[Samba] Computer Management - Share Security - No Read Access

Marco Shmerykowsky marco at sce-engineers.com
Tue Feb 19 18:26:12 UTC 2019


On 2019-02-18 11:46 am, Rowland Penny via samba wrote:
> On Mon, 18 Feb 2019 10:58:01 -0500
> 
> I have proven that it does work, I have pointed you at the
> documentation.
> This leads to one of two things:
> 
> You cannot understand the wiki pages and if so, what can you not
> understand? If you can let me know, I will try to clarify it for you
> and update the wiki.
> 
> You are not fully following the wiki.
> 
> As I said, it works for myself and numerous other people.
> 
> Rowland

ok.  I find my eyesight is resulting in stupid typos.
I concede that I may have done something totally stupid
due to lack of familiarity with Linux, Windows, etc.
settings/configurations.

However ......

Following 
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

** Samba Extended ACL Support
    (CHECK - Expected result returned)

root@machine253:/# smbd -b |grep HAVE_LIBACL
    HAVE_LIBACL

** Enable Extended ACL Support in the smb.conf file
    (CHECK - Specified lines are part of [global] section - Full smb.conf provided)

[global]
         workgroup = INTERNAL
         security = ADS
         realm = INTERNAL.COMPANY.COM
         server string = Samba 4 Client %h

         winbind use default domain = yes
         winbind expand groups = 2
         winbind refresh tickets = yes

         ## map ids outside of domain to tdb files
         idmap config *:backend = tdb
         idmap config *:range = 2000-9999

         ## map ids from the domain
         idmap config INTERNAL : backend = rid
         idmap config INTERNAL : range = 10000-999999

         # uncomment next line to allow login
         # template shell = /bin/bash
         template homedir = /home/%U

         domain master =  no
         local master = no
         preferred master = no

         # user administrator workaround
         username map = /etc/samba/user.map

         # for ACL support on domain member
->      vfs objects = acl_xattr
->      map acl inherit = yes
->      store dos attributes = yes

         # disable printing completely
         # Remove these lines to print
         load printers = no
         printing = bsd
         printcap name = /dev/null
         disable spoolss = yes

         # logging = 0
         # Change the number to raise level
         log level = 0

[programs]
         path = /server/programs
         read only = no

** Granting the SeDiskOperatorPrivilege Privilege
    (CHECK - results as expected)

root@machine253:/# net rpc rights list privileges SeDiskOperatorPrivilege -U "INTERNAL\administrator"
Enter INTERNAL\administrator's password:
SeDiskOperatorPrivilege:
   BUILTIN\Administrators
   INTERNAL\Domain Admins

** Create Share & Set permissions

root@sce253:/# ls -la /server
drwxrwx---+  4 root          domain admins 4096 Feb 17 19:13 programs

** Login to Windows10 client with INTERNAL\administrator
    and launch Server Manager -> Computer Manager

    Action/Connect to another Computer -> Machine253

    Open System Tools/Shared Folders/Shares menu

    Right click properties of "programs" share

    Share permissions assigned to INTERNAL\programs
    (INTERNAL\Programs is a group created which includes
     users which are allowed to have access to the programs share)

    Security tab shows:

    "You must have permissions to view the properties
     of this object"
    (The 'Object' is \\Machine253\programs)

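The checks walked through above can be scripted so that a domain member's smb.conf is verified before touching the share from Computer Management. The script below is an added example, not code from the post or from the Samba project; it assumes a POSIX shell with awk, and the sample config it writes is constructed for the demonstration (one line deliberately lacks an '=', which smbd ignores as badly formed).

```shell
#!/bin/sh
# check_smbconf FILE: verify the [global] settings the Samba wiki requires
# for Windows ACL support (vfs objects = acl_xattr, map acl inherit = yes,
# store dos attributes = yes) and flag any "key value" line without an '='.
# Exit status 0 when everything checks out, 1 otherwise.
check_smbconf() {
    awk '
    /^[ \t]*([#;]|$)/ { next }                          # comments / blank lines
    /^[ \t]*\[/  { sec = tolower($0); gsub(/[^a-z0-9_]/, "", sec); next }
    !/=/         { sub(/^[ \t]+/, ""); printf "malformed line: %s\n", $0; bad = 1; next }
    {
        eq  = index($0, "=")
        key = tolower(substr($0, 1, eq - 1)); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = tolower(substr($0, eq + 1));    gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (sec == "global") g[key] = val               # only [global] matters here
    }
    END {
        ok = !bad
        if (g["vfs objects"] !~ /(^|[ \t])acl_xattr([ \t]|$)/) { print "missing: vfs objects = acl_xattr"; ok = 0 }
        if (g["map acl inherit"] != "yes")      { print "missing: map acl inherit = yes"; ok = 0 }
        if (g["store dos attributes"] != "yes") { print "missing: store dos attributes = yes"; ok = 0 }
        if (ok) print "ok"
        exit (ok ? 0 : 1)
    }' "$1"
}

# Constructed sample config (hypothetical values, not a real deployment):
# the ACL settings are present, but the tdb backend line uses '-' instead of '='.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
[global]
        workgroup = INTERNAL
        security = ADS
        idmap config *:backend - tdb
        idmap config *:range = 2000-9999
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
[programs]
        path = /server/programs
        read only = no
EOF
check_smbconf "$sample_conf" || echo "fix the lines above, then run testparm"
```

Run it against the real file with `check_smbconf /etc/samba/smb.conf`; testparm remains the authoritative parser, this only catches the settings the wiki calls out.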

