[Samba] Domain Administrator and shares problems

[L.P.H. van Belle]

Im not saying anything but having a GID on "domain admins" works fine. 
For me then since 2014..

getent group "domain admins"
domain admins:x:10001:admin,administrator

Can you post the output of 
ls -ald  /data/samba

What happens when you do this. 
chmod 1777 /data/samba/profiles
or 3777, but that opens access for "domain users" to the users profiles folders. 

But really, if its the profiles folder its a windows only folder.

This works without any problems, set the settings you see here, then configure the share and security from a windows pc.
And never touch it again. 

[profiles]
    browseable = yes
    path = /data/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

ls -al /home/samba/
drwxrwx--T+  88 root root  4096 Oct  4 13:55 profiles

 file: home/samba/profiles
# owner: root
# group: root
# flags: --t
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:mask::rwx
default:other::---

Ps , have you check the SePrivileges, do you have the needed mappings? 
My output. 

kinit Administrator
net rpc rights list privileges SeDiskOperatorPrivilege -k -S $(hostname -s)
SeDiskOperatorPrivilege:
  BUILTIN\Administrators

net rpc rights list privileges SeSecurityPrivilege -k -S $(hostname -s)
SeSecurityPrivilege:
  BUILTIN\Administrators

net rpc rights list privileges SeTakeOwnershipPrivilege -k -S $(hostname -s)
SeTakeOwnershipPrivilege:
  BUILTIN\Administrators



Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Christian Naumer via samba
> Verzonden: woensdag 10 oktober 2018 10:43
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Domain Administrator and shares problems
> 
> Am 10.10.18 um 10:27 schrieb Peter Milesson via samba:
> > 
> > On 10/9/18 10:41 PM, Rowland Penny via samba wrote:
> >> On Tue, 9 Oct 2018 22:16:41 +0200
> >> Peter Milesson <miles at atmos.eu> wrote:
> >>
> >>>
> >>> On 09.10.2018 21:25, Rowland Penny via samba wrote:
> >>>> On Tue, 9 Oct 2018 19:44:55 +0200
> >>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
> >>>>
> >>>>> Hi Rowland,
> >>>>>
> >>>>> I made a fresh install of the AD DC, a member server, 
> and a Windows
> >>>>> 10 PC that was never part of any domain. Authentication works,
> >>>>> Active Directory works, DNS works, the Administrator can add,
> >>>>> edit, and delete entries. The AD DC running CentOS 7.5, with a
> >>>>> self compiled Samba 4.9.1. The member server using 
> CentOS 7.5 with
> >>>>> Samba 4.7.1 from standard distribution packages. I have also
> >>>>> tested a self compiled Samba 4.9.1 as domain member. The
> >>>>> configurations are identical to the ones used in production.
> >>>>> Firewalls disabled, as is SeLinux on both Linux boxes.
> >>>>>
> >>>>> However, file sharing is a complete disaster. The Samba member
> >>>>> server automatically uses ACLs when creating files and folders,
> >>>>> which the production server doesn't. Everything positive ends
> >>>>> here. The rest of the process using Windows Computer Manager for
> >>>>> setting up the share parameters, is completely derailed.
> >>>>>
> >>>>> If the domain Administrator, Domain Admins, or any account with
> >>>>> Administrator privileges figure anywhere, everything is 
> completely
> >>>>> blocked.
> >>>> When you say blocked, do you mean you get an error 
> message like this
> >>>> when you click on the 'security' tab:
> >>>>
> >>>> You do not have permission to view to view or edit this object?s
> >>>> permission settings.
> >>>>
> >>>> I set up a totally new centos 7 VM and installed Samba, 
> but somehow
> >>>> I missed out the user.map line and I got that error. 
> Added the line:
> >>>>
> >>>> username map = /etc/samba/user.map
> >>>>
> >>>> created the user.map:
> >>>>
> >>>> !root = SAMDOM\Administrator SAMDOM\administrator Administrator
> >>>> administrator
> >>>>
> >>>> Restarted Samba and it now works.
> >>>>
> >>>> Unix permissions before attempting any changes from windows:
> >>>>
> >>>> [root at cen7member ~]# ls -lad /data/samba/profiles
> >>>> drwxrwx--- 2 root unix admins 6 Oct  9 19:13 /data/samba/profiles
> >>>>
> >>>> After adding a user to the share from windows 'Security' tab:
> >>>>
> >>>> Edit -> Add -> Advanced -> Find Now -> select user 
> (Rowland Penny)
> >>>> -> OK -> OK -> standard permissions: Read & execute, List folder
> >>>> contents, Read
> >>>>
> >>>> [root at cen7member ~]# ls -lad /data/samba/profiles
> >>>> drwxrwx---+ 2 root unix admins 6 Oct  9 19:13 
> /data/samba/profiles
> >>>>
> >>>> And the extend ACLs now set:
> >>>> [root at cen7member ~]# getfacl /data/samba/profiles
> >>>> getfacl: Removing leading '/' from absolute path names
> >>>> # file: data/samba/profiles
> >>>> # owner: root
> >>>> # group: unix\040admins
> >>>> user::rwx
> >>>> user:root:rwx
> >>>> user:rowland:r-x
> >>>> user:12122:rwx
> >>>> group::rwx
> >>>> group:rowland:r-x
> >>>> group:unix\040admins:rwx
> >>>> mask::rwx
> >>>> other::---
> >>>> default:user::rwx
> >>>> default:user:root:rwx
> >>>> default:user:rowland:r-x
> >>>> default:group::r-x
> >>>> default:group:rowland:r-x
> >>>> default:group:unix\040admins:r-x
> >>>> default:mask::rwx
> >>>> default:other::r-x
> >>>>
> >>>>> I'll get on my bike and take a trip in the countryside tomorrow,
> >>>>> instead of fighting wind mills...
> >>>> Yes, I always find walking away and returning later usually
> >>>> works ;-)
> >>>>
> >>>> Rowland
> >>>>
> >>> Thanks a lot for your support Rowland. I've tried those 
> steps, but no
> >>> success. On the contrary. Just not possible to change 
> anything. The
> >>> security object list is displayed, but no changes are possible.
> >>> Windows complaining about insufficient permissions. I 
> have not forgot
> >>> the username map in the smb.conf file, neither did I forget to set
> >>> SeDiskOperatorPrivileges.
> >>>
> >>> I'll put it on the shelf for some time. At least I've got 
> a working
> >>> setup in the production server for now. Nothing will 
> probably change
> >>> there for at least a couple of years. But I've got very 
> strong doubts
> >>> about the current security level, with the Everyone group 
> working as
> >>> a stand in for Domain Admins, and a domain Administrator 
> that's seems
> >>> to have got privileges just north of the Guest account.
> >> You seem to be fixated on the 'share' tab, ignore this and 
> concentrate
> >> on the 'security' tab (would it help if I said a better 
> name for the
> >> tab would 'NTFS permissions' ?). You should also be aware 
> (From a Unix
> >> perspective) that there are three permissions storages in play:
> >> the standard 'ugo'
> >> Extend ACLs as shown by getfacl
> >> Extended attributes stored in security.NTACL on the directory or
> >> file.
> >>
> >>> I'll give Samba a try under Slackware. I've set up a 
> bunch of Samba
> >>> servers under Slackware since around 2002, or so. But the previous
> >>> ones were always PDCs. That path seems now closed, 
> however, with MS
> >>> probably scrapping the NT1 protocol in the immediate future.
> >>> Slackware had very quirky support for LDAP, and pam integration
> >>> impossible, making any kind of AD stuff extremely tricky. But the
> >>> recent Samba versions have got most of the parts that were missing
> >>> from Slackware built in. So I'll give it a try, but in a few weeks
> >>> time.
> >> There is a GUY who posts on here regularly who uses 
> Slackware, he is
> >> probably one you need here.
> >>
> >> However, if you are considering a different OS, how about 
> Debian (or
> >> Devuan), you could the use Louis's packages and get the 
> most up to date
> >> Samba versions.
> >>
> >>> Until then...
> >>>
> >> I will sort out my notes and send you a copy, I feel you 
> must have a
> >> simple mistake that is causing your problem.
> >>
> >> Rowland
> > 
> > Hi Rowland,
> > 
> > I tried Debian as Samba member server as a test a few days ago.
> > Functionally no difference to CentOS. So I just continued 
> with CentOS
> > for the production server.
> > 
> > About my problems. I follow the instructions for setting up a share.
> > This time I assigned myself as a testuser to the Domain 
> Admins group,
> > and after that, there is no way to get any further. In the 
> shares list,
> > the Domain Users, and Domain Admins groups are displayed. 
> Switching over
> > to the security tab, different groups and users are 
> displayed. Yes, they
> > are displayed, which would be considered a great step forward. But
> > trying to change anything there it just don't work. It just 
> complains
> > that I have got insufficient permissons to make any 
> changes. Any changes
> > at all.
> > 
> > The folder looks the following:
> > 
> > ls -al
> > total 12
> > drwxr-xr-x. 3 root root          4096 Oct  9 15:55 .
> > drwxr-xr-x. 3 root root          4096 Oct  9 15:54 ..
> > drwxr-xr-x. 2 root domain admins 4096 Oct  9 15:55 wandafishand
> > 
> > getfacl wandafish
> > # file: wandafish
> > # owner: root
> > # group: domain\040admins
> > user::rwx
> > group::r-x
> > other::r-x
> > 
> > 
> > Having the "wrong" users or groups in the share tab, gives a blank
> > security tab. On the production server group Everyone with full
> > permissions is required, otherwise the security tab does 
> not show up. In
> > my test environment, I assigned myself to the Domain Admins 
> group. After
> > that I really don't get anywhere.
> > 
> > As I told you, I will put it on ice for a few weeks, and consider
> > alternatives. IMHO, the choice of OS probably plays a big role here.
> > CentOS has got far too much stuff running in the 
> background, interfering
> > if it considers necessary. Even with SeLinux and the 
> firewall disabled.
> > I need to have something with better control of the running 
> processes.
> > Slackware has precisely got that. I'll report back.
> 
> It looks like you gave Domain Admins a gid. This is considered a bad
> idea as the group needs to own files on the DC in Sysvol. 
> Rowland works
> around this by creating a group Unix Admins and adds this group to the
> Domain Admins group. This way you can work on the filesystem 
> with "unix
> Admins" (which has a gid) and still have the privileges of 
> Domain Admins.
> In our setup (also classic upgraded) I try to avoid Administrator and
> Domain Admins in file security operations. Have you tried using a
> "normal" group giving this the rights you want on the cli and tried to
> set security i´on Windows with a user in that group?
> 
> Regards
> 
> Christian
> 
> 
> > 
> > Best regards,
> > 
> > Peter
> > 
> > 
> 
> -- 
> Dr. Christian Naumer
> Research Scientist
> Plattform-Koordinator Bioprozesstechnik
> 
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
> fon +49-6251-9331-30  /   fax +49-6251-9331-11
> 
> Sitz der Gesellschaft: Zwingenberg/Bergstrasse
> Registergericht AG Darmstadt, HRB 24758
> Vorstand: Dr. Juergen Eck (Vorsitzender), Frank Goebel
> Aufsichtsratsvorsitzender: Dr. Ludger Mueller
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>