-x
>default:group:root:r-x
>default:mask::rwx
>default:other::r-x
>
>It worked, the user 'rowland' now has read & execute permissions.
>
>If it isn't working for you, then there is obviously something wrong
>with your setup.
>Is SELinux or AppArmor running? If so, turn it off and try again; if it
>now works, investigate using Samba with it.
>
>If they aren't, please post these files:
>/etc/hostname
>/etc/hosts
>/etc/resolv.conf
>/etc/krb5.conf
>/etc/samba/smb.conf
>
>Rowland
>
>
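An added example, not part of the original messages: a small Python parser for the getfacl output quoted above that computes each entry's effective rights under the ACL mask and rebuilds the mode string `ls -l` prints. The function names are this example's own. Once extended ACL entries exist, the group triplet shown by `ls` is the mask, so the rights a Windows ACL change actually granted have to be read from the individual entries.

```python
# Added example; SAMPLE copies the getfacl output quoted in the message above.
SAMPLE = """\
# file: srv/tmpshare
# owner: root
# group: root
user::rwx
user:root:rwx
user:rowland:r-x
group::r-x
group:root:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:rowland:r-x
default:group::r-x
default:group:root:r-x
default:mask::rwx
default:other::r-x
"""

def parse_getfacl(text):
    """Split getfacl output into access and default (tag, name, perms) entries."""
    acl = {"access": [], "default": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops headers and '#effective:' notes
        if line:
            kind = "default" if line.startswith("default:") else "access"
            tag, name, perms = line.removeprefix("default:").split(":", 2)
            acl[kind].append((tag, name, perms.strip()))
    return acl

def effective(entries):
    """Named users, the owning group and named groups are capped by the mask."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    out = {}
    for tag, name, perms in entries:
        if tag == "mask":
            continue
        capped = tag == "group" or (tag == "user" and name != "")
        out[(tag, name)] = "".join(
            c if c != "-" and (not capped or c in mask) else "-" for c in perms)
    return out

def ls_mode(entries):
    """Mode bits as ls shows them: the group triplet is the mask, if one exists."""
    p = {(t, n): perms for t, n, perms in entries}
    return p[("user", "")] + p.get(("mask", ""), p[("group", "")]) + p[("other", "")]
```

For the quoted output, `ls_mode` gives `rwxrwxr-x` (matching the `ls -lad` line) while the owning group's effective rights remain `r-x`.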