[Samba] Domain Administrator and shares problems

Rowland Penny rpenny at samba.org
Tue Oct 9 20:41:14 UTC 2018


On Tue, 9 Oct 2018 22:16:41 +0200
Peter Milesson <miles at atmos.eu> wrote:

> 
> 
> On 09.10.2018 21:25, Rowland Penny via samba wrote:
> > On Tue, 9 Oct 2018 19:44:55 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> Hi Rowland,
> >>
> >> I made a fresh install of the AD DC, a member server, and a Windows
> >> 10 PC that was never part of any domain. Authentication works,
> >> Active Directory works, DNS works, the Administrator can add,
> >> edit, and delete entries. The AD DC running CentOS 7.5, with a
> >> self compiled Samba 4.9.1. The member server using CentOS 7.5 with
> >> Samba 4.7.1 from standard distribution packages. I have also
> >> tested a self compiled Samba 4.9.1 as domain member. The
> >> configurations are identical to the ones used in production.
> >> Firewalls disabled, as is SeLinux on both Linux boxes.
> >>
> >> However, file sharing is a complete disaster. The Samba member
> >> server automatically uses ACLs when creating files and folders,
> >> which the production server doesn't. Everything positive ends
> >> here. The rest of the process using Windows Computer Manager for
> >> setting up the share parameters, is completely derailed.
> >>
> >> If the domain Administrator, Domain Admins, or any account with
> >> Administrator privileges figure anywhere, everything is completely
> >> blocked.
> > When you say blocked, do you mean you get an error message like this
> > when you click on the 'security' tab:
> >
> > You do not have permission to view or edit this object’s
> > permission settings.
> >
> > I set up a totally new centos 7 VM and installed Samba, but somehow
> > I missed out the user.map line and I got that error. Added the line:
> >
> > username map = /etc/samba/user.map
> >
> > created the user.map:
> >
> > !root = SAMDOM\Administrator SAMDOM\administrator Administrator
> > administrator
> >
> > Restarted Samba and it now works.
> >
> > Unix permissions before attempting any changes from windows:
> >
> > [root at cen7member ~]# ls -lad /data/samba/profiles
> > drwxrwx--- 2 root unix admins 6 Oct  9 19:13 /data/samba/profiles
> >
> > After adding a user to the share from windows 'Security' tab:
> >
> > Edit -> Add -> Advanced -> Find Now -> select user (Rowland Penny)
> > -> OK -> OK -> standard permissions: Read & execute, List folder
> > contents, Read
> >
> > [root at cen7member ~]# ls -lad /data/samba/profiles
> > drwxrwx---+ 2 root unix admins 6 Oct  9 19:13 /data/samba/profiles
> >
> > And the extended ACLs now set:
> > [root at cen7member ~]# getfacl /data/samba/profiles
> > getfacl: Removing leading '/' from absolute path names
> > # file: data/samba/profiles
> > # owner: root
> > # group: unix\040admins
> > user::rwx
> > user:root:rwx
> > user:rowland:r-x
> > user:12122:rwx
> > group::rwx
> > group:rowland:r-x
> > group:unix\040admins:rwx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:rowland:r-x
> > default:group::r-x
> > default:group:rowland:r-x
> > default:group:unix\040admins:r-x
> > default:mask::rwx
> > default:other::r-x
> >
> >> I'll get on my bike and take a trip in the countryside tomorrow,
> >> instead of fighting wind mills...
> > Yes, I always find walking away and returning later usually
> > works ;-)
> >
> > Rowland
> >
> Thanks a lot for your support Rowland. I've tried those steps, but no
> success. On the contrary. Just not possible to change anything. The
> security object list is displayed, but no changes are possible.
> Windows complaining about insufficient permissions. I have not forgotten
> the username map in the smb.conf file, neither did I forget to set
> SeDiskOperatorPrivileges.
> 
> I'll put it on the shelf for some time. At least I've got a working
> setup in the production server for now. Nothing will probably change
> there for at least a couple of years. But I've got very strong doubts
> about the current security level, with the Everyone group working as
> a stand in for Domain Admins, and a domain Administrator that seems
> to have got privileges just north of the Guest account.

You seem to be fixated on the 'share' tab, ignore this and concentrate
on the 'security' tab (would it help if I said a better name for the
tab would be 'NTFS permissions'?). You should also be aware (from a Unix
perspective) that there are three permission storages in play:
  the standard 'ugo'
  extended ACLs as shown by getfacl
  extended attributes stored in security.NTACL on the directory or
  file.

> 
> I'll give Samba a try under Slackware. I've set up a bunch of Samba 
> servers under Slackware since around 2002, or so. But the previous
> ones were always PDCs. That path seems now closed, however, with MS
> probably scrapping the NT1 protocol in the immediate future.
> Slackware had very quirky support for LDAP, and pam integration
> impossible, making any kind of AD stuff extremely tricky. But the
> recent Samba versions have got most of the parts that were missing
> from Slackware built in. So I'll give it a try, but in a few weeks
> time.

There is a GUY who posts on here regularly who uses Slackware; he is
probably the one you need here.

However, if you are considering a different OS, how about Debian (or
Devuan)? You could then use Louis's packages and get the most up to date
Samba versions.

> 
> Until then...
> 

I will sort out my notes and send you a copy; I feel you must have a
simple mistake that is causing your problem.

Rowland
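The three permission storages listed above can be checked side by side on a member server. The following script is an added example, not part of the thread or of Samba; it assumes the acl and attr packages (getfacl, getfattr) are installed, and falls back to the '+' marker in ls output where they are not.

```shell
#!/bin/sh
# perm_report PATH
# Reports the three storages Samba may consult for PATH:
#   1. the classic ugo mode bits
#   2. the POSIX extended ACL (what getfacl shows)
#   3. the NT ACL blob Samba keeps in the security.NTACL xattr
perm_report() {
  p="$1"
  [ -e "$p" ] || { echo "no such path: $p" >&2; return 1; }

  # 1. ugo bits; a trailing '+' in the mode column means an extended
  #    ACL is set, which plain 'ls' would otherwise hide.
  mode=$(ls -ld "$p" | awk '{print $1}')
  echo "ugo: $mode"
  case "$mode" in
    *+) echo "extended ACL: present" ;;
    *)  echo "extended ACL: none" ;;
  esac

  # 2. POSIX ACL entries (skip the '# file/owner/group' header lines).
  #    Pay attention to 'mask::', it caps every named user/group entry.
  if command -v getfacl >/dev/null 2>&1; then
    getfacl --absolute-names "$p" 2>/dev/null | grep -v '^#'
  fi

  # 3. The NT ACL that the Windows 'Security' tab actually edits.
  #    Only its presence is reported; the blob itself is binary.
  if command -v getfattr >/dev/null 2>&1; then
    if getfattr --absolute-names -n security.NTACL "$p" >/dev/null 2>&1; then
      echo "security.NTACL: present"
    else
      echo "security.NTACL: absent"
    fi
  else
    echo "security.NTACL: getfattr not installed, cannot check"
  fi
}
```

Run it as root against the share path (for example `perm_report /data/samba/profiles`); a directory that shows ugo bits and an extended ACL but no security.NTACL is one whose NT permissions Samba will synthesise from the POSIX ACL rather than from what was set in Windows.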
