[Samba] Domain Administrator and shares problems

Peter Milesson miles at atmos.eu
Wed Oct 10 08:27:53 UTC 2018


On 10/9/18 10:41 PM, Rowland Penny via samba wrote:
> On Tue, 9 Oct 2018 22:16:41 +0200
> Peter Milesson <miles at atmos.eu> wrote:
>
>>
>> On 09.10.2018 21:25, Rowland Penny via samba wrote:
>>> On Tue, 9 Oct 2018 19:44:55 +0200
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi Rowland,
>>>>
>>>> I made a fresh install of the AD DC, a member server, and a Windows
>>>> 10 PC that was never part of any domain. Authentication works,
>>>> Active Directory works, DNS works, the Administrator can add,
>>>> edit, and delete entries. The AD DC running CentOS 7.5, with a
>>>> self compiled Samba 4.9.1. The member server using CentOS 7.5 with
>>>> Samba 4.7.1 from standard distribution packages. I have also
>>>> tested a self compiled Samba 4.9.1 as domain member. The
>>>> configurations are identical to the ones used in production.
>>>> Firewalls disabled, as is SeLinux on both Linux boxes.
>>>>
>>>> However, file sharing is a complete disaster. The Samba member
>>>> server automatically uses ACLs when creating files and folders,
>>>> which the production server doesn't. Everything positive ends
>>>> here. The rest of the process using Windows Computer Manager for
>>>> setting up the share parameters, is completely derailed.
>>>>
>>>> If the domain Administrator, Domain Admins, or any account with
>>>> Administrator privileges figure anywhere, everything is completely
>>>> blocked.
>>> When you say blocked, do you mean you get an error message like this
>>> when you click on the 'security' tab:
>>>
>>> You do not have permission to view or edit this object’s
>>> permission settings.
>>>
>>> I set up a totally new centos 7 VM and installed Samba, but somehow
>>> I missed out the user.map line and I got that error. Added the line:
>>>
>>> username map = /etc/samba/user.map
>>>
>>> created the user.map:
>>>
>>> !root = SAMDOM\Administrator SAMDOM\administrator Administrator
>>> administrator
>>>
>>> Restarted Samba and it now works.
>>>
>>> Unix permissions before attempting any changes from windows:
>>>
>>> [root at cen7member ~]# ls -lad /data/samba/profiles
>>> drwxrwx--- 2 root unix admins 6 Oct  9 19:13 /data/samba/profiles
>>>
>>> After adding a user to the share from windows 'Security' tab:
>>>
>>> Edit -> Add -> Advanced -> Find Now -> select user (Rowland Penny)
>>> -> OK -> OK -> standard permissions: Read & execute, List folder
>>> contents, Read
>>>
>>> [root at cen7member ~]# ls -lad /data/samba/profiles
>>> drwxrwx---+ 2 root unix admins 6 Oct  9 19:13 /data/samba/profiles
>>>
>>> And the extended ACLs now set:
>>> [root at cen7member ~]# getfacl /data/samba/profiles
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: data/samba/profiles
>>> # owner: root
>>> # group: unix\040admins
>>> user::rwx
>>> user:root:rwx
>>> user:rowland:r-x
>>> user:12122:rwx
>>> group::rwx
>>> group:rowland:r-x
>>> group:unix\040admins:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:rowland:r-x
>>> default:group::r-x
>>> default:group:rowland:r-x
>>> default:group:unix\040admins:r-x
>>> default:mask::rwx
>>> default:other::r-x
>>>
>>>> I'll get on my bike and take a trip in the countryside tomorrow,
>>>> instead of fighting wind mills...
>>> Yes, I always find walking away and returning later usually
>>> works ;-)
>>>
>>> Rowland
>>>
>> Thanks a lot for your support Rowland. I've tried those steps, but no
>> success. On the contrary. Just not possible to change anything. The
>> security object list is displayed, but no changes are possible.
>> Windows complaining about insufficient permissions. I have not forgotten
>> the username map in the smb.conf file, neither did I forget to set
>> SeDiskOperatorPrivileges.
>>
>> I'll put it on the shelf for some time. At least I've got a working
>> setup in the production server for now. Nothing will probably change
>> there for at least a couple of years. But I've got very strong doubts
>> about the current security level, with the Everyone group working as
>> a stand-in for Domain Admins, and a domain Administrator that seems
>> to have got privileges just north of the Guest account.
> You seem to be fixated on the 'share' tab, ignore this and concentrate
> on the 'security' tab (would it help if I said a better name for the
> tab would be 'NTFS permissions'?). You should also be aware (from a Unix
> perspective) that there are three permissions storages in play:
> the standard 'ugo'
> Extended ACLs as shown by getfacl
> Extended attributes stored in security.NTACL on the directory or
> file.
>
>> I'll give Samba a try under Slackware. I've set up a bunch of Samba
>> servers under Slackware since around 2002, or so. But the previous
>> ones were always PDCs. That path seems now closed, however, with MS
>> probably scrapping the NT1 protocol in the immediate future.
>> Slackware had very quirky support for LDAP, and pam integration
>> impossible, making any kind of AD stuff extremely tricky. But the
>> recent Samba versions have got most of the parts that were missing
>> from Slackware built in. So I'll give it a try, but in a few weeks
>> time.
> There is a guy who posts on here regularly who uses Slackware, he is
> probably the one you need here.
>
> However, if you are considering a different OS, how about Debian (or
> Devuan), you could then use Louis's packages and get the most up to date
> Samba versions.
>
>> Until then...
>>
> I will sort out my notes and send you a copy, I feel you must have a
> simple mistake that is causing your problem.
>
> Rowland

Hi Rowland,

I tried Debian as Samba member server as a test a few days ago.
Functionally no difference to CentOS. So I just continued with CentOS
for the production server.

About my problems. I follow the instructions for setting up a share.
This time I assigned myself as a testuser to the Domain Admins group,
and after that, there is no way to get any further. In the shares list,
the Domain Users and Domain Admins groups are displayed. Switching over
to the security tab, different groups and users are displayed. Yes, they
are displayed, which would be considered a great step forward. But
trying to change anything there just doesn't work. It just complains
that I have got insufficient permissions to make any changes. Any changes
at all.

The folder looks like the following:

ls -al
total 12
drwxr-xr-x. 3 root root          4096 Oct  9 15:55 .
drwxr-xr-x. 3 root root          4096 Oct  9 15:54 ..
drwxr-xr-x. 2 root domain admins 4096 Oct  9 15:55 wandafishand

getfacl wandafish
# file: wandafish
# owner: root
# group: domain\040admins
user::rwx
group::r-x
other::r-x


Having the "wrong" users or groups in the share tab gives a blank
security tab. On the production server group Everyone with full
permissions is required, otherwise the security tab does not show up. In
my test environment, I assigned myself to the Domain Admins group. After
that I really don't get anywhere.

As I told you, I will put it on ice for a few weeks, and consider
alternatives. IMHO, the choice of OS probably plays a big role here.
CentOS has got far too much stuff running in the background, interfering
if it considers necessary. Even with SeLinux and the firewall disabled.
I need to have something with better control of the running processes.
Slackware has precisely got that. I'll report back.

Best regards,

Peter
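An added checker, not code from the thread or from Samba, that audits a share directory's captured `getfacl` dump and the smb.conf username map for the two conditions the exchange above turns on: the owning Unix group needing write access, and Administrator being mapped to root. The sample inputs are constructed from the outputs quoted in the thread; SAMDOM is a placeholder domain name.

```shell
# Added example, not code from the thread: offline checks on captured `getfacl`
# output and the smb.conf username map; samples are constructed from the thread.
# Reads a getfacl dump on stdin; exits 0 when owner is root, the owning group has
# write access and the mask does not strip it. Prints what fails.
audit_facl() {
    awk '
        /^# owner:/ { owner = $3 }
        /^# group:/ { grp = $3 }
        /^group::/  { split($0, a, ":"); gperm = a[3] }
        /^mask::/   { split($0, a, ":"); mask = a[3] }
        /^(user|group):[^:]+:/ { ext = 1 }   # named entries = extended ACL present
        END {
            rc = 0
            if (owner != "root") { print "owner is " owner ", expected root"; rc = 1 }
            if (gperm !~ /w/) { print "group " grp " has " gperm ", needs rwx"; rc = 1 }
            if (mask != "" && mask !~ /w/) { print "mask " mask " strips write"; rc = 1 }
            if (!ext) print "note: no extended ACL entries (Windows wrote none yet)"
            exit rc
        }'
}
# Reads a username map on stdin; exits 0 when Administrator is mapped to root.
audit_user_map() {
    grep -Eiq '^[[:space:]]*!?root[[:space:]]*=.*administrator'
}
# Constructed sample: the directory from the last message (group r-x, no extras).
broken_facl() { cat <<'EOF'
# file: wandafish
# owner: root
# group: domain\040admins
user::rwx
group::r-x
other::r-x
EOF
}
# Constructed sample: a directory Windows can manage (group rwx, entries written).
working_facl() { cat <<'EOF'
# file: data/samba/profiles
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
EOF
}
# Constructed user.map line (SAMDOM is a placeholder domain name).
user_map() { printf '!root = SAMDOM\\Administrator SAMDOM\\administrator Administrator\n'; }
```

On a live member server, feed it with `getfacl /path/to/share | audit_facl` and `audit_user_map < /etc/samba/user.map`.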
