[Samba] Computer Management - Share Security - No Read Access

Rowland Penny rpenny at samba.org
Tue Feb 19 20:05:58 UTC 2019


On Tue, 19 Feb 2019 14:44:05 -0500
Marco Shmerykowsky <marco at sce-engineers.com> wrote:

> 
> >>          # user administrator workaround
> >>          username map = /etc/samba/user.map
> > 
> > Just to check, what is in the user.map ?
> 
> root@machine253:/etc/samba# cat user.map
> !root = INTERNAL\Administrator INTERNAL\administrator Administrator administrator

That should work.

> > 
> > If you run 'getent group Domain\ Admins', do you get 'Administrator'
> > listed as a group member e.g.
> > 
> > domain_admins:x:10512:administrator,rowland,.........
> 
> root@machine253:/etc/samba# getent group Domain\ Admins
> domain admins:x:10512:administrator

If you are logged into the Windows machine as 'INTERNAL\Administrator'
it should work, but if you are using another Domain user, add that user
to the 'Domain Admins' group.

> 
> > 
> >> 
> >> ** Create Share & Set permissions
> >> 
> >> root@sce253:/# ls -la /server
> >> drwxrwx---+  4 root          domain admins 4096 Feb 17 19:13 programs
> > 
> > Something seems to have happened, note the '+' sign at the end of
> > the Unix permissions, what does 'getfacl /server' show ?
> 
> root@machine253:/etc/samba# getfacl /server
> getfacl: Removing leading '/' from absolute path names
> # file: server
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x

Something is going on here, 'ls' shows 'root:domain admins' as the
owner:group with 0770 permissions, but getfacl shows 'root:root' as
owner:group with 0755 permissions

> 
> > This is very strange, it should work, are the 'attr' and 'acl'
> > packages installed ?
> > 
> > Rowland
> 
> I ran this command from the Debian section of the
> "Distribution specific Package Installation" on the wiki.
> 
> # apt-get install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user

'acl' is installed by default

> 
> For what it's worth, Group policy is mapping the drives and the
> various shares are being restricted to the proper groups.
> I can also set folder/directory permissions on the share
> by navigating directly to the share using a UNC path.

Strange.

> 
> Just know that the last part of the "Setting Share Permissions
> and ACL's" on the wiki doesn't allow for anything to be
> modified on the 'Security' tab.

It should and I have just updated that wiki page.

> 
> Not sure if this is "as designed" or did I do something
> which will create problems later.

Double check Unix ownership and permissions on the share directory,
that is really the only thing that looks wrong.
To remove the ACL's and start again, run:

setfacl -b path/to/directory

reset the unix permissions as shown on the wiki page and then try again
from Windows.

Rowland
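
The ownership and permission double check suggested above can be scripted. This is an added example, not part of the original message or of Samba: it parses 'getfacl' output and lists where it differs from the expected owner, group and mode. The expected values used in the test (root, 'domain admins', 0770) are the ones from the 'ls' line quoted in the thread; the function names are hypothetical.

```python
import re

# getfacl output for /server exactly as quoted in the thread above.
GETFACL_SERVER = """\
# file: server
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
"""

def _bits(perm):
    """Convert 'r-x' style permissions to an octal digit (here 5)."""
    return sum(v for c, v in zip(perm[:3], (4, 2, 1)) if c != "-")

def parse_getfacl(text):
    """Return owner, group, the mode 'ls' would show, and extended entries."""
    info, perms = {"owner": None, "group": None, "extended": []}, {}
    for raw in text.splitlines():
        m = re.match(r"#\s*(owner|group):\s*(.+)$", raw.strip())
        if m:  # getfacl may print a space in a name as \040
            info[m.group(1)] = m.group(2).replace("\\040", " ")
            continue
        entry = raw.split("#")[0].strip()  # drops '#effective:' comments
        if not entry:
            continue
        tag, _, rest = entry.partition(":")
        qualifier, _, perm = rest.rpartition(":")
        if tag in ("user", "group", "other", "mask") and not qualifier:
            perms[tag] = _bits(perm)
        if qualifier or tag not in ("user", "group", "other"):
            info["extended"].append(entry)  # what the '+' in ls stands for
    # When a mask entry exists, the group bits shown by ls are the mask.
    group_bits = perms.get("mask", perms.get("group", 0))
    info["mode"] = perms.get("user", 0) << 6 | group_bits << 3 | perms.get("other", 0)
    return info

def check_share(text, owner, group, mode):
    """List differences between getfacl output and the expected settings."""
    got, findings = parse_getfacl(text), []
    for key, want in (("owner", owner), ("group", group)):
        if got[key] != want:
            findings.append(f"{key} is {got[key]!r}, expected {want!r}")
    if got["mode"] != mode:
        findings.append(f"mode is {got['mode']:04o}, expected {mode:04o}")
    findings += [f"extended ACL entry: {e}" for e in got["extended"]]
    return findings
```

After 'setfacl -b' and resetting the Unix permissions, check_share() on fresh 'getfacl' output should return an empty list.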



