[Samba] Computer Management - Share Security - No Read Access
Marco Shmerykowsky
marco at sce-engineers.com
Tue Feb 19 18:26:12 UTC 2019
On 2019-02-18 11:46 am, Rowland Penny via samba wrote:
> On Mon, 18 Feb 2019 10:58:01 -0500
>
> I have proven that it does work, I have pointed you at the
> documentation.
> This leads to one of two things:
>
> You cannot understand the wiki pages and if so, what can you not
> understand? If you can let me know, I will try to clarify it for you
> and update the wiki.
>
> You are not fully following the wiki.
>
> As I said, it works for myself and numerous other people.
>
> Rowland
OK. I find my eyesight is resulting in stupid typos.
I concede that I may have done something totally stupid
due to lack of familiarity with Linux, Windows, etc.
settings/configurations.
However ...
Following
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
** Samba Extended ACL Support
(CHECK - Expected result returned)
root@machine253:/# smbd -b | grep HAVE_LIBACL
HAVE_LIBACL
** Enable Extended ACL Support in the smb.conf file
(CHECK - Specified lines are part of [global] section - Full smb.conf
provided)
[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.COMPANY.COM
server string = Samba 4 Client %h
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = yes
## map ids outside of domain to tdb files
idmap config *:backend - tdb
idmap config *:range = 2000-9999
## map ids from the domain
idmap config INTERNAL : backend = rid
idmap config INTERNAL : range = 10000-999999
# uncomment next line to allow login
# template shell = /bin/bash
template homedir = /home/%U
domain master = no
local master = no
preferred master = no
# user administrator workaround
username map = /etc/samba/user.map
# for ACL support on domain member
-> vfs objects = acl_xattr
-> map acl inherit = yes
-> store dos attributes = yes
# disable printing completely
# Remove these lines to print
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# logging = 0
# Change the number to raise level
log level = 0
[programs]
path = /server/programs
read only = no
** Granting the SeDiskOperatorPrivilege Privilege
(CHECK - results as expected)
root@machine253:/# net rpc rights list privileges SeDiskOperatorPrivilege -U "INTERNAL\administrator"
Enter INTERNAL\administrator's password:
SeDiskOperatorPrivilege:
BUILTIN\Administrators
INTERNAL\Domain Admins
** Create Share & Set permissions
root@sce253:/# ls -la /server
drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs
** Login to Windows10 client with INTERNAL\administrator
and launch Server Manager -> Computer Manager
Action/Connect to another Computer -> Machine253
Open System Tools/Shared Folders/Shares menu
Right click properties of "programs" share
Share permissions assigned to INTERNAL\programs
(INTERNAL\Programs is a group created which includes
users which are allowed to have access to the programs share)
Security tab shows:
"You must have permissions to view the properties
of this object"
(The 'Object' is \\Machine253\programs)
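As an added example (not code from the post or from the Samba wiki), here is a small POSIX shell lint for the smb.conf checklist above: it flags parameter lines that have no "=" separator, which is how a line such as the "idmap config *:backend - tdb" entry in the posted config surfaces, counts the three ACL settings a domain member needs, and checks an "ls -ld" line for the "+" that marks an extended ACL. The sample smb.conf and the ls line are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or the Samba wiki: lint
# the smb.conf checklist from the wiki page above. The sample smb.conf is
# constructed for this example and keeps the "backend - tdb" line as its defect.
# Print parameter lines lacking the "=" separator (not parsed as key = value).
# Comments, blank lines and [section] headers are skipped.
smbconf_bad_lines() {
    grep -v -E '^[[:space:]]*(#|;|\[|$)' "$1" | grep -v '=' | sed 's/^[[:space:]]*//' || true
}

# Count how many of the three ACL settings a domain member needs are set to
# the expected value (case-insensitive, any spacing around "=").
smbconf_acl_settings_present() {
    n=0
    for kv in 'vfs objects=acl_xattr' 'map acl inherit=yes' 'store dos attributes=yes'; do
        key=${kv%%=*}; val=${kv#*=}
        if grep -i -E "^[[:space:]]*$key[[:space:]]*=.*$val" "$1" >/dev/null; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Return 0 when an "ls -ld" line shows the "+" marking an extended ACL
# (the mode field is the first 10 characters, "+" the 11th).
ls_line_has_acl() {
    case "$1" in
        ??????????+*) return 0 ;;
        *) return 1 ;;
    esac
}

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = INTERNAL
   idmap config *:backend - tdb
   idmap config *:range = 2000-9999
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
[programs]
   path = /server/programs
EOF
echo "parameter lines without '=':"
smbconf_bad_lines "$SAMPLE_CONF"
echo "ACL settings found: $(smbconf_acl_settings_present "$SAMPLE_CONF") of 3"
ls_line_has_acl 'drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs' && echo "share dir has an ACL"
```

Run it against the real file with the path to /etc/samba/smb.conf in place of the sample; a non-empty first list means smbd is silently ignoring a setting you believe is in effect.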